Jenkins CI/CD
How to integrate Kubescape to Jenkins jobs
Scanning YAML files in your workflow
Basic setup
- Create a Job
- Add a build step of type "Execute shell" with the following commands. The mkdir is required because $JENKINS_HOME/.local/bin does not exist on a fresh worker, and curl -f makes the step fail on an HTTP error instead of saving an error page as the binary:
echo Installing Kubescape
BIN_DIR=$JENKINS_HOME/.local/bin
mkdir -p $BIN_DIR
DOWNLOAD_URL="https://github.com/kubescape/kubescape/releases/latest/download/kubescape-ubuntu-latest"
OUTPUT=$BIN_DIR/kubescape
curl -fL $DOWNLOAD_URL -o $OUTPUT
chmod +x $OUTPUT
Note that "latest" pulls whatever binary was most recently released; for a build worker it is safer to pin a release and verify its checksum before running it.
- Add another "Execute shell" build step that runs the scan and writes the results as a JUnit report:
$BIN_DIR/kubescape scan --format junit --output results.xml *.yaml
- Add a "Post-build Action" of type "Publish JUnit test report" and point "Test report XMLs" to *results.xml
- Run your job
The published report lists the failed controls; expanding a failed control shows the resources that failed it.
Failing the job with too many security issues
If you want to use Kubescape not only for logging but also as a security gate in your delivery process, set a failure threshold.
For example, to require that at least 80% of your objects pass the security checks, invoke the scan with the -t option and the percentage:
$BIN_DIR/kubescape scan -t 80 *.yaml
Kubescape then exits with a non-zero status when the result drops below 80%, which marks the Jenkins build as failed. The -t option can be combined with --format junit --output results.xml so that a single run both publishes the report and gates the build. Confirm the exact meaning of the threshold flag with kubescape scan --help for the version you installed, since the threshold flags differ between releases.
Scanning your entire Cluster in your workflow
Sometimes you will want to scan the entire cluster after applying the new YAML.
In this case the CI/CD worker needs access to the target Kubernetes cluster. Provide a kubeconfig (for example as a Jenkins secret-file credential exported as KUBECONFIG in the build step) that is bound to a service account with read-only RBAC; the scan only reads cluster resources, so the worker should not hold credentials that can modify the cluster.
Adding Cluster Scan
Follow the instructions for scanning YAML files above and replace the scan step with:
$BIN_DIR/kubescape scan --exclude-namespaces kube-system,kube-public --format junit --output results.xml
Without file arguments Kubescape scans the cluster that the worker's kubeconfig points at rather than files in the workspace.
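The install, file-scan gate and cluster-scan steps above, combined into one script that can be pasted into an "Execute shell" build step and selected with an argument. This is an added example and not Kubescape's or this page's own code. Instead of pulling "latest" it downloads a pinned release and refuses to install it unless the SHA-256 you recorded matches. The v<version> tag format, the asset name under a pinned tag, the KUBESCAPE_* variable names and the JUnit parsing are assumptions to confirm against the Kubescape release you use.

```shell
# Added example for the Jenkins "Execute shell" build step; not Kubescape's own script.
# Assumptions: release tags are v<version> and the asset keeps the name
# kubescape-ubuntu-latest; KUBESCAPE_* variables are set as Jenkins job parameters.
set -eu

KUBESCAPE_VERSION="${KUBESCAPE_VERSION:-2.0.183}"   # pinned release (assumed tag), not "latest"
KUBESCAPE_SHA256="${KUBESCAPE_SHA256:-}"            # SHA-256 you recorded for that asset; empty skips the check
KUBESCAPE_THRESHOLD="${KUBESCAPE_THRESHOLD:-80}"    # passed to -t for the gate step
BIN_DIR="${JENKINS_HOME:-$HOME}/.local/bin"

# Pinned release asset URL (GitHub release layout: releases/download/<tag>/<asset>).
kubescape_release_url() {
    printf 'https://github.com/kubescape/kubescape/releases/download/v%s/kubescape-ubuntu-latest\n' "$1"
}

# Return 0 if the file's SHA-256 matches the expected digest, 1 otherwise.
verify_sha256() {
    actual="$(sha256sum "$1" | cut -d' ' -f1)"
    [ "$actual" = "$2" ]
}

# Read failures="N" from the <testsuites> root of a JUnit report (standard JUnit layout assumed).
junit_failures() {
    sed -n 's/.*<testsuites[^>]*failures="\([0-9][0-9]*\)".*/\1/p' "$1" | head -n 1
}

install_kubescape() {
    mkdir -p "$BIN_DIR"                      # missing from the page's step; curl fails on a fresh worker without it
    tmp="$(mktemp)"
    # -f: an HTTP error fails the step instead of saving an error page as the binary
    curl -fsSL "$(kubescape_release_url "$KUBESCAPE_VERSION")" -o "$tmp"
    if [ -n "$KUBESCAPE_SHA256" ] && ! verify_sha256 "$tmp" "$KUBESCAPE_SHA256"; then
        echo "kubescape checksum mismatch, refusing to install" >&2
        rm -f "$tmp"
        return 1
    fi
    install -m 0755 "$tmp" "$BIN_DIR/kubescape"
    rm -f "$tmp"
}

# Select the step with the first argument, e.g. "sh kubescape-step.sh install"
case "${1:-}" in
    install) install_kubescape ;;
    files)   # scan manifests, write the JUnit report, and gate on the threshold in one run
        "$BIN_DIR/kubescape" scan -t "$KUBESCAPE_THRESHOLD" --format junit --output results.xml ./*.yaml
        echo "failed controls: $(junit_failures results.xml)" ;;
    cluster) # no file arguments: scans the cluster that KUBECONFIG points at
        "$BIN_DIR/kubescape" scan --exclude-namespaces kube-system,kube-public \
            --format junit --output results.xml ;;
    *) echo "usage: $0 install|files|cluster" >&2 ;;
esac
```

Run the install step once per worker and the files or cluster step in the job, keeping the "Publish JUnit test report" post-build action pointed at *results.xml. Because set -e is in effect, a non-zero exit from the threshold check ends the step and fails the build, which is the gate behaviour described above.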