Anchore provides docker image analysis for user defined acceptance policies to allow automated image validation and acceptance.
As developers we would like to know if a change we are proposing introduces aCommon Vulnerability and Exposure (CVE). As operators we would like to know what running applications are affected if a new CVE is discovered.
Now in Jenkins X pipelines, if we find anAnchore engine service running we will add the preview and release images to be analyzed. This means we can look at any environment including previews (created from Pull Requests) to see if your application contains a CVE.
Upgrade
Start by checking your current Jenkins X version:
jx versionIf your Jenkins X platform is older than 0.0.903, then first you will need to upgrade to at least 0.0.922:
jx upgrade cli
jx upgrade platformInstall addon
You can install theAnchore engine addon
when you are in your Jenkins X team home environment.
jx env dev
jx create addon anchoreThis will install the engine in a seperate anchore namespace
and create a service link in the current team home environment
so our pipeline builds can add docker images to Anchore for analysis.
Demo
Here’s a 4 minute video that demonstrates the steps above:
Upgrading existing pipelines
If you have an existing application pipeline and and want enable image analysis you can update your Jenkinsfile,
in the preview stage after the skaffold step add the line
sh "jx step validate --min-jx-version 1.2.36"
sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:$PREVIEW_VERSION"In the master stage the add this line after the skaffold step
sh "jx step validate --min-jx-version 1.2.36"
sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:\$(cat VERSION)"For any questions please find us - we mainly hang out on Slack at#jenkins-x-dev - or seejenkins-x.io/community for other channels.