Accessing CI/CD

Scenario

Integrate the image security scan plug-in of HSS in the Jenkins Pipeline project so that images can be scanned during the Jenkins Pipeline project construction.

Accessing CI/CD

1. Log in to the management console.
2. In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
3. In the navigation pane, choose Installation & Configuration > Container Install & Config.
4. Click the CI/CD Access Settings tab and then click Access Information.
   Figure 1 CI/CD access settings
   

5. In the dialog box that is displayed, click Add CI/CD.

   The CI/CD identifier is the access token of the CI/CD plug-in and is used for identity authentication during image scans.

   Figure 2 Adding CI/CD
   

6. Enter an identifier and click OK. The CI/CD identifier is added.
   Figure 3 Entering an CI/CD identifier
   

7. Select an identifier and click Next.
   Figure 4 Selecting an identifier
   

8. Configure image scan information as prompted.
   Figure 5 Image scan information
   

   Table 1 Image scan parameters

   Category	Parameter on GUI	Description	Parameter in Command
   Scan	Scan Scope	Type of images to be scanned. Local image Remote image repository	-
   	CI/CD Identifier	CI/CD plug-in access token used for identity authentication during image scans.	cicd_id
   	(Optional) Organization	If Scan Scope is set to Remote image repository, you can enter the name of the organization that the remote image belongs to.	NAMESPACE
   	(Optional) Image	Image name.	IMAGE_NAME
   	(Optional) Image Versions	Image version information.	IMAGE_VERSION
   	Pipeline Action on Risks	HSS will handle insecure images during image building based on the selected action. Block: When high-risk images are detected, the CI/CD pipeline is blocked. High-risk images refer to the images whose risk level is high in the check results of vulnerabilities, malicious files, or baselines. Allow: The CI/CD pipeline is allowed to run properly even if image risks are detected.	is_blocking Blocking the pipeline: is_blocking=1 Allowing the pipeline: is_blocking=0 To block all the insecure pipelines, including the pipelines with high-risk images, set is_blocking=non-secure.
   Network Information (required only for remote image repository scans)	Communication Type	Communication protocol type of the image repository. HTTP HTTPS	repository_address Value format: Communication_type://Image_repository_address
   	Image Repository Address	Image repository address. You can enter the website address or IP_address:Port_number of the image repository. Example: myharbor.com	repository_address Value format: Communication_type://Image_repository_address
   Login Credentials (required only for remote image repository scans)	Username	Login username.	login_auth The value of this parameter is the encrypted value of the image repository username and image repository password.
   	Password	Password of the login user.	login_auth The value of this parameter is the encrypted value of the image repository username and image repository password.
   (Optional) Advanced Configuration	Vulnerability Whitelist	During CI/CD pipeline building, if an image only has whitelist vulnerabilities, the CI/CD pipeline is not blocked. If you believe a high-risk vulnerability does not affect your services, you can add it to the vulnerability whitelist. Enter one or multiple vulnerability names. Put each vulnerability name on a separate line.	-
   	Vulnerability Blacklist	During CI/CD pipeline building, if an image has a blacklisted vulnerability, the CI/CD pipeline is blocked. If you believe a low-risk vulnerability severely affects your services, you can add it to the vulnerability blacklist. Enter one or multiple vulnerability names. Put each vulnerability name on a separate line.	-
   	Image Whitelist	During CI/CD pipeline building, if the image is found to have risks, the CI/CD pipeline is not blocked. Enter one or multiple image names. Put each image name on a separate line. Image name format: Local image: Image_name:Version Remote image: Organization_name/Image_name:Version	-

9. After the configuration is complete, click Generate Command to generate commands for configuring the image security scan plug-in.
   Figure 6 Generating commands
   

10. Click Copy, as shown in Figure 7.
    Figure 7 Copying commands
    

11. Log in to Jenkins.
12. On the Dashboard page, click the name of a project in Jenkins-Pipeline mode.

    In this example, the project name is mypipeline.

13. In the navigation tree on the left, choose Configure.
14. Insert image security scan commands based on the type of the images to be scanned.
    The following example is for reference only.

    • Local images

    1. In the Pipeline area, insert the environment code segment of the command copied in 10 after agent any in the pipeline script.
    2. Insert the stage('image-scan') code segment of the command copied in 10 between the Build and Push phases in the pipeline script.
       Figure 8 Inserting image security scan commands
       

    • Remote image repository
      1. In the Pipeline area, insert the environment code segment of the command copied in 10 after agent any in the pipeline script.
      2. Insert the stage('image-scan') code segment of the command copied in 10 between the Test and Push phases in the pipeline script.

15. Click Apply.

    Image security scan tasks will be executed while you build the project.

    You can use Blue Ocean to view the project build task. Image security scan is performed in the image-Scan step added to the project. After the scan is complete, you can view its results on the HSS console. For details, see Managing CI/CD Images.

    If you choose to block a pipeline while performing 8, the image security scan plug-in will block the pipeline having high-risk images, as shown in Figure 9.

    Figure 9 Blocking project building
    

Related Operations

• Managing CI/CD Images
• Editing the Blacklist or Whitelist