Since the U.S. White House released its Cybersecurity Executive Order earlier this year, calling on government agencies to improve their security, it’s become quite apparent that supply chain security is of paramount importance. One of the main reasons for this is because we’ve seen, over the past year, a number of instances where supply chains have been attacked. This has led to a major crackdown on insecurities across the board.
For some, the command line is a perfect tool for such a task. It’s efficient, it’s simple, it’s effective. For others, however, a web-based or GUI solution is necessary. Fortunately, cloud native developers are swift to react, and because they already have a majority of the pieces in place, a solution for this was very quick to present itself. Said solution involves a combination of Syft, the Grype vulnerability tool, and CloudBees‘ CI/CD software Jenkins. With these three tools, you can generate an SBOM from a git repository in seconds… all from within the web-based Jenkins, a tool many cloud native developers already know.
So how is this done? Let me show you.
To make this quick and painless, we’re going to do all of the installations with the help of Docker. So the first thing we must do is install Docker. I’ll be demonstrating on Ubuntu Server 20.04, so if you’re using a different Linux distribution, make sure to alter the instructions as needed.
To install Docker on Ubuntu Server, log in and issue the command:
sudo apt-get install docker.io -y
When the installation completes, start and enable the Docker service with:
sudo systemctl enable docker
sudo systemctl start docker
Finally, add your user to the docker group with:
sudo usermod -aG docker $USER
Log out and log back in for the changes to take effect.
How to deploy Jenkins via Docker
Next, we’ll deploy Jenkins as a Docker container with the command:
docker run -u root -d --name jenkins --rm -p 8080:8080 -p 50000:50000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/jenkins-data:/var/jenkins_home jenkinsci/blueocean
Give the container a moment to start up. As it’s starting, you’ll want to locate the first four digits of the Jenkins container name with the command:
docker ps -a
With those four digits in hand, view the Jenkins logs with:
docker logs ID
Where ID is the ID of the Jenkins container. In the output of that log file, you should see a long string of characters under Jenkins initial setup is required (Figure 1).
Open a browser and point it to http://SERVER:8080 (where SERVER is the IP address of your server). You will be presented with a window that requires the initial admin password (Figure 2).
Once you’ve pasted the password, click Continue.
In the next window (Figure 3), click Install suggested plugins.
It’ll take some time for the plugin installation to complete. When it does, you’ll be presented with a window that allows you to create a new admin user (Figure 4).
Enter the details for your admin user and click Save and Continue.
Install Syft and Grype
When that process completes, install both Syft and Gype by heading back to the terminal window and issuing the following two commands:
docker exec jenkins bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin'
docker exec jenkins bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin'
You’re now ready to generate your first SBOM.
Generating an SBOM
Log into Jenkins with your new admin user credentials. On the main window (Figure 5), click New Item in the left navigation.
In the resulting window (Figure 6), name the new item syft-sbom-demo, click Pipeline, and then click OK.
In the Pipeline configuration window, select the following options:
- Definition – Pipeline script from SCM
- SCM – Git
- Repository URL – https://github.com/pvnovarese/syft-sbom-demo (although you can use any GitHub repository for this demo).
From the Credentials drop-down, select Jenkins, and then, in the resulting popup (Figure 7), fill out your GitHub credentials as needed.
When you complete the credential configuration, click Add.
Click save and then click Build Now.
The build will clone an alpine base image, call Syft, and generate the SBOM. You can then view the SBOM by clicking #1 in the build history (because this is your first build) and then clicking Console Output. Scroll down until you see the SBOM (Figure 8).
And that’s all there is to using Jenkins and Syft to generate a Software Bill of Materials for your GitHub-hosted project. This demo should give you the means to generate SBOMs for all of your cloud native GitHub projects that depend on container images. It might take some extra elbow grease to get your projects working (as opposed to the demo), but now that you know how it functions, you should be able to integrate with your own workflow.
The New Stack is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.