This repository is a Build Security Pipeline implemented with Jenkins. The pipeline generates an SBOM for your build artifacts and detects vulnerabilities in the packages those artifacts depend on.
| Tool | Version | Purpose |
|---|---|---|
| Docker | 24.0.5 | Building and pulling container images |
| Jenkins | 2.414.3 | CI tool |
| syft | v1.0.1 | SBOM generation tool |
| grype | v0.74.7 | Vulnerability detection tool |
| sbomdiff | v0.5.3 | SBOM diff detection tool |
| jq | 1.6 | JSON file formatting tool |
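As an added example (not code from this repository), the kind of gate the pipeline's grype step can apply: parse `grype -o json` output and fail the build when any match is at or above a severity threshold. The sample report and its CVE ids are constructed placeholders, and the JSON shape (`matches[].vulnerability`, `matches[].artifact`) is assumed from grype's output format, with only the fields the gate reads.

```python
import json
import sys

# Severity names as grype reports them, ranked so a threshold can be compared.
SEVERITY_RANK = {"unknown": 0, "negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample in the shape of `grype -o json` output (assumed structure;
# only the fields the gate reads). The CVE ids are placeholders, not real advisories.
SAMPLE_GRYPE_JSON = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-0000-0001", "severity": "High", "fix": {"state": "fixed", "versions": ["1.2.4"]}},
         "artifact": {"name": "libexample", "version": "1.2.3", "type": "deb"}},
        {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low", "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "tinyutil", "version": "0.9", "type": "python"}},
        {"vulnerability": {"id": "CVE-0000-0003", "severity": "Critical", "fix": {"state": "not-fixed", "versions": []}},
         "artifact": {"name": "coreparse", "version": "2.0.0", "type": "npm"}},
    ]
})

def findings_at_or_above(grype_json: str, threshold: str) -> list[dict]:
    """Return the matches whose severity is at or above `threshold`, most severe first."""
    floor = SEVERITY_RANK[threshold.lower()]
    out = []
    for m in json.loads(grype_json).get("matches", []):
        vuln = m["vulnerability"]
        rank = SEVERITY_RANK.get(vuln.get("severity", "unknown").lower(), 0)
        if rank < floor:
            continue
        out.append({
            "id": vuln["id"],
            "severity": vuln["severity"],
            "package": f'{m["artifact"]["name"]}@{m["artifact"]["version"]}',
            # An empty fix list means no patched release yet: worth showing explicitly.
            "fixed_in": ", ".join(vuln.get("fix", {}).get("versions", [])) or "-",
        })
    return sorted(out, key=lambda f: -SEVERITY_RANK[f["severity"].lower()])

def gate(grype_json: str, threshold: str = "High") -> int:
    """Exit status for a Jenkins `sh` step: 1 (fail the build) if anything meets the threshold."""
    hits = findings_at_or_above(grype_json, threshold)
    for f in hits:
        print(f'{f["severity"]:<9} {f["id"]:<14} {f["package"]} (fixed in: {f["fixed_in"]})')
    return 1 if hits else 0

if __name__ == "__main__":
    # Read a real report from stdin (e.g. `grype image:tag -o json | python gate.py`),
    # or fall back to the constructed sample when run interactively.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GRYPE_JSON
    sys.exit(gate(data))
```

A non-zero exit from the `sh` step marks the Jenkins stage as failed, so the threshold becomes the pipeline's release policy.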
To start this pipeline, you need to set up a Jenkins server running in a Docker container.
You can build the Jenkins server with the Dockerfile located at `JenkinsServer/Dockerfile`.
Run the following commands to build it:

```bash
git clone https://github.com/matsumokei/Jenkins-Build-Security-Pipeline.git
cd JenkinsServer
docker build -t jenkins-test .
```
Then start the container with `docker run` and the following options:

```bash
docker run -d \
  --name jenkins-test \
  -u $(id -u):$(id -g) \
  --group-add $(awk -F: '$1 == "docker" {print $3}' /etc/group) \
  --restart=on-failure \
  -v $HOME/jenkins_home:/var/jenkins_home \
  -v /var/run/docker.sock:/var/run/docker.sock \
  -p 8081:8080 \
  -p 50001:50000 \
  jenkins-test
```
The options `-u $(id -u):$(id -g)`, `--group-add $(awk -F: '$1 == "docker" {print $3}' /etc/group)` and `-v /var/run/docker.sock:/var/run/docker.sock` allow the Jenkins server to run the host's Docker from inside the container.
For how to execute the pipeline, see my Qiita articles (note: the articles are in Japanese):
- Integration with test automation
- Implementation of the SSVC algorithm
- Migration to Jenkinsfile