deepfence · ramanan-ravi · Dec 24, 2024 · Dec 24, 2024
diff --git a/ci-cd-integrations/jenkins/README.md b/ci-cd-integrations/jenkins/README.md
@@ -1,58 +1,17 @@
-# Jenkins example for Deepfence Vulnerability Mapper
+# Jenkins example
 
-This project demonstrates using Deepfence Vulnerability Mapper in Jenkins build pipeline.
-After customer's image is built, Deepfence Vulnerability Mapper is run on the image and results are sent to Deepfence management console for further analysis.
-There is also an option to fail the build in case number of vulnerabilities crosses given limit.
+### Vulnerability Scan
 
-| Variable                            | Description                                                                                                                              |
-|-------------------------------------|------------------------------------------------------------------------------------------------------------------------------------------|
-| def deepfence_mgmt_console_url = '' | Deepfence management console url                                                                                                         |
-| def deepfence_key = ""              | API key can be found on settings page of the deepfence                                                                                   |
-| def fail_cve_count = 100            | Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities.                   |
-| def fail_critical_cve_count = 1     | Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities. |
-| def fail_high_cve_count = 5         | Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities.         |
-| def fail_medium_cve_count = 10      | Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities.     |
-| def fail_low_cve_count = 20         | Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities.           |  
-| def fail_cve_score = 8              | Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.                                     |
-| def mask_cve_ids = ""               | Comma separated. Example: "CVE-2019-9168,CVE-2019-9169"                                                                                  |
-| def deepfence_license = ""               | ThreatMapper or ThreatStryker                                                                                  |
-| def deepfence_product = ""               | ThreatMapper or ThreatStryker license key                                                                                  |
+Please refer the following files
+- vulnerabilities_scripted_pipeline.Jenkinsfile
+- vulnerabilities_declarative_pipeline.Jenkinsfile
 
-## Steps
-- Ensure `quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2` image is present in the vm where jenkins is installed.
-```shell script
-docker pull quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2
-```
-### Scripted Pipeline
-```
-stage('Run Deepfence Vulnerability Mapper'){
-    DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
-    try {
-        c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
-        sh "docker logs -f ${c.id}"
-        def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true
-        sh "exit ${out}"
-    } finally {
-        c.stop()
-    }
-}
-```
-### Declarative Pipeline
-```
-stage('Run Deepfence Vulnerability Mapper'){
-    steps {
-        script {
-            DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
-            try {
-                c = DeepfenceAgent.run("-it --net=host -v /var/run/docker.sock:/var/run/docker.sock", "-deepfence-key=${deepfence_key} -vulnerability-scan=true -output=table -mode=local -mgmt-console-url=${deepfence_mgmt_console_url} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
-                sh "docker logs -f ${c.id}"
-                def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true
-                sh "exit ${out}"
-            } finally {
-                c.stop()
-            }
-        }
-    }
-}
-```
-- Set `deepfence_mgmt_console_url`, `fail_cve_count` variables in Jenkinsfile
+### Secret Scan
+
+Please refer the following file
+- secrets.Jenkinsfile
+
+### Malware Scan
+
+Please refer the following file
+- malwares.Jenkinsfile
diff --git a/ci-cd-integrations/jenkins/vulnerabilities_declarative_pipeline.Jenkinsfile b/ci-cd-integrations/jenkins/vulnerabilities_declarative_pipeline.Jenkinsfile
@@ -0,0 +1,40 @@
+node {
+    def app
+    def full_image_name = 'deepfenceio/jenkins-example:latest'
+    def deepfence_mgmt_console_url = '127.0.0.1' // URL address of Deepfence management console Note - Please do not mention port 
+    def fail_cve_count = 100 // Fail jenkins build if number of vulnerabilities found is >= this number. Set -1 to pass regardless of vulnerabilities.
+    def fail_critical_cve_count = 1 // Fail jenkins build if number of critical vulnerabilities found is >= this number. Set -1 to pass regardless of critical vulnerabilities.
+    def fail_high_cve_count = 5 // Fail jenkins build if number of high vulnerabilities found is >= this number. Set -1 to pass regardless of high vulnerabilities.
+    def fail_medium_cve_count = 10 // Fail jenkins build if number of medium vulnerabilities found is >= this number. Set -1 to pass regardless of medium vulnerabilities.
+    def fail_low_cve_count = 20 // Fail jenkins build if number of low vulnerabilities found is >= this number. Set -1 to pass regardless of low vulnerabilities.            
+    def fail_cve_score = 8 // Fail jenkins build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score.
+    def mask_cve_ids = "" // Comma separated. Example: "CVE-2019-9168,CVE-2019-9169"
+    def deepfence_key = "" // API key can be found on settings page of the deepfence 
+    def deepfence_license = "" // ThreatMapper or ThreatStryker
+    def deepfence_product = "" // ThreatMapper or ThreatStryker license key
+
+    stage('Clone repository') {
+        checkout scm
+    }
+
+    stage('Build image') {
+        app = docker.build("${full_image_name}", "-f ci-cd-integrations/jenkins/Dockerfile .")
+    }
+
+    stage('Run Deepfence Vulnerability Mapper'){
+        steps {
+            script {
+                DeepfenceAgent = docker.image("quay.io/deepfenceio/deepfence_package_scanner_cli:2.5.2")
+                try {
+                    c = DeepfenceAgent.run("-it --net=host --privileged -v /var/run/docker.sock:/var/run/docker.sock:rw", "-deepfence-key=${deepfence_key} -console-url=${deepfence_mgmt_console_url} -product=${deepfence_product} -license=${deepfence_license} -source=${full_image_name} -fail-on-count=${fail_cve_count} -fail-on-critical-count=${fail_critical_cve_count} -fail-on-high-count=${fail_high_cve_count} -fail-on-medium-count=${fail_medium_cve_count} -fail-on-low-count=${fail_low_cve_count} -fail-on-score=${fail_cve_score} -mask-cve-ids='${mask_cve_ids}'")
+                    sh "docker logs -f ${c.id}"
+                    def out = sh script: "docker inspect ${c.id} --format='{{.State.ExitCode}}'", returnStdout: true
+                    sh "exit ${out}"
+                } finally {
+                    c.stop()
+                }
+            }
+        }
+    }
+
+}
diff --git a/...tions/jenkins/vulnerabilities.Jenkinsfile → ...erabilities_scripted_pipeline.Jenkinsfile b/...tions/jenkins/vulnerabilities.Jenkinsfile → ...erabilities_scripted_pipeline.Jenkinsfile