Get Started with Qualys Container Scanning Connector for Jenkins

Version 1.7

Welcome to Qualys Container Security! We help you get acquainted with the Qualys solutions for securing your Container environments, including Images, Containers, and Docker Hosts, using the Qualys Cloud Security Platform.

This document provides information about using the Qualys Container Scanning Connector for Jenkins.

Container Security Overview

Qualys Container Security provides discovery, tracking, and continuous protection of container environments. It addresses vulnerability management for images and containers in their DevOps pipeline and deployments across cloud and on-premise environments.

With this version, Qualys Container Security supports

  • Discovery, inventory, and near-real-time tracking of container environments
  • Vulnerability analysis for images and containers
  • Vulnerability analysis for registries
  • Integration with CI/CD pipeline using APIs (DevOps flow)
  • A new ‘Container Sensor’ providing native container support, distributed as a container image

Upon installation, the sensor automatically discovers Images and Containers on the deployed host, provides a vulnerability analysis of them, and monitors and reports on docker-related events on the host. The Container Security Jenkins plugin also supports monitoring and reporting on Containerd events. The sensor lists and scans registries for vulnerable images. The sensor container runs in non-privileged mode. It requires persistent storage for storing and caching files.

Currently, the sensor only scans Images and Containers. To get a vulnerability posture on the Host, you need Qualys Cloud Agents or a scan through Qualys Virtual Scanner Appliance.

What data does Container Security collect?

The Qualys Container Security sensor fetches the following information about Images and Containers in your environment:

  • Inventory images and containers in your environment using commands such as docker ps that list all containers.
  • Metadata information about Images and Containers from commands such as docker inspect and docker info, which fetch low-level information on docker objects.
  • Event information about Images and Containers from the docker host for docker events like created, started, killed, push, pull, and many others.
  • Vulnerabilities found on Images and Containers. This is the output of the vulnerability management manifests run to identify vulnerability information in Images and Containers. It primarily includes software package listings, services running, ports, and many more.
  • For example, package manager outputs like rpm -qa and npm are supported across various Linux distributions (CentOS, Ubuntu, CoreOS, and many more) and images like Python, NodeJS, Ruby, and so on.

About the Container Scanning Connector

Qualys Container Security provides a plugin for Jenkins to get the security posture for the container images built via the tool. The plugin can be configured to fail or pass the container image builds based on the vulnerabilities detected.

Pre-requisites

The following pre-requisites must be met to configure Qualys Container Scanning Connector for Jenkins:

  • A valid Qualys subscription with the Container Security application activated.
  • Access to Qualys Container Security application API endpoint from your build host.
  • Requires the container sensor for the CI/CD environment to be installed on the Jenkins build host. Refer to Qualys Container Security Sensor Deployment Guide for instructions on installing the container cicd sensor. You must pass the following parameter while deploying the sensor for the CI/CD environment: --cicd-deployed-sensor or -c.
  • An Internet connection is required for the agent to connect to the Qualys Cloud Platform. If the agent is running behind a proxy, install a sensor with the proxy option.
  • The Jenkins controller and agent nodes should have an open connection to the Qualys Cloud Platform to get data from the Qualys Cloud Platform for vulnerability reporting.
  • The Jenkins plugin automatically tags images built out of the CI/CD pipeline with the tag qualys_scan_target:<image-sha> to mark them for scanning, and only those images are scanned for vulnerabilities. Once the scanning is over, Qualys Container Sensor removes the tag. However, if an image has no tag applied to it other than qualys_scan_target:<image-sha>, the sensor retains the tag to avoid removing the image from the host.
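The tag-retention rule in the last bullet is worth seeing on real docker output, because it explains why a qualys_scan_target tag can legitimately remain on a build host. The script below is an added example written for this guide, not Qualys sensor or plugin code: it reads lines in the form produced by docker images --format "{{.ID}} {{.Repository}}:{{.Tag}}" and reports, for every image carrying a scan tag, whether the sensor's rule would remove the tag (another tag exists) or retain it (the scan tag is the image's only tag). The image IDs and repository names in the sample are constructed.

```shell
#!/bin/sh
# Added example (not Qualys code): apply the documented qualys_scan_target
# cleanup rule to `docker images` output so an operator can see which scan
# tags are expected to disappear after a scan and which will stay.

# Constructed sample of `docker images --format '{{.ID}} {{.Repository}}:{{.Tag}}'`
# output. IDs and repositories are made up for this example.
SAMPLE_IMAGES='a1b2c3d4e5f6 myapp:1.4.2
a1b2c3d4e5f6 qualys_scan_target:a1b2c3d4e5f6
0f0e0d0c0b0a qualys_scan_target:0f0e0d0c0b0a
99887766aabb nginx:1.25
99887766aabb <none>:<none>'

# classify_scan_targets reads "ID repo:tag" lines on stdin and prints one
# line per image that carries a qualys_scan_target tag:
#   REMOVE <id>  another tag exists, so the sensor may drop the scan tag
#   RETAIN <id>  the scan tag is the only tag; dropping it would leave the
#                image untagged (dangling), so the sensor keeps the tag
classify_scan_targets() {
  awk '
    {
      id = $1; ref = $2
      if (ref ~ /^qualys_scan_target:/) {
        scan[id] = 1
      } else if (ref != "<none>:<none>") {
        # <none>:<none> is how docker prints an untagged image; it is not a tag
        other[id] = 1
      }
    }
    END {
      for (id in scan) {
        verdict = (id in other) ? "REMOVE" : "RETAIN"
        print verdict, id
      }
    }
  ' | sort
}

# On a real build host, feed live data instead of the sample:
#   docker images --format "{{.ID}} {{.Repository}}:{{.Tag}}" | classify_scan_targets
printf '%s\n' "$SAMPLE_IMAGES" | classify_scan_targets
```

A RETAIN line on a build host is normal when the pipeline pushed an image to a registry without giving it a local tag; a REMOVE line that persists after the scan has finished suggests the sensor never picked the image up, which is the first thing to check when scan results are missing.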

Recommended Setup for Controller-Agent Deployment

Container Scanning Connector should be deployed on the Jenkins controller. Qualys Container Security Sensor should be installed where the docker daemon is running. If the docker daemon is running on the Jenkins agent, install the Sensor on the Jenkins agent. If the docker daemon runs on a remote host, install the Sensor on that remote host.

The following figure shows the docker daemon running on the Jenkins agent.


The following figure shows the docker daemon running on a remote host.

The plugin checks whether the sensor container is running on the host and whether it was installed in CI/CD mode.

For the ContainerD scan to run in clustered environments, the Container Security Sensor and the Jenkins Controller should be installed in the CI/CD mode per the instructions. The Container Security Connector v1.7.x can be installed as a plugin on Jenkins, which supports the image scan for both Dockerd and Containerd.

Quick Start Steps

Follow these steps to get started with Container Scanning Connector for Jenkins:

  1. Install the Plugin
  2. Upgrade the Plugin
  3. Scan CI/CD Images
  4. Use the Plugin

Additional Resources