jenkins/sap-jenkins-library
1
0
Fork 0
mirror of https://github.com/SAP/jenkins-library.git synced 2025-03-31 22:05:11 +02:00
Code Issues Releases Activity
sap-jenkins-library/documentation/docs/steps/protecodeExecuteScan.md
Niklas Albers 8c5986bbfa
Improve documentation for protecodeExecuteScan (#3076) 
* Improve documentation for protecodeExecuteScan

protecodeExecuteScan expects that the docker config file is named
'config.json'.

The dockerConfigJSON parameter is used by protecodeExecuteScan to
retrieve the directory only (for environment variable DOCKER_CONFIG).

* Also improve documentation that is generated

* No relative references in generated documentation.

* Less complex documentation

* Remove irrelevant empty line

* Improvements after review

* Add blank line after code block

* Handle registry URL example as code

Markdown format checker does not like raw URLs.

Co-authored-by: Sven Merk <33895725+nevskrem@users.noreply.github.com>
2021-09-01 10:57:21 +02:00

44 lines
1.9 KiB
Markdown
Raw Blame History

# ${docGenStepName}
## ${docGenDescription}
## Prerequisites
1. Create a Username / Password credential with the Protecode user in your Jenkins credential store
1. Look up your Group ID using REST API via `curl -u <username> "https://<protecode host>/api/groups/"`.
If the image is on a protected registry you can provide a Docker `config.json` file containing the credential information for the registry.
You can either use `docker login` (see the [Docker documentation](https://docs.docker.com/engine/reference/commandline/login/) for details) or you can create the file manually using the following script.
```shell
#!/bin/bash
auth=$(echo -n "$USER:$PASSWORD" | base64 -w0)
cat <<EOF > config.json
{
"auths": {
"$REGISTRY": {
"auth": "$auth"
}
}
}
EOF
```
`REGISTRY` is the URL of the protected registry (Example: `https://index.docker.io/v1`).
Attention: If you reference the file in --dockerConfigJSON or upload the file to the Jenkins credential store, the file has to be named `config.json`.
## ${docGenParameters}
### Details
* The Protecode scan step is able to send a file addressed via parameter `filePath` to the backend for scanning it for known vulnerabilities.
* Alternatively an HTTP URL can be specified via `fetchUrl`. Protecode will then download the artifact from there and scan it.
* To support docker image scanning please provide `scanImage` with a docker like URL poiting to the image tag within the docker registry being used.
* To receive the result it polls until the job completes.
* Once the job has completed a PDF report is pulled from the backend and archived in the build
* Finally the scan result is being analysed for critical findings with a CVSS v3 score >= 7.0 and if such findings are detected the build is failed based on the configuration setting `failOnSevereVulnerabilities`.
* During the analysis all CVEs which are triaged are ignored and will not provoke the build to fail.
## ${docGenConfiguration}
Reference in New Issue View Git Blame Copy Permalink