Overview

The Aqua Security Scanner plugin for Bamboo scans Docker images built or referenced in Atlassian Bamboo for vulnerabilities and for compliance with Aqua image assurance policies. This topic explains how to install and configure the plugin in Bamboo, add the scan task to a build plan, keep the scan report as a build artifact, and run the build.


Prerequisite

Before you configure the Aqua Security plugin in Bamboo, make sure that the Aqua user the plugin will log in as has the Scanner permission, assigned by your Aqua administrator.


Integrate Aqua Scanner with Bamboo

Integrating the Aqua scanner with Bamboo involves four steps:

  1. Install the Aqua scanner plugin
  2. Configure the Aqua scanner plugin
  3. Add the Aqua scanner task to a Bamboo build plan
  4. Modify artifact outputs


Install the Aqua scanner plugin

To install the Aqua scanner plugin:

  1. Navigate to the Atlassian Marketplace to download the Aqua scanner plugin (Aqua Cloud Native Security Platform for Bamboo Server).
  2. Click Get it now to download the plugin's .jar file (which has a name like aqua-scanner-2.0.21-RELEASE.jar).
  3. In the Bamboo application, from the BAMBOO ADMINISTRATION dropdown at the top right of the page, select Manage apps.
  4. At the right side of the page, click Upload app.
  5. In the Upload app dialog, click Choose File and select the .jar file that you downloaded.
  6. Click Upload.



For more information, refer to the Bamboo documentation, Installing Marketplace apps.

Configure Aqua scanner plugin

After installing the Aqua Security plugin in Bamboo, configure the scanner that the plugin will use to scan images. To configure the Aqua scanner plugin:

  1. From the BAMBOO ADMINISTRATION dropdown at the top right of the page, select Manage apps.
  2. In the left pane, click Aqua Scanner Plugin. The Aqua Scanner Plugin Global Configuration page appears.
  3. Enter values in the following fields and click Save:

  • Aqua Server URL: the URL of the Aqua Server.
  • Aqua User Name: name of the Aqua user that has the Scanner permission.
  • Aqua Password: password of that Aqua user.
  • Aqua Scanner Image: the Aqua scanner image to run, for example aquasec/scanner:6.2.
  • Aqua Additional Docker options: (Optional) additional command line options for the scanner container. For more information, refer to Scan Argument. To authenticate to Aqua with a token instead of a user name and password, pass -e AQUA_TOKEN=a1b2c34..... (where a1b2c34.... is the authentication token). When you use a token, you must also pass the --direct-cc flag in the Extra Aqua scanner additional flags field of the task; see the Add the Aqua Scanner Task to Bamboo build plan section.
  • Do not verify TLS certificates: (Optional) if checked, the plugin does not verify the Aqua Server's TLS certificate while scanning. This is useful in a development environment with self-signed certificates. Do not enable it against a production Aqua Server: the scanner sends the Aqua credentials or token over that connection, and a forged certificate would go undetected.
  • Skip Aqua scans: (Optional) if checked, the plugin skips Aqua image scanning.
  • Don't create Aqua scan result web portal: (Optional) if checked, the plugin does not add the scan report to the job summary, so no web report is created.


Add the Aqua Scanner Task to Bamboo build plan

To scan images in Bamboo, add the Aqua scanner task to a job and configure it to perform the image scan. To add the Aqua scanner task:

  1. In the Bamboo application header, from the Build drop-down menu, select All build plans.
  2. For the required build plan, click the Configure plan button.
  3. In the left pane, click the required job under Stages & jobs.
  4. In the Tasks tab, click Add task. The Task types dialog appears.
  5. Type Aqua Scanner Task in the search box and select it from the results. The Aqua Scanner Task configuration window appears.
  6. Enter a Task description.
  7. In the Aqua Configuration section, select one of the three options:
  • Use Aqua's Global Configuration: use the values entered on the Aqua Scanner Plugin Global Configuration page.
  • Use Custom Aqua Configuration: set a task-specific configuration. The fields are the same as in the Configure Aqua scanner plugin section and are pre-filled with the global values, which you can override for this task.
  • Use Bamboo Global Variables: take the configuration values from Bamboo global variables, which suits plans defined as code (Bamboo Specs in YAML or a programming language) rather than through the UI.

  8. In the Image Information section, select one of the following three options for Scanner Location Type:

  • Local Image: scan an image built by the Bamboo job on the agent. If you select this option, enter values in the following fields:
    • Image Name
    • Container Registry: (Optional) the container registry
    • Policies: the image assurance policies that determine compliance once the image has been scanned. By default, Aqua applies the Default image assurance policy together with all other image assurance policies.
  • Hosted Image: scan an image that is already stored in a Docker registry. If you select this option, enter values in the following fields:
    • Image Name
    • Container Registry: (Optional) the registry, as integrated in Aqua, that holds the image
    • Hide vulnerabilities in the base image: enable this to exclude vulnerabilities that come from the base image this image was built from.
  • Docker-archive: scan an image saved as a .tar file (the format produced by docker save). If you select this option, enter the path in the Tar file path field.

  9. In the Aqua Scanner Additional Options section, enable any of the following options as needed:

  • Show negligible/unknown severity vulnerabilities: include vulnerabilities of negligible or unknown severity in the scan results.
  • Register image in the Aqua Server: register the scanned image in Aqua.
  • Never fail builds: the task returns exit code 0 even when the image fails its image assurance policy. The scan then no longer gates the build, so use this only where the results are acted on elsewhere.
  • Perform the action defined in Aqua's policy: apply the actions defined in the assurance policies. If you select this option, you can optionally enter a shell command to run when the image is not compliant with the image assurance policies.
  • Extra Aqua scanner additional flags: (Optional) additional scanner flags. For example, if --layer vulnerabilities is passed as an additional flag, vulnerabilities are reported for each layer of the image. For the full list of supported flags, refer to Scan Argument. Pass --direct-cc to connect to the CyberCenter directly; this flag is mandatory when Aqua is connected to Bamboo through token-based authentication.

  10. Click Save.
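The global configuration fields and the task options above map onto a single scanner invocation. The following shell script is an added example, not code from the Aqua plugin or its documentation: it builds the equivalent docker run / scannercli command line from the same settings (token or password, TLS verification, local, hosted or docker-archive image, register, never-fail) so the scan can also be run from a plain Bamboo Script task. All variable names are this example's own, and the scannercli flags it emits (-H, -U, -P, --local, --registry, --docker-archive, --direct-cc, --no-verify, --register, --show-negligible, --htmlfile) are the author's understanding of Aqua's CLI and must be confirmed against the Scan Argument reference for your scanner version.

```shell
#!/bin/sh
# Added example; not part of the Aqua plugin or its documentation.
# Builds the scannercli command line matching the plugin's task settings.
# Variable names are this example's own; flag names are assumptions to be
# checked against Aqua's Scan Argument reference for your scanner version.

: "${AQUA_SCANNER_IMAGE:=aquasec/scanner:6.2}"
: "${SCAN_TYPE:=local}"                 # local | hosted | archive
: "${REPORT_FILE:=aqua-scan-report.html}"

# "docker run" options. A token is handed over with a bare "-e AQUA_TOKEN", so
# docker copies the value from the agent's environment and it never appears on
# the command line, in "ps" output, or in the Bamboo build log.
aqua_docker_args() {
  dargs="run --rm -v /var/run/docker.sock:/var/run/docker.sock -v $PWD:/work -w /work"
  [ -n "${AQUA_TOKEN:-}" ] && dargs="$dargs -e AQUA_TOKEN"
  if [ "$SCAN_TYPE" = archive ]; then
    # a docker-archive scan needs the tar file mounted into the scanner container
    [ -n "${TAR_PATH:-}" ] || { echo "TAR_PATH is required" >&2; return 1; }
    dargs="$dargs -v $TAR_PATH:/scan.tar:ro"
  fi
  printf '%s\n' "$dargs"
}

# Arguments that follow "scan". Prints nothing and returns 1 when the settings
# are inconsistent, so the job fails before the scanner is even started.
aqua_scan_args() {
  [ -n "${AQUA_URL:-}" ] || { echo "AQUA_URL is required" >&2; return 1; }
  sargs="-H $AQUA_URL --htmlfile $REPORT_FILE"
  if [ -n "${AQUA_TOKEN:-}" ]; then
    # Token authentication: the plugin documentation makes --direct-cc mandatory here.
    sargs="$sargs --direct-cc"
  else
    [ -n "${AQUA_USER:-}" ] && [ -n "${AQUA_PASSWORD:-}" ] ||
      { echo "set AQUA_TOKEN, or AQUA_USER and AQUA_PASSWORD" >&2; return 1; }
    # -P puts the secret on the command line; prefer the token where possible.
    sargs="$sargs -U $AQUA_USER -P $AQUA_PASSWORD"
  fi
  [ "${NO_VERIFY_TLS:-0}" = 1 ] && sargs="$sargs --no-verify"   # development only
  [ "${REGISTER:-0}" = 1 ] && sargs="$sargs --register"
  [ "${SHOW_NEGLIGIBLE:-0}" = 1 ] && sargs="$sargs --show-negligible"
  case "$SCAN_TYPE" in
    local)
      [ -n "${IMAGE:-}" ] || { echo "IMAGE is required" >&2; return 1; }
      sargs="$sargs --local $IMAGE" ;;
    hosted)
      [ -n "${IMAGE:-}" ] || { echo "IMAGE is required" >&2; return 1; }
      [ -n "${REGISTRY:-}" ] && sargs="$sargs --registry $REGISTRY"
      sargs="$sargs $IMAGE" ;;
    archive)
      [ -n "${TAR_PATH:-}" ] || { echo "TAR_PATH is required" >&2; return 1; }
      sargs="$sargs --docker-archive /scan.tar" ;;
    *)
      echo "unknown SCAN_TYPE '$SCAN_TYPE'" >&2; return 1 ;;
  esac
  printf '%s\n' "$sargs"
}

# Run the scan and mirror the task's failure handling: a non-zero scannercli
# exit (image not compliant with its assurance policy) fails the Bamboo job
# unless NEVER_FAIL=1, which is the plugin's "Never fail builds" behaviour and
# turns the scan into a report-only step.
aqua_scan() {
  dopts=$(aqua_docker_args) || return 1
  sopts=$(aqua_scan_args) || return 1
  status=0
  # shellcheck disable=SC2086  # word-splitting of the option strings is intended
  docker $dopts "$AQUA_SCANNER_IMAGE" scan $sopts || status=$?
  [ "$status" -eq 0 ] && return 0
  echo "Aqua scan exited with status $status; see $REPORT_FILE" >&2
  [ "${NEVER_FAIL:-0}" = 1 ] && return 0
  return "$status"
}

# Usage from a Bamboo Script task: export the variables (AQUA_TOKEN from a
# password-type plan variable), source this file, then call "aqua_scan".
```

Keep the report file inside the build working directory so the artifact definition in the Modify artifact outputs section picks it up, and treat NEVER_FAIL the same way as the plugin's checkbox: with it set, a failing policy only leaves a message and a report behind, and nothing stops the image from being pushed.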

  


Modify artifact outputs

Bamboo generates files in the build working directory during a build. They are normally discarded when the build finishes, but you can keep selected files, such as the Aqua scan report, by defining them as artifacts in the job's Artifacts tab. To configure storing artifact outputs:

  1. In the required build plan, open the Plan configuration page.
  2. In the left pane, select the required job under Stages & jobs.
  3. Go to the Artifacts tab and click Create artifact.
  4. In the Create artifact dialog, enter the following details:
  • Name: the name by which the artifact is referred to, for example aqua-scan-results.
  • Location: the directory that contains the files, relative to the build working directory.
  • Copy pattern: a pattern that selects the files, such as *.jar or *.html for jar or HTML files.
  5. Enable the Shared and/or Required checkboxes as needed; the UI explains the purpose of each.
  6. Click Create.



The artifacts produced by a job during its build are listed in the Artifacts tab of the build result.



Run the build

Once the plugin and the scan task are configured, Aqua scans images as part of the build. Whenever a build of a plan that contains the Aqua task is triggered, the task scans the image and records the results. To run the build:

  1. Run the Bamboo build plan that contains the Aqua scanning task, as configured in the previous sections.
  2. When the build completes, open the build result, click the job, and go to the Job Summary tab, where the scan results are displayed.