Security Features

Security addons for Jenkins X

Jenkins X has a few useful addons that can help ensure the ongoing security of your deployed applications. Static (container image) security addons and dynamic security addons are available.

Static security

The Anchore Engine is used to provide image security by examining the contents of container images, either while they are in the pull request/review state or when they are already running.

This addon was introduced in this blog post.

To enable this run the following command and let it prepare the services:

jx create addon anchore

This will launch the required engine and services, and make them available to run on any of your team's environments and on any running preview applications.

To try it out, you can use the following command to report on any problems found:

jx get cve --environment=staging

Here is a video showing it in action. To remove this addon:

jx delete addon anchore

Dynamic security

The Open Web Application Security Project (OWASP) publishes a tool called ZAP, the Zed Attack Proxy. It provides various tools, including a baseline command that can be run against an application endpoint to look for a base set of problems.

In Jenkins X this can be run against a Preview Application (that each application gets) by creating a post-preview hook:

jx create addon owasp-zap

Any pull request will then have its preview application run through the ZAP baseline scan, and should any failures be detected the CI pipeline will fail automatically. The pipelines do not need to be changed to run this test, and it applies to all pull requests for the team.

To remove the ZAP test:

jx delete post preview job --name owasp-zap

The post preview hook can also be configured with a command like:

jx create post preview job --name owasp --image owasp/zap2docker-weekly:latest -c "zap-baseline.py" -c "-I" -c "-t" -c "\$(JX_PREVIEW_URL)"

You can have multiple hooks configured, so if you have specific containers with probes/tests that you would like to run against every preview app (i.e. every pull request), you can add them this way.
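The `-I` argument in the hook above tells zap-baseline.py not to return a failure on warnings, so the scan only fails the pipeline on outright FAIL rules. A team that wants to gate on the risk level of the alerts instead can have the scan also write a JSON report (`-J report.json`) and post-process it in the same hook. The following is an added example, not part of the Jenkins X project or this page; it assumes the layout of ZAP's JSON report (`site[].alerts[].riskcode`, where 0 to 3 mean Informational to High) and uses a constructed sample report rather than real scan output.

```python
"""Gate a ZAP baseline JSON report on alert risk level (added example).

Assumed report layout (ZAP JSON report):
  {"site": [{"@name": "...", "alerts": [{"pluginid": "...", "alert": "...", "riskcode": "3"}]}]}
"""
import json
import sys

RISK_NAMES = {0: "Informational", 1: "Low", 2: "Medium", 3: "High"}


def failing_alerts(report, min_risk=3):
    """Return (pluginid, alert name, risk name) for every alert at or above min_risk."""
    found = []
    for site in report.get("site", []):
        for alert in site.get("alerts", []):
            risk = int(alert.get("riskcode", 0))
            if risk >= min_risk:
                found.append((alert.get("pluginid"), alert.get("alert"),
                              RISK_NAMES.get(risk, str(risk))))
    return found


def gate(report_path, min_risk=3):
    """Exit status for a post-preview hook: 1 if any alert meets the threshold, else 0."""
    with open(report_path) as fh:
        report = json.load(fh)
    bad = failing_alerts(report, min_risk)
    for pluginid, name, risk in bad:
        print(f"{risk}: {name} (plugin {pluginid})")
    return 1 if bad else 0


# Constructed sample report for offline demonstration; not output of a real scan.
SAMPLE_REPORT = {
    "site": [{
        "@name": "http://preview.example.test",
        "alerts": [
            {"pluginid": "10038", "alert": "Content Security Policy (CSP) Header Not Set", "riskcode": "2"},
            {"pluginid": "40012", "alert": "Cross Site Scripting (Reflected)", "riskcode": "3"},
            {"pluginid": "10021", "alert": "X-Content-Type-Options Header Missing", "riskcode": "1"},
        ],
    }]
}

if __name__ == "__main__":
    # Usage in a hook: python gate_zap.py report.json ; with no argument the sample is used.
    if len(sys.argv) > 1:
        sys.exit(gate(sys.argv[1]))
    sys.exit(1 if failing_alerts(SAMPLE_REPORT) else 0)
```

With the default threshold only the High alert fails the run; lowering `min_risk` to 2 also fails on Medium alerts such as a missing CSP header.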

Last modified October 17, 2019: release 0.0.1140 (49542bb)