 |
VOOZH | about |
|
VOOZH | about |
We’re so glad you’re here. You can expect all the best TNS content to arrive Monday through Friday to keep you on top of the news and at the top of your game.
Check your inbox for a confirmation email where you can adjust your preferences and even join additional groups.
Follow TNS on your favorite social media networks.
Become a TNS follower on LinkedIn.
Check out the latest featured and trending stories while you wait for your first TNS newsletter.
Since the U.S. White House released its Cybersecurity Executive Order earlier this year, calling on government agencies to improve their security, it’s become quite apparent that supply chain security is of paramount importance. One of the main reasons for this is because we’ve seen, over the past year, a number of instances where supply chains have been attacked. This has led to a major crackdown on insecurities across the board.
One way to aid in this attempt is supplying what is called a Software Bill of Materials (SBOM). I recently wrote a tutorial on how to generate an SBOM using a command-line tool called Syft.
For some, the command line is a perfect tool for such a task. It’s efficient, it’s simple, it’s effective. For others, however, a web-based or GUI solution is necessary. Fortunately, cloud native developers are swift to react, and because they already have a majority of the pieces in place, a solution for this was very quick to present itself. Said solution involves a combination of Syft, the Grype vulnerability tool, and CloudBees‘ CI/CD software Jenkins. With these three tools, you can generate an SBOM from a git repository in seconds… all from within the web-based Jenkins, a tool many cloud native developers already know.
So how is this done? Let me show you.
To make this quick and painless, we’re going to do all of the installations with the help of Docker. So the first thing we must do is install Docker. I’ll be demonstrating on Ubuntu Server 20.04, so if you’re using a different Linux distribution, make sure to alter the instructions as needed.
To install Docker on Ubuntu Server, log in and issue the command:
sudo apt-get install docker.io -y
When the installation completes, start and enable the Docker service with:
sudo systemctl enable docker
sudo systemctl start docker
Finally, add your user to the docker group with:
sudo usermod -aG docker $USER
Log out and log back in for the changes to take effect.
Next, we’ll deploy Jenkins as a Docker container with the command:
docker run -u root -d --name jenkins --rm -p 8080:8080 -p 50000:50000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/jenkins-data:/var/jenkins_home jenkinsci/blueocean
Give the container a moment to start up. As it’s starting, you’ll want to locate the first four digits of the Jenkins container name with the command:
docker ps -a
With those four digits in hand, view the Jenkins logs with:
docker logs ID
Where ID is the ID of the Jenkins container. In the output of that log file, you should see a long string of characters under Jenkins initial setup is required (Figure 1).
Figure 1: The output of the docker logs command shows the initial admin password.
Open a browser and point it to http://SERVER:8080 (where SERVER is the IP address of your server). You will be presented with a window that requires the initial admin password (Figure 2).
Once you’ve pasted the password, click Continue.
In the next window (Figure 3), click Install suggested plugins.
Figure 3: Installing all of the suggested plugins for Jenkins is just a click away.
It’ll take some time for the plugin installation to complete. When it does, you’ll be presented with a window that allows you to create a new admin user (Figure 4).
Enter the details for your admin user and click Save and Continue.
When that process completes, install both Syft and Gype by heading back to the terminal window and issuing the following two commands:
docker exec jenkins bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin'
docker exec jenkins bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin'
You’re now ready to generate your first SBOM.
Log into Jenkins with your new admin user credentials. On the main window (Figure 5), click New Item in the left navigation.
Figure 5: The Jenkins sidebar is where you manage all of your builds.
In the resulting window (Figure 6), name the new item syft-sbom-demo, click Pipeline, and then click OK.
In the Pipeline configuration window, select the following options:
From the Credentials drop-down, select Jenkins, and then, in the resulting popup (Figure 7), fill out your GitHub credentials as needed.
When you complete the credential configuration, click Add.
Click save and then click Build Now.
The build will clone an alpine base image, call Syft, and generate the SBOM. You can then view the SBOM by clicking #1 in the build history (because this is your first build) and then clicking Console Output. Scroll down until you see the SBOM (Figure 8).
And that’s all there is to using Jenkins and Syft to generate a Software Bill of Materials for your GitHub-hosted project. This demo should give you the means to generate SBOMs for all of your cloud native GitHub projects that depend on container images. It might take some extra elbow grease to get your projects working (as opposed to the demo), but now that you know how it functions, you should be able to integrate with your own workflow.
