Help Center/ Host Security Service/ User Guide/ Installation and Configuration on Containers/ Image Access/ Configuring CI/CD Access/ Integrating Image Security Scan in CI/CD.
Updated on 2025-12-12 GMT+08:00
View PDF
Share

Integrating Image Security Scan in CI/CD.

Scenario

For details about HSS CI/CD image security scan, see CI/CD Image Security Scan Overview.

To use CI/CD image security scan, you need to integrate the scan plug-in in the Jenkins or CodeArts Pipeline project.

Notes and Constraints

You have enabled the pay-per-use CI/CD image scan. You will be paid per image per scan. For details, see Enabling Pay-per-use Container Image Scan.

Process Flow

Figure 1 Process
  1. Step 1: Configure Image Security Scan Commands
  2. Step 2: Integrate the Image Security Scan Command in the CI/CD Pipeline

Step 1: Configure Image Security Scan Commands

  1. Log in to the HSS console.
  2. Click in the upper left corner and select a region or project.
  3. In the navigation pane on the left, choose Installation & Configuration > Container Install & Config.
  4. Click the CI/CD Access Settings tab and then click Access Information.
  5. In the dialog box that is displayed, click Add CI/CD.

    The CI/CD identifier is the access token of the CI/CD plug-in and is used for identity authentication during image scans.

    Figure 2 Adding CI/CD

  6. Enter an identifier and click OK. The CI/CD identifier is added.

    Figure 3 Entering an CI/CD identifier

  7. Select an identifier and click Next.

    Figure 4 Selecting an identifier

  8. Configure image scan information as prompted.

    CI/CD security scan is classified into image security scan and IaC security scan. To scan the corresponding category, enable and set the corresponding parameters. For more information, see Table 1 and Table 2.

    Figure 5 Image scan information
    Table 1 Image security scan parameters

    Category

    Parameter on GUI

    Description

    Parameter in Command

    Scan

    Pipeline Type

    Select the CI/CD pipeline type as required.

    • Jenkins
    • CodeArts

    -

    Scan Scope

    Type of images to be scanned.

    • Local image
    • Remote image repository

    -

    CI/CD Identifier

    CI/CD plug-in access token used for identity authentication during image scans.

    cicd_id

    (Optional) Organization

    If Scan Scope is set to Remote image repository, you can enter the name of the organization that the remote image belongs to.

    NAMESPACE

    (Optional) Image

    Image name.

    IMAGE_NAME

    (Optional) Image Versions

    Image version information.

    IMAGE_VERSION

    Pipeline Action on Risks

    HSS will handle insecure images during image building based on the selected action.

    • Block: When high-risk images are detected, the CI/CD pipeline is blocked. High-risk images refer to the images whose risk level is high in the check results of vulnerabilities, malicious files, or baselines.
    • Allow: The CI/CD pipeline is allowed to run properly even if image risks are detected.

    is_blocking

    • Blocking the pipeline: is_blocking=1
    • Allowing the pipeline: is_blocking=0

    To block all the insecure pipelines, including the pipelines with high-risk images, set is_blocking=non-secure.

    Network Information (required only for remote image repository scans)

    Communication Type

    Communication protocol type of the image repository.

    • HTTP
    • HTTPS

    For example, if the remote image repository is Huawei Cloud SWR, select HTTPS.

    repository_address

    Value format: Communication_type://Image_repository_address

    Image Repository Address

    Enter the image repository URL or IP address:port.

    Example: myharbor.com

    If the remote image repository is Huawei Cloud SWR, its address can be obtained from the image download command. See Figure 6.

    Figure 6 Obtaining the SWR image repository address

    repository_address

    Value format: Communication_type://Image_repository_address

    Login Credentials (required only for remote image repository scans)

    Username

    Login username.

    If the remote image repository is Huawei Cloud SWR, you can obtain its username from Pull/Push Guide > "Login Commands". See Figure 7.

    Figure 7 Obtaining the SWR image repository username and password

    login_auth

    The value of this parameter is the encrypted value of the image repository username and image repository password.

    Password

    Password of the login user.

    If the remote image repository is Huawei Cloud SWR, you can obtain its password from Pull/Push Guide > "Login Commands". See Figure 7.

    login_auth

    The value of this parameter is the encrypted value of the image repository username and image repository password.

    (Optional) Advanced Configuration

    Vulnerability Whitelist

    During CI/CD pipeline building, if an image only has whitelist vulnerabilities, the CI/CD pipeline is not blocked.

    If you believe a high-risk vulnerability does not affect your services, you can add it to the vulnerability whitelist.

    Enter one or multiple vulnerability names. Put each vulnerability name on a separate line.

    -

    Vulnerability Blacklist

    During CI/CD pipeline building, if an image has a blacklisted vulnerability, the CI/CD pipeline is blocked.

    If you believe a low-risk vulnerability severely affects your services, you can add it to the vulnerability blacklist.

    Enter one or multiple vulnerability names. Put each vulnerability name on a separate line.

    -

    Image Whitelist

    During CI/CD pipeline building, if the image is found to have risks, the CI/CD pipeline is not blocked.

    Enter one or multiple image names. Put each image name on a separate line.

    Image name format:

    • Local image: Image_name:Version
    • Remote image: Organization_name/Image_name:Version

    -
    Table 2 IaC scan parameters

    Parameter on GUI

    Description

    Parameter in Command

    Configuration Method

    Method of storing IaC files.

    • Local directory
    • Git repository address
    • Remote HTTPS address

    config_mode

    Local directory

    When the configuration mode is set to Local directory, you need to enter the local directory address. The image security scanning tool obtains the YAML and Dockerfile files from the specified address for scanning.

    Example: example/iac/

    source

    Git repository address

    When the configuration mode is set to Git repository address, you need to enter the Git repository address. The image security scanning tool clones the project to the local host where Jenkins is located, and obtains the YAML and Dockerfile files in the project for scanning.

    Example: https://github.com/example-username/example-repo.git

    path

    Remote HTTPS address

    When the configuration mode is set to Remote HTTPS address, you need to enter the remote HTTPS address. The image security scanning tool obtains the YAML and Dockerfile files from the specified address for scanning.

    Example: https://example.com/example.yaml

    path

  9. After the configuration is complete, click Generate Command to generate commands for configuring the image security scan plug-in.
  10. Click Copy, as shown in Figure 8.

    The following uses Jenkins-Pipeline as an example.

    Figure 8 Copying commands

Step 2: Integrate the Image Security Scan Command in the CI/CD Pipeline

Integrate the scan commands based on the pipeline type.

  1. Log in to Jenkins.
  2. On the Dashboard page, click the name of a project in Jenkins-Pipeline mode.

    In this example, the project name is mypipeline.

  3. In the navigation tree on the left, choose Configure.
  4. Insert image security scan commands based on the type of the images to be scanned.

    The following example is for reference only.
    • Local images
    1. In the Pipeline area, insert the environment code segment of the command copied in 10 after agent any in the pipeline script.
    2. Insert the stage('image-scan') code segment of the command copied in 10 between the Build and Push phases in the pipeline script.
      Figure 9 Inserting image security scan commands
    • Remote image repository
      1. In the Pipeline area, insert the environment code segment of the command copied in 10 after agent any in the pipeline script.
      2. Insert the stage('image-scan') code segment of the command copied in 10 between the Test and Push phases in the pipeline script.

  5. Click Apply.

    Image security scan tasks will be executed while you build the project.

    You can use Blue Ocean to view the project build task. Image security scan is performed in the image-Scan step added to the project. After the scan is complete, you can view its results on the HSS console. For details, see Viewing and Handling CI/CD Image Scan Results.

    If you choose to block a pipeline while performing 8, the image security scan plug-in will block the pipeline having high-risk images, as shown in Figure 10.

    Figure 10 Blocking project building

  1. Create a CodeArts agent pool.

    For details, see Creating an Agent Pool.

    • Pool Name: Enter HSS.
    • Pool Type: Select LINUX.

  2. Create an agent on CodeArts.

    For details, see Creating an Agent in CodeArts.

    • Agent Name: Enter Agent-imagescan.
    • Host where the agent is installed: Select a Linux ECS.

  3. After the agent is created, click Homepage from the top menu bar to access the CodeArts console.
  4. Click the target project name to access its details page.
  5. In the navigation pane on the left, choose CICD > Pipeline.
  6. Locate the target pipeline and choose > Edit in the Operation column.
  7. Click to create a phase between Build and Push.
  8. Choose Job > From Scratch.
  9. Add the ExecuteShellCommand step.

    Figure 11 Adding the ExecuteShellCommand step

  10. Click Job Configuration. On the displayed page, configure the resource pool.

    • Resource Pool Type: Select Custom.
    • Custom: Select the agent pool created in 1, for example, HSS.
    Figure 12 Configuring an agent pool

  11. Return to the ExecuteShellCommand page and insert the image security scan commands based on the image type.

    The following example is for reference only.
    • Local images
      1. In the Command area, paste the command copied in 10.
      2. (Optional) If Image Name and Image Version are not configured when you execute 8, add the IMAGE_NAME and IMAGE_VERSION variables in the Advanced Settings area.
        The variable values are the image name and image version generated by the pipeline code.
        Figure 13 Environment variables
    • Remote image repository
      1. In the Command area, paste the command copied in 10.
      2. (Optional) If Organization, Image Name, and Image Version are not configured when you execute 8, add the NAMESPACE, IMAGE_NAME, and IMAGE_VERSION variables in the Advanced Settings area.
        Figure 14 Environment variables

  12. Click OK.
  13. In the upper right corner of the pipeline, click Save to save the pipeline configuration.

    Image security scan tasks will be executed while you build the project.

    You can view the execution status of the ExecuteShellCommand step (image security scan) in the pipeline build history. After the image security scan is complete, you can view the scan results on the HSS console.

    For details, see Viewing and Handling CI/CD Image Scan Results.

    If you choose to block a pipeline while performing 8, the image security scan plug-in will block the pipeline having high-risk images.

Related Operations

Parent Topic: Configuring CI/CD Access