CI/CD Integration Protection
Container Protection integrates Jenkins to offer image protection using CVE (Common Vulnerability and Exposure) index. Each image generated by Jenkins is reviewed and scanned for vulnerability against the CVE index. And only the images with vulnerability below the pre-configured threshold will be uploaded to the Kubernetes registry.
Prerequisite
CI/CD integration requires Jenkins to be setup with Container Protection. Follow the instructions in the following to setup Jenkins with Container Protection:
CI/CD Integration Page
After you have configured Jenkins with Container Protection, each image generated by Jenkins project will be reviewed and scanned for vulnerability using CVE index. The scanned result can be viewed in FortiView > CI/CD Integration.
Notice the image build names on CI\CD Integration page matches the image names generated on Jenkins under the same project.
When you click on image build names in CI\CD Integration page, it will show you the block status, vulnerability, and risk score.
Risk Score | Risk score is determined using the vulnerabilities detected from the build images. |
Vulnerability | Vulnerability is sourced from CVE (Common Vulnerability and Exposure) index and is used to discover vulnerability of the build image. |
Block Status | A "Block " status means that image was blocked by Container Protection to be uploaded to the Kubernetes registry due to the vulnerabilities detected. A "Pass " status means the image generated by Jenkins is under the vulnerability threshold and has been uploaded to the Kubernetes registry. |
The Vulnerability distribution line chart has 4 severity levels, the following table explains the representation of the severity level by color:
Color |
Vulnerability Severity Level |
---|---|
Critical severity level vulnerability | |
High severity level vulnerability | |
Medium severity level vulnerability | |
Low severity level vulnerability |
For example,the generated image "redis" above has 9 vulnerability in critical servility level, 34 in high severity level, 95 in medium severity level and 20 in low severity level. It received an overall risk score of 16. The reason the image is blocked and prevented to be deployed is because the policy configuration of the project. When you looked at the policy details of "forticontainer_demo_policy_1", the image will be blocked if there is more than 1 medium severity level vulnerability. You can adjust the policy configuration following the guide in Add Policy to CI/CD Integration.
Vulnerability View
When clicking on the image detail button from CI/CD Integration Project page, then Image Details page will show all the CVE vulnerability.
All the vulnerabilities discovered from the project will be displayed in Image Detail page.
Click on More CVE Info to show the particular vulnerability details:
For full description on the vulnerability, click on More Info, and you will be re-directed to the details provided by National Vulnerability Database (NVD). For more details on National Vulenrability Database, please visist https://nvd.nist.gov/vuln.
Layers View
Click on the Layers tab on the same Image Detail page, then Layers View will be shown.
Layers View contains the image core layers that were reviewed and scanned for vulnerability, click on each layer for detail.