Anchore provides docker image analysis for user defined acceptance policies to allow automated image validation and acceptance.
As developers we would like to know if a change we are proposing introduces a Common Vulnerability and Exposure (CVE). As operators we would like to know what running applications are affected if a new CVE is discovered.
Now in Jenkins X pipelines, if we find an Anchore engine service running we will add the preview and release images to be analyzed. This means we can look at any environment including previews (created from Pull Requests) to see if your application contains a CVE.
Start by checking your current Jenkins X version:
If your Jenkins X platform is older than 0.0.903, then first you will need to upgrade to at least 0.0.922:
jx upgrade cli jx upgrade platform
You can install the
Anchore engine addon
when you are in your Jenkins X team
jx env dev jx create addon anchore
This will install the engine in a seperate
and create a service link in the current team
so our pipeline builds can add docker images to Anchore for analysis.
Here’s a 4 minute video that demonstrates the steps above:
If you have an existing application pipeline and and want enable image analysis you can update your Jenkinsfile,
preview stage after the skaffold step add the line
sh "jx step validate --min-jx-version 1.2.36" sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:$PREVIEW_VERSION"
master stage the add this line after the skaffold step
sh "jx step validate --min-jx-version 1.2.36" sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:\$(cat VERSION)"