Integrating with Jenkins CI/CD
How to integrate Kubescape to Jenkins jobs
Use Jenkins Jobs to scan your YAML files for misconfigurations with Kubescape. Scan results are included as part of your Jenkins workflow.
Add scanning YAML files to your workflow
1. In Jenkins, create a Job.
2. Add an execute shell build step to download and install Kubescape:
```shell
echo "Installing Kubescape"
BIN_DIR="$JENKINS_HOME/.local/bin"
DOWNLOAD_URL="https://github.com/kubescape/kubescape/releases/latest/download/kubescape-ubuntu-latest"
OUTPUT="$BIN_DIR/kubescape"
# Create the target directory; -f makes curl fail on an HTTP error instead of saving the error page as the binary
mkdir -p "$BIN_DIR"
curl -fL "$DOWNLOAD_URL" -o "$OUTPUT"
chmod +x "$OUTPUT"
```
3. Add another build step to run a scan against your YAML files and write the results in JUnit format:
```shell
# Each execute shell build step runs in a fresh shell, so BIN_DIR has to be set again here
BIN_DIR="$JENKINS_HOME/.local/bin"
"$BIN_DIR/kubescape" scan --format junit --output results.xml *.yaml
```
4. Add a Post-build Action of type Publish JUnit test report.
5. Set Test report XMLs to `*results.xml`.
6. Run your job.
The results contain a list of failed controls. If you check the Status page, you can see the resources that failed.
For more information about Jenkins, refer to the Jenkins documentation.
For more information about Kubescape commands, refer to the Kubescape documentation.
Fail the job if there are too many security misconfigurations
If you want to use Kubescape as a security gate in your delivery process, you can set a failure threshold.
For example, to require that at least 80% of your objects pass the security checks, add -t 80 to the scan command in step 3:
```shell
BIN_DIR="$JENKINS_HOME/.local/bin"
"$BIN_DIR/kubescape" scan -t 80 --format junit --output results.xml *.yaml
```
With the threshold set, the job passes only when 80% or more of the security checks pass; if fewer than 80% pass, the job fails.
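The same job expressed as a declarative Jenkinsfile, added here as an example that is not part of the Kubescape or Jenkins documentation: it installs the scanner, runs the scan with the threshold, and still publishes the JUnit report when the gate fails. KUBESCAPE_VERSION is a placeholder for a release tag you pick, and the tagged-release download URL and the workspace-local BIN_DIR are assumptions, not values from this page.

```groovy
pipeline {
    agent any
    environment {
        // Assumption: pin a release tag instead of "latest" so every build runs the same scanner build
        KUBESCAPE_VERSION = 'vX.Y.Z'              // placeholder: choose a tag from the Kubescape releases page
        BIN_DIR = "${env.WORKSPACE}/.local/bin"   // assumed location; the page uses $JENKINS_HOME/.local/bin
        THRESHOLD = '80'                          // minimum percentage of passing checks, as in -t 80 above
    }
    stages {
        stage('Install Kubescape') {
            steps {
                sh '''
                    set -eu
                    mkdir -p "$BIN_DIR"
                    # Tagged-release asset URL (assumed pattern; the page downloads from .../latest/download/)
                    curl -fsSL "https://github.com/kubescape/kubescape/releases/download/${KUBESCAPE_VERSION}/kubescape-ubuntu-latest" \
                         -o "$BIN_DIR/kubescape"
                    chmod +x "$BIN_DIR/kubescape"
                '''
            }
        }
        stage('Scan manifests') {
            steps {
                // -t fails this stage (and so the build) when fewer than THRESHOLD percent of the checks pass
                sh '"$BIN_DIR/kubescape" scan -t "$THRESHOLD" --format junit --output results.xml *.yaml'
            }
        }
    }
    post {
        always {
            // Publish the report even when the scan stage failed, so the failed controls stay visible in Jenkins;
            // allowEmptyResults keeps this step from erroring if the install stage failed before any scan ran
            junit testResults: 'results.xml', allowEmptyResults: true
        }
    }
}
```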
Scan your entire cluster in your workflow
If you want to scan your entire cluster after applying a new YAML, the CI/CD worker that runs the job must be able to reach the target Kubernetes cluster.
Add a cluster scan
When you create the job to scan your cluster, replace the scan command in step 3 with the following:
```shell
BIN_DIR="$JENKINS_HOME/.local/bin"
"$BIN_DIR/kubescape" scan --exclude-namespaces kube-system,kube-public --format junit --output results.xml
```