Build Phase Image Scanning

CI/CD Build Phase Vulnerability Scanning

Scan for vulnerabilities during the build phase of the pipeline using plug-ins such as Jenkins, Azure Devops, Github Action, gitlab, Bamboo, and CircleCI, or use the REST API. SUSE® Security supports two types of build-phase scanning: registry and local. For registry scanning, the SUSE® Security controller and scanner must be able to connect to the registry to pull the image.

To trigger a build-phase scan, the plug-in (e.g. Jenkins) must be able to connect to the Controller or Allinone. Note: The default REST API port for plug-ins to call the scanner is 10443. This port must be exposed through the Allinone or Controller through a service in Kubernetes or a port map (e.g. - 10443:10443) in the Docker run or compose file.

Make sure there is a SUSE® Security scanner container deployed and properly configured to connect to the Allinone or Controller. In 4.0 and later, the neuvector/scanner container must be deployed separately from the allinone or controller, and is included in the sample deployment yaml files.

You can download the plug-in from the Jenkins Plug-in Manager. Other plug-ins are accessible through the catalogs of the build tool, or on the SUSE® Security github page. The Bamboo scanner is available at https://github.com/neuvector/bamboo-plugin/releases/tag/1.0.1. The CircleCI ORB is available at https://github.com/neuvector/circleci-orb and through the CircleCI ORB catalog.

Local Build-Phase Scanning

For local scanning, the SUSE® Security scanner will try to scan the image on a local host (or a host reachable by the remote host docker command).

For Kubernetes or OpenShift-based local scanning, remove the commented-out section of the sample scanner deployment yaml file, shown in the Deploying SUSE® Security sections. The commented out section looks like this:

          env:
# Commented out sections are required only for local build-phase scanning
#            - name: SCANNER_DOCKER_URL
#              value: tcp://192.168.1.10:2376
            - name: CLUSTER_JOIN_ADDR
              value: neuvector-svc-controller.neuvector
            - name: CLUSTER_ADVERTISED_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
            - name: CLUSTER_BIND_ADDR
              valueFrom:
                fieldRef:
                  fieldPath: status.podIP
#          volumeMounts:
#            - mountPath: /var/run/docker.sock
#              name: docker-sock
#              readOnly: true
#      volumes:
#        - name: docker-sock
#          hostPath:
#            path: /var/run/docker.sock
      restartPolicy: Always

For Docker-native local scanning, follow the instructions for Docker scanner deployments in the Docker Production deployments section for the scanner.

Local Build-Phase Scanning - Scanner Only (No Controller Required)

SUSE® Security supports standalone scanner deployments for local image scanning (which does not require a Controller). Certain plug-in’s such as the CircleCI ORB have an option to dynamically deploy a scanner when a build job requires image scanning, then remove the scanner when the results are sent back through the ORB. These dynamic scanner deployments are automatically invoked through the plug-in if supported.

Please see the scanner section for more details on stand alone scanners.