Integrate with Jenkins
Prerequisites
Sysdig Secure API token: Jenkins workers must have access to the image storage, whether it’s the local storage where the image was created or the registry where it’s stored.
Configuration
To configure the Sysdig Secure plugin:
Install the Sysidg plugin.
From the main Jenkins menu, select Manage Jenkins.
Click Configure System.
Scroll down to the Sysdig Secure Plugin section.
In the Sysdig Secure API Credentials drop-down:
Click Add to create a new credential containing the Sysdig Secure API Token.
You can find the token in the Settings > User Profile menu.
Enter the password. You can keep the username field blank.
Select the new credential.
Enter the Sysdig Secure API endpoint in the Sysdig Secure Engine URL field.
For On-Prem installations, this is the URL where your Secure API is exposed.
For the SaaS service:
Default region US East (North Virginia):
https://secure.sysdig.com
US West (Oregon):
https://us2.app.sysdig.com
European Union:
https://eu1.app.sysdig.com
See SaaS Regions and IP Ranges for a complete list of regions.
If you are connecting to an On-Prem instance using an invalid TLS certificate, then you need to either configure Jenkins to trust the certificate, or uncheck the Verify SSL checkbox.
Click Save.
Example: Run the Sysdig Plugin Inside a Pipeline
The following is a simplified example executing the Sysdig plugin as a stage inside a pipeline:
stages {
stage('Checkout') {
steps {
checkout scm
}
}
stage('Build Image') {
steps {
sh "docker build -f Dockerfile -t ${params.DOCKER_REPOSITORY} ."
}
}
stage('Scanning Image') {
steps {
sysdigImageScan engineCredentialsId: 'sysdig-secure-api-credentials', imageName: "${params.DOCKER_REPOSITORY}"
}
}
}
The table below describes the configuration options.
Configuration Parameters
Option | Parameter | Description | Default |
---|---|---|---|
Image name | ImageName | The name of the image to scan | sysdig_secure_images |
Fail build on policy check STOP result | bailOnFail | Sysdig Secure policy evaluation returning a fail (STOP) indicates a Jenkins job failure. If this option is not selected, a failed policy evaluation will allow the build to continue. | true |
Fail build on critical plugin error | bailOnPluginFail | If selected, and the Sysdig Secure Plugin experiences a critical error, the build is failed. This is typically used to ensure that a fault with Sysdig Secure, such as unavailable service, does not permit a failing image to be promoted to production. | true |
Identifiers of policies to apply | policiesToApply | List of policies to apply to the image in addition to those marked as always apply in the sysdig ui |
Run Sysdig Plugin as a Jenkin Step
The following is an example of executing the Sysdig Secure plugin as a Jenkinsfile step, modifying the default parameters:
sysdigImageScan bailOnFail: false, bailOnPluginFail: false, engineCredentialsId: 'sysdig-secure-api-credentials', engineURL: 'https://secure.sysdig.com', engineVerify: false, imageName: 'ruby', policiesToApply: 'foo', scannerBinaryPath: '/bin/sysdig-cli-scanner'
Obtain Scan Results in Jenkins
The Sysdig plugin generates a scan report listed in the Jenkins build list.
sysdig_secure_gates.json
Scanning results for the Sysdig policy evaluation.sysdig_secure_security.json
Detected vulnerability datasysdig_secure_raw-vulns_report-.json
Raw vulnerability data
Learn More
Sysdig Secure Container Image Scanner
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.