Jenkins CI/CD

How to integrate Kubescape to Jenkins jobs

Scanning YAML files in your workflow

Basic setup

  1. Create a job.
  2. Add a build step of type "Execute shell" with the following commands, which download the Kubescape binary into a directory under JENKINS_HOME:

echo Installing Kubescape

# Install under JENKINS_HOME so no root access is needed on the agent.
BIN_DIR="$JENKINS_HOME/.local/bin"
mkdir -p "$BIN_DIR"

DOWNLOAD_URL="https://github.com/kubescape/kubescape/releases/latest/download/kubescape-ubuntu-latest"
OUTPUT="$BIN_DIR/kubescape"
# -f makes curl fail on an HTTP error instead of saving the error page as the binary.
curl -fL "$DOWNLOAD_URL" -o "$OUTPUT"

chmod +x "$BIN_DIR/kubescape"

  3. Add another build step to run the scan:

$BIN_DIR/kubescape scan --format junit --output results.xml *.yaml

  4. Add a "Post-build Action" of type "Publish JUnit test report" and point "Test report XMLs" to *results.xml.
  5. Run your job.

The published report lists the failed controls; expanding a control shows the resources that failed it.

Failing the job with too many security issues

If you want to use Kubescape not only for reporting but also as a security gate in your delivery process, you can set a failure threshold.

For example, to require that at least 80% of your objects pass the security checks, invoke the scan with the -t option and the desired percentage:

$BIN_DIR/kubescape scan -t 80 *.yaml

The command returns a non-zero exit code, and the build step fails, when the result falls below 80%.
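As an added example (not code from the Kubescape docs or project), the following POSIX shell gate reads the pass percentage out of the JUnit report the scan writes and fails the step below a threshold, which is what the -t option does for you. It assumes the <testsuites> root element carries tests and failures counts on one line; the sample report it writes is constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the Kubescape docs): computes the pass percentage from a
# JUnit report and fails the build step below a threshold, mirroring what -t does.
# Assumption: the report root is <testsuites ... tests="N" failures="M" ...> on one
# line, as JUnit-style reporters emit; the sample below is constructed, not real output.

# Read a numeric attribute from the <testsuites> root element.
junit_attr() {  # usage: junit_attr FILE ATTR
    sed -n 's/.*<testsuites[^>]*[[:space:]]'"$2"'="\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

# Print the integer percentage of passing tests; 0 if the report has no tests.
junit_pass_pct() {  # usage: junit_pass_pct FILE
    tests=$(junit_attr "$1" tests)
    failures=$(junit_attr "$1" failures)
    if [ -z "$tests" ] || [ "$tests" -eq 0 ]; then echo 0; return 0; fi
    echo $(( ($tests - ${failures:-0}) * 100 / $tests ))
}

# Exit status 0 when the pass percentage meets THRESHOLD, 1 otherwise (fails the step).
junit_gate() {  # usage: junit_gate FILE THRESHOLD
    pct=$(junit_pass_pct "$1")
    if [ "$pct" -ge "$2" ]; then
        echo "PASS: $pct% of resources passed (threshold $2%)"
        return 0
    fi
    echo "FAIL: only $pct% of resources passed (threshold $2%)" >&2
    return 1
}

# Constructed sample standing in for results.xml (abbreviated: only one suite shown).
sample_report() {  # usage: sample_report [FILE]; prints the file path
    f=${1:-${TMPDIR:-/tmp}/kubescape-sample-results.xml}
    cat > "$f" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<testsuites name="kubescape" tests="10" failures="3" errors="0">
  <testsuite name="example-control" tests="2" failures="1">
    <testcase name="Deployment/api" classname="example-control"/>
    <testcase name="Deployment/web" classname="example-control">
      <failure message="resource failed the control"/>
    </testcase>
  </testsuite>
</testsuites>
EOF
    echo "$f"
}

# Stand-alone use from an "Execute shell" step:  sh gate.sh results.xml 80
if [ $# -gt 0 ]; then junit_gate "$1" "${2:-80}"; fi
```

Run it as an extra "Execute shell" step after the scan so the build fails on the same report that the JUnit publisher displays.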

Scanning your entire cluster in your workflow

Sometimes you will want to scan your entire cluster after applying the new YAML.
In this case, the CI/CD worker needs access to the target Kubernetes cluster.

Adding a cluster scan

Follow the instructions in "Scanning YAML files in your workflow" and replace the scan step with:

$BIN_DIR/kubescape scan --exclude-namespaces kube-system,kube-public --format junit --output results.xml .