Jenkins

Scanning steps can be added to your Jenkinsfile by making use of our CLI installer.

Before doing so, you must make the BoostSecurity API Token available in your credentials. If you do not already have an API token created, you may create one on the dashboard Settings Page.

Additionally, the CLI must run in a context where it can pull from the remote Git repository; differential scanning depends on this.

Once everything is ready, a scanning step can be added, for example:

pipeline {
  agent any

  environment {
    // Expose the api token as an environment variable
    BOOST_API_TOKEN = credentials('boost-api-token')
  }

  options {
    // Skip default checkout so that we may expose env vars later
    skipDefaultCheckout(true)
  }

  stages {
    stage('BoostSecurity Scanner') {
      steps {
        script {
          // Ensure SCM parameters are exposed as env vars
          def scmVars = checkout scm
          scmVars.each { k, v ->
            env."${k}" = v
          }
        }

        sh label: "download the boost cli",
          script: """
            curl -s https://assets.build.boostsecurity.io/boost-cli/get-boost-cli | bash
          """

        // Expose GIT credentials to support pulling.
        withCredentials([gitUsernamePassword(credentialsId: "github-token")]) {
          // Execute the BoostSecurity Semgrep scanner module
          sh label: "scan with boostsecurityio/semgrep",
            script: """
              export BOOST_SCANNER_REGISTRY_MODULE="boostsecurityio/semgrep"
              "${env.WORKSPACE_TMP}/boost-cli/latest" scan repo
            """
        }
      }
    }
  }
}

Jenkins for source scanning

This configuration suits scanner modules that perform SAST scanning or build an SBOM inventory from source code.

Note

Even if the pipeline is configured to run the SBOM scanner on pull requests, the SBOM scanner does not collect components inventory on pull requests.

  stages {
    stage('BoostSecurity Scanner') {
      steps {
        script {
          def scmVars = checkout scm
          scmVars.each { k, v ->
            env."${k}" = v
          }
        }

        sh label: "download the boost cli",
          script: """
            curl -s https://assets.build.boostsecurity.io/boost-cli/get-boost-cli | bash
          """

        withCredentials([gitUsernamePassword(credentialsId: "github-token")]) {
          sh label: "scan with boostsecurityio/semgrep",
            script: """
              export BOOST_SCANNER_REGISTRY_MODULE="boostsecurityio/semgrep"
              "${env.WORKSPACE_TMP}/boost-cli/latest" scan repo
            """
        }
      }
    }

    stage('BoostSecurity SBOM') {
      when {
        // SBOM generation should only occur on the main branch
        branch 'main'
      }

      steps {
        script {
          def scmVars = checkout scm
          scmVars.each { k, v ->
            env."${k}" = v
          }
        }

        sh label: "download the boost cli",
          script: """
            curl -s https://assets.build.boostsecurity.io/boost-cli/get-boost-cli | bash
          """

        withCredentials([gitUsernamePassword(credentialsId: "github-token")]) {
          sh label: "scan with boostsecurityio/trivy-sbom",
            script: """
              export BOOST_SCANNER_REGISTRY_MODULE="boostsecurityio/trivy-sbom"
              "${env.WORKSPACE_TMP}/boost-cli/latest" scan repo
            """
        }
      }
    }
  }

Jenkins for scanning generated artifacts

This configuration suits scanner modules that scan artifacts produced by the build. For example, scanner modules that generate an SBOM from a container image, or scan that image for vulnerabilities, need the image to be built first.

Add the BoostSecurity scanner module-related stanza to your build pipeline, for example:

  stages {
    stage('BoostSecurity Scanner') {
      steps {
        script {
          def scmVars = checkout scm
          scmVars.each { k, v ->
            env."${k}" = v
          }
        }

        sh label: "download the boost cli",
          script: """
            curl -s https://assets.build.boostsecurity.io/boost-cli/get-boost-cli | bash
          """

        script {
          // Groovy variables and docker.build (Docker Pipeline plugin) must be
          // inside a script block; declarative steps {} only accepts steps.
          def dockerfile = 'Dockerfile.test'
          def customImage = docker.build("my-image:${env.BUILD_ID}",
                                         "-f ${dockerfile} ./dockerfiles")
        }

        withCredentials([gitUsernamePassword(credentialsId: "github-token")]) {
          sh label: "scan with boostsecurityio/trivy-image",
            script: """
              export BOOST_IMAGE_NAME="my-image:${env.BUILD_ID}"
              export BOOST_SCANNER_REGISTRY_MODULE="boostsecurityio/trivy-image"
              "${env.WORKSPACE_TMP}/boost-cli/latest" scan repo
            """
        }
      }
    }
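The three stanzas above each repeat the checkout, the CLI download and the credential block. The following Jenkinsfile is an added example, not code from the BoostSecurity documentation or CLI: it runs the same three modules (semgrep, trivy-sbom on main only, trivy-image after a docker build) through one shared helper, so the CLI is downloaded once per build and the Git credentials are scoped to the scan step only. The credential ids `boost-api-token` and `github-token`, the image name `my-image` and `Dockerfile.test` are placeholders carried over from the page's examples; the helper name `boostScan` is hypothetical. It assumes the Docker Pipeline plugin for `docker.build` and the Git plugin's `gitUsernamePassword` binding, as the page's own examples do.

```groovy
// Helper: run one BoostSecurity scanner module. Module-specific variables
// (e.g. BOOST_IMAGE_NAME) are passed through withEnv rather than interpolated
// into the shell string, so nothing sensitive is expanded on the Groovy side.
def boostScan(String module, List<String> extraEnv = []) {
    withEnv(["BOOST_SCANNER_REGISTRY_MODULE=${module}"] + extraEnv) {
        // Git credentials are only in scope while the CLI runs (differential pulls).
        withCredentials([gitUsernamePassword(credentialsId: 'github-token')]) {
            // Single-quoted: WORKSPACE_TMP is expanded by the shell, not by Groovy.
            sh label: "scan with ${module}",
               script: '"$WORKSPACE_TMP/boost-cli/latest" scan repo'
        }
    }
}

pipeline {
    agent any

    environment {
        // API token bound once for the whole build; Jenkins masks it in the log.
        BOOST_API_TOKEN = credentials('boost-api-token')
    }

    options {
        // Check out explicitly so the SCM variables can be exported to env.
        skipDefaultCheckout(true)
    }

    stages {
        stage('Checkout') {
            steps {
                script {
                    // Expose GIT_BRANCH, GIT_COMMIT, GIT_URL, ... to later sh steps.
                    checkout(scm).each { k, v -> env."${k}" = v }
                }
            }
        }

        stage('Install BoostSecurity CLI') {
            steps {
                // Downloaded once; every scan stage below reuses it from WORKSPACE_TMP.
                sh label: 'download the boost cli',
                   script: 'curl -s https://assets.build.boostsecurity.io/boost-cli/get-boost-cli | bash'
            }
        }

        stage('SAST') {
            steps {
                script { boostScan('boostsecurityio/semgrep') }
            }
        }

        stage('SBOM (main only)') {
            // SBOM inventory is only collected on the main branch.
            when { branch 'main' }
            steps {
                script { boostScan('boostsecurityio/trivy-sbom') }
            }
        }

        stage('Container image') {
            steps {
                script {
                    // Build first; the image scanner needs a local image to inspect.
                    def image = "my-image:${env.BUILD_ID}"
                    docker.build(image, '-f Dockerfile.test ./dockerfiles')
                    boostScan('boostsecurityio/trivy-image', ["BOOST_IMAGE_NAME=${image}"])
                }
            }
        }
    }
}
```

All scan stages run on the same `agent any` executor, which is what lets the CLI installed in the second stage be reused from `WORKSPACE_TMP`; if a stage declares its own agent, move the download into that stage.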