Integrate with Jenkins

Sysdig offers a plugin to integrate Sysdig CLI Pipeline scans into a Jenkins-based build process. The plugin is published as a Jenkins plugin and is available for installation on any Jenkins server using the Plugin Manager in the web UI through the Manage Jenkins > Manage Plugins view, available to administrators of a Jenkins environment.

Prerequisites

Sysdig Secure API token: Jenkins workers must have access to the image storage, whether it’s the local storage where the image was created or the registry where it’s stored.

Configuration

To configure the Sysdig Secure plugin:

  1. Install the Sysidg plugin.

  2. From the main Jenkins menu, select Manage Jenkins.

  3. Click Configure System.

  4. Scroll down to the Sysdig Secure Plugin section.

  5. In the Sysdig Secure API Credentials drop-down:

  6. Click Add to create a new credential containing the Sysdig Secure API Token.


    You can find the token in the Settings > User Profile menu.

  7. Enter the password. You can keep the username field blank.


  8. Select the new credential.

  9. Enter the Sysdig Secure API endpoint in the Sysdig Secure Engine URL field.

    For On-Prem installations, this is the URL where your Secure API is exposed.

    For the SaaS service:

    • Default region US East (North Virginia): https://secure.sysdig.com

    • US West (Oregon): https://us2.app.sysdig.com

    • European Union: https://eu1.app.sysdig.com

    ​ See SaaS Regions and IP Ranges for a complete list of regions.

  10. If you are connecting to an On-Prem instance using an invalid TLS certificate, then you need to either configure Jenkins to trust the certificate, or uncheck the Verify SSL checkbox.

  11. Click Save.

Example: Run the Sysdig Plugin Inside a Pipeline

The following is a simplified example executing the Sysdig plugin as a stage inside a pipeline:

stages {
    stage('Checkout') {
        steps {
            checkout scm
        }
    }
    stage('Build Image') {
        steps {
            sh "docker build -f Dockerfile -t ${params.DOCKER_REPOSITORY} ."
        }
    }
    stage('Scanning Image') {
        steps {
            sysdigImageScan engineCredentialsId: 'sysdig-secure-api-credentials', imageName: "${params.DOCKER_REPOSITORY}"
        }
    }
}

The table below describes the configuration options.

Configuration Parameters

OptionParameterDescriptionDefault
Image nameImageNameThe name of the image to scansysdig_secure_images
Fail build on policy check STOP resultbailOnFailSysdig Secure policy evaluation returning a fail (STOP) indicates a Jenkins job failure. If this option is not selected, a failed policy evaluation will allow the build to continue.true
Fail build on critical plugin errorbailOnPluginFailIf selected, and the Sysdig Secure Plugin experiences a critical error, the build is failed. This is typically used to ensure that a fault with Sysdig Secure, such as unavailable service, does not permit a failing image to be promoted to production.true
Identifiers of policies to applypoliciesToApplyList of policies to apply to the image in addition to those marked as always apply in the sysdig ui

Run Sysdig Plugin as a Jenkin Step

The following is an example of executing the Sysdig Secure plugin as a Jenkinsfile step, modifying the default parameters:

sysdigImageScan bailOnFail: false, bailOnPluginFail: false, engineCredentialsId: 'sysdig-secure-api-credentials', engineURL: 'https://secure.sysdig.com', engineVerify: false, imageName: 'ruby', policiesToApply: 'foo', scannerBinaryPath: '/bin/sysdig-cli-scanner'

Obtain Scan Results in Jenkins

The Sysdig plugin generates a scan report listed in the Jenkins build list.


  • sysdig_secure_gates.json Scanning results for the Sysdig policy evaluation.

  • sysdig_secure_security.json Detected vulnerability data

  • sysdig_secure_raw-vulns_report-.json Raw vulnerability data

Learn More

Sysdig Secure Container Image Scanner