Jenkins CI/CD

How to integrate Kubescape to Jenkins jobs

Scanning YAML files in your workflow

Basic setup

  1. Create a Job
  2. Add a build step "Execute shell" and add the following commands:

     echo Installing Kubescape

     # Install location under the Jenkins home directory
     BIN_DIR=$JENKINS_HOME/.local/bin
     mkdir -p "$BIN_DIR"

     DOWNLOAD_URL="https://github.com/armosec/kubescape/releases/latest/download/kubescape-ubuntu-latest"
     OUTPUT=$BIN_DIR/kubescape
     # -f: fail on an HTTP error instead of saving an error page as the binary; -L: follow the release redirect
     curl -fL "$DOWNLOAD_URL" -o "$OUTPUT"

     chmod +x "$OUTPUT"

  3. Add another build step that runs the scan:

     $BIN_DIR/kubescape scan framework nsa --format junit --output results.xml *.yaml

  4. Add a "Post-build Action" of type "Publish JUnit test report" and point "Test report XMLs" to *results.xml
  5. Run your job

The results will contain a list of failed controls. Expanding a control shows the resources that failed it.


Failing the job with too many security issues

If you want to use Kubescape not only for logging but also as a security gate in your delivery process, you can set a failure threshold.

For example, if you want to make sure that at least 80% of your objects pass the security checks, invoke the Kubescape scan with the -t option and the appropriate value:

$BIN_DIR/kubescape scan framework nsa -t 80 *.yaml

This returns a failure if the results fall below 80%, which fails the build step.

Scanning your entire Cluster in your workflow

In some cases you will want to scan your entire cluster after applying the new YAML.
Note that in this case the CI/CD worker needs access to the target K8s cluster.

Adding Cluster Scan

Follow the instructions for scanning YAML files, but replace the scan step with:

$BIN_DIR/kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml *.yaml
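The same YAML scan, threshold gate and optional cluster scan expressed as a declarative Jenkinsfile, as an added example that is not part of the original page or the Kubescape project. It assumes the binary is installed into the job workspace rather than $JENKINS_HOME, that -t and --format can be combined in one invocation, that a scan with no file arguments targets the cluster the worker's kubeconfig points to, and a hypothetical SCAN_CLUSTER parameter.

```groovy
pipeline {
    agent any
    parameters {
        // Hypothetical switch: also scan the live cluster (the worker needs cluster access)
        booleanParam(name: 'SCAN_CLUSTER', defaultValue: false,
                     description: 'Scan the whole cluster after applying the YAML')
    }
    environment {
        // Assumed install location: inside the job workspace instead of $JENKINS_HOME
        BIN_DIR = "${env.WORKSPACE}/.local/bin"
        DOWNLOAD_URL = 'https://github.com/armosec/kubescape/releases/latest/download/kubescape-ubuntu-latest'
    }
    stages {
        stage('Install Kubescape') {
            steps {
                sh '''
                    mkdir -p "$BIN_DIR"
                    # -f: exit non-zero on an HTTP error instead of saving an error page as the binary
                    curl -fsSL "$DOWNLOAD_URL" -o "$BIN_DIR/kubescape"
                    chmod +x "$BIN_DIR/kubescape"
                '''
            }
        }
        stage('Scan YAML') {
            steps {
                // JUnit report for the post section plus the -t 80 gate from the page:
                // a non-zero exit code fails this stage, and therefore the build
                sh '"$BIN_DIR/kubescape" scan framework nsa -t 80 --format junit --output results.xml *.yaml'
            }
        }
        stage('Scan cluster') {
            when { expression { return params.SCAN_CLUSTER } }
            steps {
                // No file arguments: assumed to scan the cluster from the worker's kubeconfig
                sh '"$BIN_DIR/kubescape" scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output cluster-results.xml'
            }
        }
    }
    post {
        always {
            // Equivalent of the "Publish JUnit test report" post-build action; runs even when the gate fails
            junit allowEmptyResults: true, testResults: '*results.xml'
        }
    }
}
```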
