The Rapid7 InsightVM Container Image Scanner is a Jenkins plugin that provides a mechanism for scanning Docker containers with InsightVM. This enables teams to perform vulnerability assessment for containers as an integral part of their CI/CD workflow. Container assessment plugin results are available both through Jenkins and the Builds tab of InsightVM's "Containers" screen.
- Configure custom rules for compliant container images
- Trigger build actions based on compliance to your rules
- Generate an assessment report
- Rapid7 Platform API Key
- Installation of plugin in the user's Jenkins instance with administrative privileges
Follow these steps to configure the Rapid7 Insight platform API key:
- Login to Jenkins and navigate to the Manage Jenkins page
- Click Configure System
- Scroll to the "Rapid7 InsightVM Container Assessment" section
- In the "InsightVM Region" field, select the region that InsightVM uses to access the platform
- In the "Insight Platform API Key" field, click Add. In the dropdown menu, select "Jenkins" to configure the Insight platform API key that you generated earlier
The plugin can be installed via the Jenkins Update Center as follows:
- Navigate to Manage Jenkins > Manage Plugins
- In the "Filter" box, search for "InsightVM"
- Under the Available tab, select the checkbox for the InsightVM Container Image Scanner
- Click the desired install button
After configuring the Rapid7 Insight platform API key, follow these steps to configure the plugin:
- In the Rapid7 InsightVM Container Assessment form, complete the following fields:
  - In the "Domain" field, select "Global credentials (unrestricted)"
  - In the "Kind" field, select "Secret text"
  - In the "Scope" field, select "Global (Jenkins, nodes, items, all child items, etc)"
  - In the "Secret" field, enter your API key
  - Leave the "ID" field blank
  - Enter a description for your reference
- Click Add
- Select your newly configured credential from the dropdown menu
- Click Save to complete your plugin configuration
The plugin supports two different Jenkins build methods.
"Freestyle" is the classic job builder. Build steps can be added or removed via the user interface:
- In a new or existing job, click Add build step
- Select Assess Container Image with Rapid7 InsightVM. This will add a build step with a blank configuration
- Configure the items under "Options" as desired
- Click Add under the respective "Rules" section to configure the conditions that will trigger a build action. Two rule types are available:
  - "Threshold Rules" - Sets a numeric limit. Values that exceed this limit will trigger the build action
  - "Name Rules" - Matches text using the "contains" operator. A match will trigger the build action
- Click Save when finished
The "Pipeline" method involves generating build step scripts from the plugin and adding them to the existing Pipeline script:
- In a new or existing job, browse to the "Pipeline" section
- Click Pipeline Syntax below the "Script" field
- Open the dropdown next to "Sample Step" and select "assessContainerImage: Assess Container Image with Rapid7 InsightVM"
- Configure your build options and rules in the same manner as before
- Click Generate Pipeline Script when finished
- Add your new step script to the existing Pipeline script
- Click Save when finished
Note: Threshold rules must be unique per type. For example, you cannot have two rules for Critical Vulnerabilities. Only one instance of the rule will be applied.
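As an added illustration (not taken from the plugin's own documentation), the following scripted Pipeline shows where a generated `assessContainerImage` step fits: the image is built first, then assessed with one threshold rule and one name rule. The parameter names (`imageId`, `thresholdRules`, `nameRules`, `criticalVulnerabilities`, `vulnerablePackageName`, `action`, `threshold`, `contains`) and the image name are assumptions; always take the exact step text from the Pipeline Syntax generator described above.

```groovy
// Added example Jenkinsfile (scripted Pipeline). Step parameter names are
// assumptions; generate the real step text with "Pipeline Syntax" in Jenkins.
node {
    def image

    stage('Build') {
        // Constructed image name; any tag unique to the build works.
        image = docker.build("example/app:${env.BUILD_NUMBER}")
    }

    stage('Assess with InsightVM') {
        // One threshold rule and one name rule. Threshold rules must be unique
        // per type (only one Critical Vulnerabilities rule is applied).
        assessContainerImage failOnPluginError: true,
            imageId: image.id,
            thresholdRules: [
                // Fail the build once more than 0 critical vulnerabilities are found.
                criticalVulnerabilities(action: 'Fail', threshold: '0')
            ],
            nameRules: [
                // Mark the build unstable if a vulnerable package name contains "openssl".
                vulnerablePackageName(action: 'Mark Unstable', contains: 'openssl')
            ]
    }

    stage('Push') {
        // Only reached when the assessment stage did not fail the build.
        image.push()
    }
}
```

Keep `failOnPluginError` enabled so that a scanner error (for example, an invalid API key) does not let an unassessed image pass silently.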
This plugin does not contain any troubleshooting information.
- 1.0.6 - Updated docker-image-analyzer to 0.1.8, which fixed an Out Of Memory issue when parsing large files
- 1.0.5 - Updated docker-image-analyzer to 0.1.6, which fixed a regression in parsing lsb-release files
- 1.0.4 - Updated docker-image-analyzer to 0.1.5. Improved fingerprint results for some Linux distributions
- 1.0.3 - Initial release to Jenkins plugin repository