技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

admin
admin
admin
102620
文章
87
评论
2024年2月9日13:57:16评论7 views字数 4037阅读13分27秒阅读模式

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

插播

OpenSCA-cli 现支持通过 homebrew 以及 winget 安装:

Mac/Linux 

brew install opensca-cli

Windows 

winget install opensca-cli

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理
技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

总有小伙伴问起如何在CI/CD中集成OpenSCA,文档它这不就来啦~

若您解锁了其他OpenSCA的用法,也欢迎向项目组来稿,将经验分享给社区的小伙伴们~

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

Jenkins

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

在 Jenkins 中集成 OpenSCA,需要在 Jenkins 构建机器中安装 OpenSCA-cli。OpenSCA-cli 支持主流的操作系统,包括 Windows、Linux、MacOS,亦可通过 Docker 镜像运行。

Freestyle Project

对于自由风格的项目,可以通过在构建步骤中添加 Execute shellExecute Windows batch command 来执行 OpenSCA-cli。

以 Execute shell 为例:

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理
# install opensca-clicurl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh# export opensca-cli to PATHexport PATH=/var/jenkins_home/.config/opensca-cli:$PATH# run opensca scan and generate reports(replace {put_your_token_here} with your token)opensca-cli -path $WORKSPACE -token {put_your_token_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json

* install.sh 会默认将 OpenSCA 安装在用户家目录 .config 目录下,请根据实际情况调整 PATH 环境变量或使用绝对路径。

Pipeline Project

对于流水线项目,可以通过在流水线脚本中添加 shbat 来执行 OpenSCA-cli。以 sh 为例

pipeline {    agent any    stages {        stage('Build') {            steps {                // Get some code from a GitHub repository                // build it, test it, and archive the binaries.            }        }        stage('Security Scan') {            steps {                // install opensca-cli                sh "curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh"                // run opensca scan and generate reports(replace {put_your_token_here} with your token)                sh "/var/jenkins_home/.config/opensca-cli/opensca-cli -path $WORKSPACE -token {put_your_token_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json"            }        }    }    post {        always {            // do something post build        }    }}

(可选) 添加构建后动作

在 Jenkins 中,可以通过 Post-build Actions 来实现保存制品、报告等操作,例如可以通过 Publish HTML reports 插件来保存并展示 OpenSCA-cli 生成的 HTML 报告。

*请注意,OpenSCA 生成的 HTML 报告需启用 JavaScript 才能正常显示。这需要修改 Jenkins 的安全策略,具体操作请参考 Jenkins 官方文档。这可能会导致 Jenkins 的安全性降低,因此请谨慎操作。

修改 Jenkins CSP

在 Jenkins 的 Manage Jenkins -> Script Console 中执行以下脚本:

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")

执行完成后,需重启 Jenkins 服务。

确保您已经安装了 Publish HTML reports 插件,然后在 Jenkins 项目的 Post-build Actions 中添加 Publish HTML reports

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

成功构建后,在 Jenkins Job 的 Dashboard 中,即可看到 OpenSCA-cli 生成的 HTML 报告

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

Pipeline Script 示例

post {    always {        // do something post build        publishHTML(            [                allowMissing: false,                alwaysLinkToLastBuild: true,                keepAll: true,                reportDir: 'results',                reportFiles: 'result.html',                reportName: 'OpenSCA Report',                reportTitles: 'OpenSCA Report',                useWrapperFileDirectly: true            ]        )    }}
技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

GitLab CI

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

在 GitLab CI 中集成 OpenSCA,需要在 GitLab Runner 中安装 OpenSCA-cli。OpenSCA-cli 支持主流的操作系统,包括 Windows、Linux、MacOS,亦可通过 Docker 镜像运行。

security-test-job:    stage: test    script:        - echo "do opensca scan..."        - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh        - /root/.config/opensca-cli/opensca-cli -path $CI_PROJECT_DIR -token {put_your_token_here} -out $CI_PROJECT_DIR/results/result.html,$CI_PROJECT_DIR/results/result.dsdx.json    artifacts:      paths:        - results/      untracked: false      when: on_success      expire_in: 30 days

完整示例

stages:  - build  - test  - deploybuild-job:  stage: build  script:    - echo "Compiling the code..."    - echo "Compile complete."unit-test-job:  stage: test  script:    - echo "do unit test..."    - sleep 10    - echo "Code coverage is 90%"lint-test-job:  stage: test  script:    - echo "do lint test..."    - sleep 10    - echo "No lint issues found."security-test-job:    stage: test    script:        - echo "do opensca scan..."        - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh        - /root/.config/opensca-cli/opensca-cli -path $CI_PROJECT_DIR -token {put_your_token_here} -out $CI_PROJECT_DIR/results/result.html,$CI_PROJECT_DIR/results/result.dsdx.json    artifacts:      paths:        - results/      untracked: false      when: on_success      expire_in: 30 daysdeploy-job:  stage: deploy  environment: production  script:    - echo "Deploying application..."    - echo "Application successfully deployed."

感谢每一位开源社区成员对OpenSCA的支持和贡献。OpenSCA的代码会在GitHub和Gitee持续迭代,欢迎Star和Fork,也欢迎向我们提交ISSUE和PR,参与我们的开源安全共建计划,与社区成员共同建设充满可能性的开源解决方案。

GitHub:

https://github.com/XmirrorSecurity/OpenSCA-cli/releases

Gitee:

https://gitee.com/XmirrorSecurity/OpenSCA-cli/releases

OpenSCA官网:

https://opensca.xmirror.cn/

技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

原文始发于微信公众号(悬镜安全):技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理

  • 左青龙
  • 微信扫一扫
  • weinxin
  • 右白虎
  • 微信扫一扫
  • weinxin
admin
  • 本文由 发表于 2024年2月9日13:57:16
  • 转载请保留本文链接(CN-SEC中文网:感谢原作者辛苦付出):
                   技术文档 | 在Jenkins及GitlabCI中集成OpenSCA,轻松实现CI/CD开源风险治理http://cn-sec.com/archives/2447923.html

发表评论

匿名网友 填写信息