Back to blog

Jenkins X: Announcing CVE docker image analysis with Anchore

James Rawlings
James Rawlings
May 8, 2018

Anchore provides docker image analysis for user defined acceptance policies to allow automated image validation and acceptance.

As developers we would like to know if a change we are proposing introduces a Common Vulnerability and Exposure (CVE). As operators we would like to know what running applications are affected if a new CVE is discovered.

Now in Jenkins X pipelines, if we find an Anchore engine service running we will add the preview and release images to be analyzed. This means we can look at any environment including previews (created from Pull Requests) to see if your application contains a CVE.

Upgrade

Start by checking your current Jenkins X version:

jx version

If your Jenkins X platform is older than 0.0.903, then first you will need to upgrade to at least 0.0.922:

jx upgrade cli
jx upgrade platform

Install addon

You can install the Anchore engine addon when you are in your Jenkins X team home environment.

jx env dev
jx create addon anchore

This will install the engine in a separate anchore namespace and create a service link in the current team home environment so our pipeline builds can add docker images to Anchore for analysis.

Create an application

You can now create a new quickstart:

jx create quickstart

List any CVEs

Once the build has run you will be able to check for CVEs in any environment including previews created for pull requests.

jx get cve --environment staging

Demo

Here’s a 4 minute video that demonstrates the steps above:

Upgrading existing pipelines

If you have an existing application pipeline and and want enable image analysis you can update your Jenkinsfile, in the preview stage after the skaffold step add the line

sh "jx step validate --min-jx-version 1.2.36"
sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:$PREVIEW_VERSION"

In the master stage the add this line after the skaffold step

sh "jx step validate --min-jx-version 1.2.36"
sh "jx step post build --image \$JENKINS_X_DOCKER_REGISTRY_SERVICE_HOST:\$JENKINS_X_DOCKER_REGISTRY_SERVICE_PORT/$ORG/$APP_NAME:\$(cat VERSION)"

For any questions please find us - we mainly hang out on Slack at #jenkins-x-dev - or see jenkins-x.io/community for other channels.

About the author

James Rawlings

James Rawlings

James has a passion for continuous delivery and software automation in general. Continually looking at ways to help improve developers experience for the cloud. James works on the OSS project Jenkins X