Integrating with Jenkins CI/CD

Use Jenkins Jobs to scan your YAML files for misconfigurations with Kubescape. Scan results are included as part of your Jenkins workflow.

Add scanning YAML files to your workflow

In Jenkins create a Job.
Add an execute shell build step to download and install Kubescape.

echo Installing Kubescape

BIN_DIR=$JENKINS_HOME/.local/bin

DOWNLOAD_URL="https://github.com/kubescape/kubescape/releases/latest/download/kubescape-ubuntu-latest"
OUTPUT=$BIN_DIR/kubescape
curl -L $DOWNLOAD_URL -o $OUTPUT

chmod +x $BIN_DIR/kubescape

Add another build step to run a scan against any YAML file and format the output.

$BIN_DIR/kubescape scan --format junit --output results.xml *.yaml

Add a Post-build Action of type Publish JUnit test report.
Point Test report XMLs to *results.xml.
Run your job.

The results contain a list of failed controls. If you check the Status page, you can see the resources that failed.

For more information about Jenkins , refer to the Jenkins documentation.
For more information about Kubescape commands, refer to the Kubescape documentation.

Fail the job if there are too many security misconfigurations

If you want to use Kubescape as a security gate in your delivery process, you can set up a failure threshold.

For example, if you want to make sure that at least 80% of your objects pass the security checks, add -t 80 in the scan step, (step 3).

$BIN_DIR/kubescape scan -t 80 --format junit --output results.xml *.yaml

When you add a threshold, the job passes only when 80% or more security checks pass. If less than 80% pass, the job fails.

Scan your entire cluster in your workflow

If you want to scan your entire cluster after applying a new YAML, the CI/CD worker must be able to access the target Kubernetes cluster.

Add a cluster scan

When you create the job to scan your cluster, replace the scan step, (step 3), with the following:

$BIN_DIR/kubescape scan --exclude-namespaces kube-system,kube-public --format junit --output results.xml .