Accessing CI/CD
Scenario
Integrate the image security scan plug-in of HSS in the Jenkins Pipeline project so that images can be scanned during the Jenkins Pipeline project construction.
Accessing CI/CD
- Log in to the management console.
- In the upper left corner of the page, select a region, click , and choose Security & Compliance > HSS.
- In the navigation pane, choose .
- Click the CI/CD Access Settings tab and then click Access Information.
Figure 1 CI/CD access settings
- In the dialog box that is displayed, click Add CI/CD.
The CI/CD identifier is the access token of the CI/CD plug-in and is used for identity authentication during image scans.
Figure 2 Adding CI/CD
- Enter an identifier and click OK. The CI/CD identifier is added.
Figure 3 Entering an CI/CD identifier
- Select an identifier and click Next.
Figure 4 Selecting an identifier
- Configure image scan information as prompted.
Figure 5 Image scan information
Table 1 Image scan parameters Category
Parameter on GUI
Description
Parameter in Command
Scan
Scan Scope
Type of images to be scanned.
- Local image
- Remote image repository
-
CI/CD Identifier
CI/CD plug-in access token used for identity authentication during image scans.
cicd_id
(Optional) Organization
If Scan Scope is set to Remote image repository, you can enter the name of the organization that the remote image belongs to.
NAMESPACE
(Optional) Image
Image name.
IMAGE_NAME
(Optional) Image Versions
Image version information.
IMAGE_VERSION
Pipeline Action on Risks
HSS will handle insecure images during image building based on the selected action.
- Block: When high-risk images are detected, the CI/CD pipeline is blocked. High-risk images refer to the images whose risk level is high in the check results of vulnerabilities, malicious files, or baselines.
- Allow: The CI/CD pipeline is allowed to run properly even if image risks are detected.
is_blocking
- Blocking the pipeline: is_blocking=1
- Allowing the pipeline: is_blocking=0
To block all the insecure pipelines, including the pipelines with high-risk images, set is_blocking=non-secure.
Network Information (required only for remote image repository scans)
Communication Type
Communication protocol type of the image repository.
- HTTP
- HTTPS
repository_address
Value format: Communication_type://Image_repository_address
Image Repository Address
Image repository address.
You can enter the website address or IP_address:Port_number of the image repository.
Example: myharbor.com
repository_address
Value format: Communication_type://Image_repository_address
Login Credentials (required only for remote image repository scans)
Username
Login username.
login_auth
The value of this parameter is the encrypted value of the image repository username and image repository password.
Password
Password of the login user.
login_auth
The value of this parameter is the encrypted value of the image repository username and image repository password.
(Optional) Advanced Configuration
Vulnerability Whitelist
During CI/CD pipeline building, if an image only has whitelist vulnerabilities, the CI/CD pipeline is not blocked.
If you believe a high-risk vulnerability does not affect your services, you can add it to the vulnerability whitelist.
Enter one or multiple vulnerability names. Put each vulnerability name on a separate line.
-
Vulnerability Blacklist
During CI/CD pipeline building, if an image has a blacklisted vulnerability, the CI/CD pipeline is blocked.
If you believe a low-risk vulnerability severely affects your services, you can add it to the vulnerability blacklist.
Enter one or multiple vulnerability names. Put each vulnerability name on a separate line.
-
Image Whitelist
During CI/CD pipeline building, if the image is found to have risks, the CI/CD pipeline is not blocked.
Enter one or multiple image names. Put each image name on a separate line.
Image name format:
- Local image: Image_name:Version
- Remote image: Organization_name/Image_name:Version
-
- After the configuration is complete, click Generate Command to generate commands for configuring the image security scan plug-in.
Figure 6 Generating commands
- Click Copy, as shown in Figure 7.
- Log in to Jenkins.
- On the Dashboard page, click the name of a project in Jenkins-Pipeline mode.
In this example, the project name is mypipeline.
- In the navigation tree on the left, choose Configure.
- Insert image security scan commands based on the type of the images to be scanned.
The following example is for reference only.
- Local images
- In the Pipeline area, insert the environment code segment of the command copied in 10 after agent any in the pipeline script.
- Insert the stage('image-scan') code segment of the command copied in 10 between the Build and Push phases in the pipeline script.
Figure 8 Inserting image security scan commands
- Click Apply.
Image security scan tasks will be executed while you build the project.
You can use Blue Ocean to view the project build task. Image security scan is performed in the image-Scan step added to the project. After the scan is complete, you can view its results on the HSS console. For details, see Managing CI/CD Images.
If you choose to block a pipeline while performing 8, the image security scan plug-in will block the pipeline having high-risk images, as shown in Figure 9.
Related Operations
Feedback
Was this page helpful?
Provide feedbackThank you very much for your feedback. We will continue working to improve the documentation.See the reply and handling status in My Cloud VOC.
For any further questions, feel free to contact us through the chatbot.
Chatbot