Integrate Deep Security Smart Check into your Jenkins container pipeline.
Deep Security Smart Check
Deep Security Smart Check can scan your images before they are pushed to your production registry. If you have enabled pre-registry scanning on your Deep Security Smart Check instance, you can use the `preregistryScan` and `preregistryCredentialsId` parameters in the `smartcheckScan` method:

```groovy
smartcheckScan([
  imageName: "registry.example.com/my-project/my-image",
  smartcheckHost: "smartcheck.example.com",
  smartcheckCredentialsId: "smartcheck-auth",
  preregistryScan: true,
  preregistryCredentialsId: "preregistry-auth",
])
```
Deep Security Smart Check can also scan images that you have already pushed to your registry. In this example, the registry has credentials stored in the `example-registry-auth` Jenkins credential, and those credentials are passed in the `imagePullAuth` parameter to `smartcheckScan`:

```groovy
withCredentials([
  usernamePassword([
    credentialsId: "example-registry-auth",
    usernameVariable: "REGISTRY_USER",
    passwordVariable: "REGISTRY_PASSWORD",
  ])
]) {
  smartcheckScan([
    imageName: "registry.example.com/my-project/my-image",
    smartcheckHost: "smartcheck.example.com",
    smartcheckCredentialsId: "smartcheck-auth",
    imagePullAuth: new groovy.json.JsonBuilder([
      username: REGISTRY_USER,
      password: REGISTRY_PASSWORD,
    ]).toString(),
  ])
}
```
The `smartcheckScan` method accepts the following parameters:

- `smartcheckHost`: the hostname of your Deep Security Smart Check instance, for example `smartcheck.example.com`.
- `insecureSkipTLSVerify`: skip TLS certificate verification when connecting to `smartcheckHost`. Only appropriate for test deployments; a production pipeline should trust the instance's certificate instead.
- `smartcheckCredentialsId`: the ID of the Jenkins credential used to authenticate to Deep Security Smart Check (for example `smartcheck-auth` above).
- `imageName`: the image to scan, including its registry (for example `registry.example.com/my-project/my-image`).
- `imagePullAuth`: credentials for pulling the image from its registry, passed as a JSON string. Build it from a Jenkins credential rather than a literal so the secret never appears in the pipeline source:

  ```groovy
  smartcheckScan([
    imagePullAuth: new groovy.json.JsonBuilder([
      username: REGISTRY_USER,
      password: REGISTRY_PASSWORD,
    ]).toString(),
    //...
  ])
  ```

  See creating a scan in the Deep Security Smart Check API Reference for additional registry credentials options.
- `insecureSkipRegistryTLSVerify`: skip TLS certificate verification when connecting to the image registry. The same caveat as for `insecureSkipTLSVerify` applies.
- `preregistryScan`: set to `true` to scan the image in the pre-registry before it is pushed to your production registry.
- `preregistryHost`: the pre-registry to use; defaults to `smartcheckHost` on port 5000.
- `preregistryCredentialsId`: the ID of the Jenkins credential used to authenticate to the pre-registry (for example `preregistry-auth` above).
- `resultsFile`: where the scan results are written; default `scan-results.json`.
- `findingsThreshold`: a JSON string setting the maximum number of findings allowed per category and severity (see the example and schema below).
Example with default values:

```groovy
smartcheckScan([
  //...
  findingsThreshold: new groovy.json.JsonBuilder([
    malware: 0,
    vulnerabilities: [
      defcon1: 0,
      critical: 0,
      high: 0,
    ],
    contents: [
      defcon1: 0,
      critical: 0,
      high: 0,
    ],
    checklists: [
      defcon1: 0,
      critical: 0,
      high: 0,
    ],
  ]).toString(),
])
```
Schema:

```typescript
interface FindingsThreshold {
  malware?: number;
  contents?: {
    defcon1?: number;
    critical?: number;
    high?: number;
    medium?: number;
    low?: number;
    negligible?: number;
    unknown?: number;
  };
  vulnerabilities?: {
    defcon1?: number;
    critical?: number;
    high?: number;
    medium?: number;
    low?: number;
    negligible?: number;
    unknown?: number;
  };
  checklists?: {
    defcon1?: number;
    critical?: number;
    high?: number;
    medium?: number;
    low?: number;
    negligible?: number;
    unknown?: number;
  };
}
```
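The following scripted Jenkinsfile ties the pre-registry scan, the `findingsThreshold` parameter and the production push together in one pipeline. It is added here as an illustration and is not taken from the plugin's own documentation. It assumes an agent labelled `docker` with a Docker daemon, a Smart Check instance at `smartcheck.example.com` with pre-registry scanning enabled (so the default `preregistryHost` on port 5000 is used), the Jenkins credentials `smartcheck-auth`, `preregistry-auth` and `example-registry-auth`, and `registry.example.com` as the production registry; the image tag and stage names are also made up for the example. It further assumes, as the parameter name and the zero-valued defaults suggest, that `smartcheckScan` fails the build when a finding count exceeds its threshold, which is what keeps the push stage from running.

```groovy
// Added example Jenkinsfile (scripted pipeline); not part of the plugin's docs.
// Assumed values: agent label "docker", host smartcheck.example.com, the three
// Jenkins credentials below, and registry.example.com as the production registry.
def image = "registry.example.com/my-project/my-image:${env.BUILD_NUMBER}"

node('docker') {
    stage('Checkout') {
        checkout scm
    }

    stage('Build') {
        sh "docker build -t ${image} ."
    }

    stage('Pre-registry scan') {
        // Scan the freshly built image through the pre-registry (default:
        // smartcheckHost on port 5000) before it ever reaches the production
        // registry. Assumption: the step fails the build when any count exceeds
        // its threshold, so zero here means "no malware and no defcon1/critical/
        // high finding of any kind". Severities omitted from the threshold
        // (medium and below) are not limited.
        smartcheckScan([
            imageName: image,
            smartcheckHost: 'smartcheck.example.com',
            smartcheckCredentialsId: 'smartcheck-auth',
            preregistryScan: true,
            preregistryCredentialsId: 'preregistry-auth',
            resultsFile: 'scan-results.json',   // the default, written out explicitly
            findingsThreshold: new groovy.json.JsonBuilder([
                malware: 0,
                vulnerabilities: [defcon1: 0, critical: 0, high: 0],
                contents: [defcon1: 0, critical: 0, high: 0],
                checklists: [defcon1: 0, critical: 0, high: 0],
            ]).toString(),
        ])
    }

    stage('Push') {
        // Only reached when the scan stage did not fail the build. The registry
        // secret is read from a Jenkins credential and passed to the shell via
        // environment variables in a single-quoted string, so it is never
        // interpolated into the pipeline source or the build log.
        withCredentials([usernamePassword(
            credentialsId: 'example-registry-auth',
            usernameVariable: 'REGISTRY_USER',
            passwordVariable: 'REGISTRY_PASSWORD',
        )]) {
            sh 'echo "$REGISTRY_PASSWORD" | docker login registry.example.com -u "$REGISTRY_USER" --password-stdin'
            sh "docker push ${image}"
        }
    }

    // Keep the raw findings next to the build record for later review;
    // allowEmptyArchive avoids a second failure if the scan step itself aborted.
    archiveArtifacts artifacts: 'scan-results.json', allowEmptyArchive: true
}
```

Because the scan runs against the pre-registry, a failed threshold check leaves nothing in `registry.example.com`; the archived `scan-results.json` is then the place to look for which category and severity tripped the limit.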
See DEVELOPMENT.md for instructions on getting started.
If you encounter a bug, think of a useful feature, or find something confusing in the docs, please create a new issue!
We :heart: pull requests. If you'd like to fix a bug, contribute to a feature or just correct a typo, please feel free to do so.
If you're thinking of adding a new feature, consider opening an issue first to discuss it and make sure it aligns with the direction of the project (and potentially save yourself some time!).
Official support from Trend Micro is not available. Individual contributors may be Trend Micro employees, but are not official support.