- Create a Job
- Add an "Execute shell" build step with the following commands (they download the Kubescape binary into a directory under `$JENKINS_HOME` and make it executable; `mkdir -p` and `curl -f` are added so a missing directory or an HTTP error fails the step instead of leaving a 0-byte or HTML "binary" behind)
```shell
echo Installing Kubescape
BIN_DIR=$JENKINS_HOME/.local/bin
DOWNLOAD_URL="https://github.com/armosec/kubescape/releases/latest/download/kubescape-ubuntu-latest"
OUTPUT=$BIN_DIR/kubescape
mkdir -p $BIN_DIR
curl -fL $DOWNLOAD_URL -o $OUTPUT
chmod +x $BIN_DIR/kubescape
```
- Add another "Execute shell" build step that runs the scan against the manifests in the workspace and writes the results as a JUnit report
```shell
$BIN_DIR/kubescape scan framework nsa --format junit --output results.xml *.yaml
```
- Add a "Post-build Action" of type "Publish JUnit test report" and point "Test report XMLs" to `results.xml` (the file written by the scan step)
- Run your job
The results will contain a list of failed controls. If you look into a control you will see the resources that failed it.
If you want to use Kubescape not only for reporting but also as a security gate in your delivery process, you can set a failure threshold.
For example, to require that at least 80% of your objects pass the security checks, invoke the tool with the
-t (compliance threshold) option and the desired percentage:
```shell
$BIN_DIR/kubescape scan framework nsa -t 80 *.yaml
```
Kubescape then exits with a non-zero status when the score falls below 80%, which makes the "Execute shell" step, and therefore the build, fail. The threshold is on the overall score, not on individual controls, so a single critical finding can still pass if the rest of the manifests are clean; review the published report rather than relying on the gate alone.
In some cases you will want to scan your entire cluster after you have applied the new YAML.
Note that in this case the CI/CD worker needs access to the target Kubernetes cluster, i.e. a kubeconfig (and the RBAC permissions it carries) that Kubescape can use to list the cluster's resources.
Follow the same instructions as for scanning a YAML file,
but replace the scan step with the following command. No file arguments are given, so Kubescape scans the live cluster instead of local manifests; `--exclude-namespaces` keeps the control-plane namespaces out of the result:
```shell
$BIN_DIR/kubescape scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results.xml
```
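The same procedure as a declarative Jenkinsfile, combining the install step, the manifest scan with the threshold gate, the optional cluster scan and the JUnit publishing. This is an added example and not code from the Kubescape project or from this page; it assumes the Jenkins JUnit plugin is installed, that the agent can reach GitHub, and, for the cluster stage, that a kubeconfig is stored in Jenkins as a file credential with the hypothetical id `k8s-kubeconfig`.

```groovy
// Added example (not from the Kubescape project): declarative pipeline version of
// the freestyle steps above. Assumptions: JUnit plugin installed; agent has network
// access to GitHub; a kubeconfig file credential with the hypothetical id 'k8s-kubeconfig'.
pipeline {
    agent any

    parameters {
        string(name: 'THRESHOLD', defaultValue: '80',
               description: 'Minimum compliance score (%) required for the build to pass')
        booleanParam(name: 'SCAN_CLUSTER', defaultValue: false,
                     description: 'Also scan the live cluster after the manifest scan')
    }

    environment {
        BIN_DIR      = "${env.JENKINS_HOME}/.local/bin"
        DOWNLOAD_URL = 'https://github.com/armosec/kubescape/releases/latest/download/kubescape-ubuntu-latest'
    }

    stages {
        stage('Install Kubescape') {
            steps {
                // Single-quoted Groovy string: $BIN_DIR etc. are expanded by the shell, not by Groovy.
                sh '''
                    set -eu
                    mkdir -p "$BIN_DIR"
                    # curl -f turns an HTTP error (e.g. a renamed release asset) into a failed
                    # step instead of silently saving an HTML page as the "binary".
                    if [ ! -x "$BIN_DIR/kubescape" ]; then
                        curl -fsSL "$DOWNLOAD_URL" -o "$BIN_DIR/kubescape"
                        chmod +x "$BIN_DIR/kubescape"
                    fi
                    "$BIN_DIR/kubescape" version
                '''
            }
        }

        stage('Scan manifests') {
            steps {
                // -t makes kubescape exit non-zero when the score is below the threshold,
                // which fails this stage. The JUnit file is written before the exit code
                // is returned, so the failed controls are still published in post{}.
                sh '''
                    set -eu
                    "$BIN_DIR/kubescape" scan framework nsa --format junit --output results-manifests.xml -t "$THRESHOLD" *.yaml
                '''
            }
        }

        stage('Scan cluster') {
            when { expression { params.SCAN_CLUSTER } }
            steps {
                // KUBECONFIG is only set inside this block, so the cluster credential is
                // not visible to the other stages.
                withCredentials([file(credentialsId: 'k8s-kubeconfig', variable: 'KUBECONFIG')]) {
                    sh '''
                        set -eu
                        "$BIN_DIR/kubescape" scan framework nsa --exclude-namespaces kube-system,kube-public --format junit --output results-cluster.xml -t "$THRESHOLD"
                    '''
                }
            }
        }
    }

    post {
        // Publish whichever reports exist even when a scan stage failed the gate,
        // so the failing resources are visible in the Jenkins test report UI.
        always {
            junit allowEmptyResults: true, testResults: 'results-*.xml'
        }
    }
}
```

The gate works the same way as in the freestyle job: Kubescape's non-zero exit status fails the `sh` step. Publishing in `post { always { ... } }` rather than as a later stage matters, because a later stage would be skipped once the scan stage fails and the report you most need would never reach the UI.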