Security Center integrates with Jenkins to scan container images automatically during each build. Install the sas-jenkins-plugin plug-in, then configure a Jenkinsfile to trigger image scanning when your pipeline runs.
Jenkins version requirements
Make sure you are using Jenkins 1.625.3 or later.
Download the CI/CD plug-in
-
Log on to the Security Center console. In the top navigation bar, select the region of the asset you want to manage. You can select Chinese Mainland or Outside Chinese Mainland.
-
In the left-side navigation pane, choose Protection Configuration > Container Protection > CI/CD Integration Settings.
-
Click Integration Configuration.
-
In the Integration Configuration panel, click Download Plug-in in the upper-right corner.
The plug-in file (sas-jenkins-plugin) downloads to your computer in HPI format.
Install the CI/CD plug-in on Jenkins
This example uses the Jenkins 2.479.1 interface.
-
Log on to Jenkins.
-
In the left-side navigation pane, click Manage Jenkins.
-
On the Manage Jenkins page, click Plugins.
-
On the Plugins page, click the Advanced settings tab.
-
In the Deploy Plugin section, click Choose File and select the
sas-jenkins-pluginHPI file downloaded earlier. -
Click Deploy.
-
Restart Jenkins.
ImportantThe sas-jenkins-plugin plug-in takes effect only after Jenkins restarts. You can select the Restart Jenkins when installation is complete and no jobs are running checkbox to allow Jenkins to restart automatically when idle.
Configure image scanning
Log on to Jenkins.
Find the Pipeline project whose images you want to scan and click the project name.
In the left-side navigation pane, click Configure.
In the Pipeline section, configure the Security Center CI/CD plug-in integration with your Jenkins Pipeline.
The following Jenkinsfile syntax examples are provided for scripted and declarative pipelines. Choose one based on your needs.
Scripted Pipeline
node { sas(accessKeyId: '$AK', accessKeySecret: '$SK', token: '$TOKEN', imageId: '$IMAGE', domain: '$DOMAIN', registryUrl: '$REGISTRY_URL', registryUsername: '$REGISTRY_USERNAME', registryPwd: '$REGISTRY_PWD') }Declarative Pipeline
pipeline { agent any environment { ACCESS_KEY_ID = '$AK' ACCESS_KEY_SECRET = '$SK' IMAGE_ID = '$IMAGE' TOKEN = '$TOKEN' DOMAIN = '$DOMAIN' REGISTRY_URL = null REGISTRY_USERNAME = null REGISTRY_PWD = null } stages { stage('Build') { steps { sas(accessKeyId: env.ACCESS_KEY_ID, accessKeySecret: env.ACCESS_KEY_SECRET, imageId: env.IMAGE_ID, token: env.TOKEN, domain: env.DOMAIN, registryUrl: env.REGISTRY_URL, registryUsername: env.REGISTRY_USERNAME, registryPwd: env.REGISTRY_PWD) } } } }
Click Save.
After the integration is configured, Security Center runs an image security scan task each time you build the project, scanning your project images for security risks. The build console output displays Step.1 Image security scan started (loading the scanner image) followed by Step.2 Security scan in progress (analyzing the target image), indicating that the image security scan task is running.
What's next
View image scanning results on the Container tab of the Assets page in the Security Center console. For more information, see View image scan results.