by-pinja/ci-image-vulnerability-scan

DEPRECATION NOTICE

This repository is no longer maintained but will be available

Jenkins CI Image Vulnerability Scan

This is a setup for scanning a built Docker image for vulnerabilities with CoreOS Clair from Jenkins. Clairctl is used to analyse the image and produce HTML reports. The setup exists to keep vulnerable Docker images out of deployment by checking them before they are deployed.

How does it work?

  1. Jenkins builds a Docker image which contains all the tools.
  2. The Clairctl script pushes the Docker image layers to Clair, analyses the layers and creates an HTML report containing the CVE details.
  3. The Clairctl script aborts the remaining Jenkins build if the Docker image contains too many high-severity vulnerabilities.

What are the files for?

Jenkinsfile builds the Clairctl binary with the golang:1.8 image. The Clairctl binary is then placed in the same Jenkins workspace so it can be copied into the image built from the Dockerfile.

Dockerfile is used by Docker to build the Docker image containing the kubectl binary, the Docker binary, the Clairctl binary, the Clairctl script and the configuration file.

Clairctl.yml is the configuration file for Clairctl; it contains the Clair URI and the location for the generated HTML reports.

Clairctl.groovy is a Groovy script in which Clairctl generates the HTML report of the specified Docker image. Jenkins' HTML Publisher Plugin archives the report for you to inspect. The script then uses 'if else' statements to check the count of vulnerabilities at every severity level in the HTML report. If there are too many vulnerabilities of a given severity level, the build is set to failed.
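The severity gate described in step 3 and in the Clairctl.groovy paragraph above (count findings per severity in the report, fail the build past a threshold) can be written as a small script that a Jenkins step calls. The block below is an added example and is not the project's own Clairctl.groovy; the HTML shape it parses (one `<td class="severity">` cell per finding), the sample report, the CVE placeholders and the thresholds are all constructed assumptions, so the regex must be adapted to whatever markup the real clairctl report uses.

```python
import re
import sys
from collections import Counter

# Clair's severity vocabulary, least to most severe.
SEVERITIES = ("Unknown", "Negligible", "Low", "Medium", "High", "Critical", "Defcon1")

# Maximum findings allowed per severity before the build fails.
# Assumed values for illustration, not the project's settings.
DEFAULT_THRESHOLDS = {"Critical": 0, "High": 0, "Medium": 10}

# Constructed sample report: an assumed minimal shape with one table row per
# finding and the severity in a dedicated cell. CVE ids are placeholders.
SAMPLE_REPORT = """
<table>
<tr><td>CVE-XXXX-0001</td><td class="severity">Critical</td><td>pkg-a</td></tr>
<tr><td>CVE-XXXX-0002</td><td class="severity">High</td><td>pkg-b</td></tr>
<tr><td>CVE-XXXX-0003</td><td class="severity">high</td><td>pkg-c</td></tr>
<tr><td>CVE-XXXX-0004</td><td class="severity">Medium</td><td>pkg-d</td></tr>
<tr><td>CVE-XXXX-0005</td><td class="severity">Medium</td><td>pkg-e</td></tr>
<tr><td>CVE-XXXX-0006</td><td class="severity">Medium</td><td>pkg-f</td></tr>
<tr><td>CVE-XXXX-0007</td><td class="severity">Low</td><td>pkg-g</td></tr>
<tr><td>CVE-XXXX-0008</td><td class="severity">Negligible</td><td>pkg-h</td></tr>
</table>
"""

# Assumed markup: adjust this pattern to the real report's severity cell.
SEVERITY_CELL_RE = re.compile(r'<td class="severity">\s*(\w+)\s*</td>')


def count_by_severity(html: str) -> Counter:
    """Count findings per severity; anything outside Clair's vocabulary is 'Unknown'."""
    counts = Counter()
    for raw in SEVERITY_CELL_RE.findall(html):
        sev = raw.capitalize()  # tolerate lower-case cells such as "high"
        counts[sev if sev in SEVERITIES else "Unknown"] += 1
    return counts


def evaluate(counts, thresholds=DEFAULT_THRESHOLDS):
    """Return violation messages, most severe first; an empty list means the gate passes."""
    violations = []
    for sev in reversed(SEVERITIES):
        if sev in thresholds and counts.get(sev, 0) > thresholds[sev]:
            violations.append(f"{sev}: {counts[sev]} found, max {thresholds[sev]} allowed")
    return violations


def gate(html, thresholds=DEFAULT_THRESHOLDS):
    """True if the image may be deployed, False if any threshold is exceeded."""
    return not evaluate(count_by_severity(html), thresholds)


if __name__ == "__main__":
    # Usage: python clair_gate.py report.html  (no argument runs the sample)
    html = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    counts = count_by_severity(html)
    for sev in reversed(SEVERITIES):
        print(f"{sev:>10}: {counts.get(sev, 0)}")
    problems = evaluate(counts)
    for p in problems:
        print("FAIL:", p)
    # A non-zero exit status is what makes a Jenkins `sh` step fail the build.
    sys.exit(1 if problems else 0)
```

Because the script exits non-zero on any violation, a Jenkins `sh` step running it fails the build without further Groovy branching; thresholds can be passed in from the pipeline rather than hard-coded if different images need different policies.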

Requirements

  • Jenkins with the Kubernetes plugin to run slave containers
  • CoreOS Clair running in Kubernetes under the same DNS name as configured in clairctl.yml
  • CLAIRCTL_REGISTRY set at the beginning of the Jenkins build. This is the name of the Docker image repository that was built in the same Jenkins build.