In Jez Humble’s blog post The Case for Continuous Delivery, Jez states the two major tenets of a Continuous Delivery release process:
The first tenet requires the ability to perform extremely frequent releases. Jenkins’ automated build and delivery features, combined with Docker’s rapid and easy deployment model, enable this ability; but what about reducing risk to produce resilient and reliable systems?
To reduce risk in even a small incremental release, we need a scan of the OS, components, and utilities in every Jenkins build, which is precisely what Twistlock’s Jenkins plugin provides.
How Twistlock’s Jenkins Plugin Reduces Risk
The Twistlock solution allows you to set thresholds for compliance and security tolerance in your Docker containers at build time and report any violations. It’s also very easy to fail a build containing a risky OS, utility, or component. The scan includes over 90 compliance checks from the Center for Internet Security (CIS), again optionally failing a build that has one or more compliance violations.
The idea is that by the time an image is in your repository and available for consumption by your entire development and production deployment teams, it’s free of high-severity security vulnerabilities and compliant with industry-standard compliance rules for Docker, such as HIPAA and PCI.
Getting Started with Twistlock’s Jenkins Plugin
Here’s all you need to get started reducing risk in your Jenkins builds:
1. Install the Twistlock Enterprise Edition
2. Install and configure the plugin
3. Configure one or more Jenkins projects to perform the Twistlock security and compliance scan – we’ll cover that in the next section
Configuring a Jenkins Project with Twistlock
At a high level, we want to add two steps to your project pipeline: a Twistlock Scan followed by a Twistlock Publish.
In Jenkins, navigate to the desired project you want to protect and select “Configure”; then navigate down to the “Pipeline” section and select “Pipeline Syntax” as shown below.
In Pipeline Syntax, open the drop-down list and select twistlockScan: Scan Twistlock Images. In the first dropdown pick list you select the threat level for security vulnerabilities at which the build fails: low fails the build if any security vulnerabilities exist in your image, high fails the build only if a high-severity vulnerability exists, and warn does not affect the status of your build. The second dropdown pick list is similar, but for compliance violations. You then select the image and tag to scan; the image can be local or in a repository.
If you are creating your Docker image outside of the build, select the Advanced button and check the last box at the bottom of the screen, Ignore Image Creation Time.
Finally, choose Generate Pipeline Script and copy the generated text so you can paste it back into the Pipeline Groovy script, as shown in the previous screenshot, in stage('scan').
Repeat the snippet generation for twistlockPublish: Publish Twistlock analysis results and paste the generated code back into the Pipeline Groovy script as another build step, which I called stage('publish').
Once these two pipeline steps are in place, simply rebuild your project; the Twistlock scan and the publishing of its results will run after the regular build of your image.
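A complete Jenkinsfile wiring the two steps into a pipeline, as an added example that is not from the post or from Twistlock: the twistlockScan and twistlockPublish step names and the warn/low/high levels are the ones described above, while the image name and the individual parameter keys (ca, cert, key, dockerAddress, policy, compliancePolicy, ignoreImageBuildTime, timeout) are assumptions written in the shape the Pipeline Syntax generator produces, so regenerate them for your installed plugin version rather than copying them verbatim.

```groovy
// Added example Jenkinsfile (declarative pipeline); not the post's own code.
// Parameter keys below are assumed: take the authoritative ones from
// Jenkins -> Pipeline Syntax -> twistlockScan / twistlockPublish.
pipeline {
    agent any
    environment {
        // Constructed image name and tag for this example.
        IMAGE = "registry.example.com/payments-api"
        TAG   = "${env.BUILD_NUMBER}"
    }
    stages {
        stage('build') {
            steps {
                // The image is built inside this job, so its creation time
                // matches the build and Ignore Image Creation Time stays off.
                sh "docker build -t ${IMAGE}:${TAG} ."
            }
        }
        stage('scan') {
            steps {
                // policy: vulnerability threshold (warn | low | high).
                //   'high' fails the build only on high-severity CVEs.
                // compliancePolicy: same scale for CIS compliance checks;
                //   'low' fails the build on any compliance violation.
                twistlockScan ca: '',
                              cert: '',
                              key: '',
                              dockerAddress: 'unix:///var/run/docker.sock',
                              image: "${IMAGE}:${TAG}",
                              policy: 'high',
                              compliancePolicy: 'low',
                              ignoreImageBuildTime: false,
                              timeout: 10
            }
        }
        stage('publish') {
            steps {
                // Publishes the scan results so the purple Twistlock symbol
                // on the build page shows vulnerabilities and trending.
                twistlockPublish ca: '',
                                 cert: '',
                                 key: '',
                                 dockerAddress: 'unix:///var/run/docker.sock',
                                 image: "${IMAGE}:${TAG}",
                                 ignoreImageBuildTime: false,
                                 timeout: 10
            }
        }
    }
}
```

Setting policy to 'warn' while you tune thresholds lets the scan report without failing builds; switch it to 'high' or 'low' once the baseline image is clean so regressions block the release.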
Viewing Results of the Twistlock Scans
The scan shows all the vulnerabilities and compliance violations in your image as well as build-to-build trending data.
By clicking on the purple Twistlock symbol, you can see detailed vulnerability and compliance issues in your image. Also notice that the most recent build is marked as failed; this is a result of changing the threat level from warn to high, coupled with the existence of high-severity vulnerabilities in the container image.
The CVEs listed are clickable as well, so you can drill down into the vulnerability and even see the version in which the CVE is fixed, which makes remediation simple too.
Use Twistlock to Reduce Risk To Produce Resilient and Reliable Releases
In a nutshell, Twistlock’s Jenkins plugin enables the reduction of risk in your images built within Jenkins so you can produce resilient and reliable releases.
Get a demo today to find out how to get your organization up and running.