TABLE OF CONTENTS
- Integrate Aqua Scanner with Bamboo
- Run the build
The Aqua Security Scanner plugin for Bamboo scans Docker images built or referenced in Atlassian Bamboo for security issues.
Before you configure the Aqua Security plugin in Bamboo, make sure that your Aqua admin has assigned you the Scanner permission.
Integrate Aqua Scanner with Bamboo
Integrating the Aqua scanner with Bamboo involves the following four steps:
1. Install the Aqua scanner plugin
2. Configure the Aqua scanner plugin
3. Add the Aqua scanner task to the Bamboo build plan
4. Modify artifact outputs
Install the Aqua scanner plugin
To install the Aqua scanner plugin:
1. Navigate to the Atlassian Marketplace to download the Aqua scanner plugin (Aqua Cloud Native Security Platform for Bamboo Server).
2. Click Get it now to download the plugin's .jar file (which has a name like aqua-scanner-2.0.21-RELEASE.jar).
3. In the Bamboo application, from the BAMBOO ADMINISTRATION dropdown at the top right of the page, select Manage apps.
4. At the right side of the page, click Upload app.
5. In the Upload app dialog, click Choose File and browse to the .jar file that you downloaded.
6. Click Upload.
For more information, refer to the Bamboo document Installing Marketplace apps.
Configure Aqua scanner plugin
After installing the Aqua Security plugin in Bamboo, configure the Aqua scanner so that it can scan images. To configure the Aqua scanner plugin:
1. From the BAMBOO ADMINISTRATION dropdown at the top right of the page, select Manage apps.
2. In the left pane, click Aqua Scanner Plugin. The Aqua Scanner Plugin Global Configuration page appears.
3. Enter values in the following fields and click Save. The table below describes each field.

| Field | Description |
|---|---|
| Aqua Server URL | The Aqua Server URL |
| Aqua User Name | Name of the Aqua user that has the Scanner permission |
| Password | Password for the Aqua user |
| Aqua Scanner Image | Aqua scanner image, for example: aquasec/scanner:6.2 |
| Aqua Additional Docker options | (Optional) additional command line options for the scanner, for example: `-e AQUA_TOKEN=a1b2c34..... --direct-cc`. For more information, refer to Scan Argument. |
| Extra Aqua scanner additional flags | (Optional) additional flags passed to the scanner, as required. For the supported flags, refer to Scan Argument. |
| Do not verify TLS certificates | (Optional) If checked, the plugin does not verify TLS certificates while scanning. This is useful, for example, in a development environment. |
| Skip Aqua scans | (Optional) If checked, the plugin skips Aqua image scanning. |
| Don't create Aqua scan result web portal | (Optional) If checked, the plugin does not create a report in the job summary, so no web reports are created. |
Add the Aqua Scanner Task to Bamboo build plan
To scan images in Bamboo, add the Aqua scanner task to a job and configure it to perform the image scanning. To add the Aqua scanner task:
1. In the Bamboo application header, from the Build drop-down menu, select All build plans.
2. For the required build plan, click the Configure plan button.
3. In the left pane, click the required job under Stages & jobs.
4. In the Tasks tab, click Add task. The Task types dialog appears.
5. Select one of the following configuration options for the task:
   - Use Aqua's Global Configuration: uses the default global configuration as set in the Aqua scanner plugin.
   - Use Custom Aqua Configuration: sets a task-specific custom configuration by entering values for the required fields. By default, the values described in the Configure Aqua scanner plugin section are displayed, but you can customize them for each task through this option.
   - Use Bamboo Global Variables: sets the configuration from Bamboo global variables (for plans defined in YAML or code).
6. In the Image Information section, select one of the following three options to identify the Scanner Location Type:
   - Local Image: scans a local image that is built by the Bamboo project. If you select this option, enter values in the following fields:
     - Image Name
     - Container Registry: (Optional) the container registry
     - Policies: the image assurance policies used to determine compliance after the image is scanned. By default, Aqua uses the Default image assurance policy together with all other image assurance policies.
   - Hosted Image: scans an image that is already stored in a Docker registry. If you select this option, enter values in the following fields:
     - Image Name
     - Container Registry: (Optional) the Aqua registry in which the image is registered
     - Hide vulnerabilities in the base image: enable this to hide vulnerabilities in the base image from which this image was built.
   - Docker-archive: scans Docker images contained in a .tar file. If you select this option, enter a value in the Tar file path field.
7. In the Aqua Scanner Additional Options section, select the required options from the following four and, optionally, enter extra scanner flags:
   - Show negligible/unknown severity vulnerabilities: shows vulnerabilities of negligible and unknown severity in the scan results.
   - Register image in the Aqua Server: registers the image with Aqua.
   - Never fail builds: a return code of 0 is returned even if the image assurance policy fails.
   - Perform the action defined in Aqua's policy: performs the actions defined in the assurance policies. If you select this option, you can optionally enter a shell command to execute when the image is not compliant with the image assurance policies.
   - Extra Aqua scanner additional flags: (Optional) enter additional flags as required. For example, if `--layer-vulnerabilities` is passed as an additional flag, vulnerabilities are reported for each layer of the image. For all supported flags, refer to Scan Argument.
8. Click Save.
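As an added example (not the plugin's own code), the shell script below shows where the Aqua Additional Docker options and Extra Aqua scanner additional flags fields land when the scanner container is started from a script task, and reproduces the Never fail builds exit-code gate described above. It assumes the scanner is started as `docker run <docker options> <scanner image> scan <scanner flags> <image>`; the token value is a placeholder and the image name is constructed.

```shell
#!/bin/sh
# Added example; not code from the Aqua plugin or Atlassian's documentation.
# Assumed, not stated on the page: the scanner container is started as
#   docker run <Aqua Additional Docker options> <Aqua Scanner Image> scan <extra scanner flags> <image>

# Values from the plugin's global configuration (the token is a placeholder).
AQUA_SCANNER_IMAGE="aquasec/scanner:6.2"
AQUA_DOCKER_OPTS="-e AQUA_TOKEN=PLACEHOLDER_TOKEN"   # Aqua Additional Docker options: consumed by docker run
AQUA_SCANNER_FLAGS="--layer-vulnerabilities"         # Extra Aqua scanner additional flags: consumed by the scanner

# build_scan_cmd IMAGE [DOCKER_OPTS] [SCANNER_FLAGS]
#   Prints the command line without running it, so the placement of both
#   free-text fields can be checked before the task is configured.
build_scan_cmd() {
  image=$1
  docker_opts=${2-$AQUA_DOCKER_OPTS}
  scanner_flags=${3-$AQUA_SCANNER_FLAGS}
  printf 'docker run --rm %s %s scan %s %s\n' \
    "$docker_opts" "$AQUA_SCANNER_IMAGE" "$scanner_flags" "$image"
}

# scan_gate EXIT_CODE NEVER_FAIL
#   Mirrors the plugin's "Never fail builds" option: a non-zero scanner exit
#   code (image assurance policy failed) is turned into 0 when NEVER_FAIL is
#   "true"; otherwise the failure propagates and the build step fails.
scan_gate() {
  scanner_exit=$1
  never_fail=${2:-false}
  if [ "$scanner_exit" -eq 0 ]; then
    return 0
  fi
  if [ "$never_fail" = "true" ]; then
    echo "image assurance policy failed (scanner exit $scanner_exit); continuing because Never fail builds is enabled" >&2
    return 0
  fi
  echo "image assurance policy failed (scanner exit $scanner_exit)" >&2
  return 1
}

# Usage in a script task (commented out so the file can be sourced for inspection):
#   cmd=$(build_scan_cmd "myapp:1.0")   # constructed image name
#   sh -c "$cmd"; scan_gate $? false || exit 1
```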
Modify artifact outputs
Bamboo generates various files as artifacts during the build process. These are normally deleted when the build is complete, but you can optionally choose to keep them. Set the location where these artifact files are saved in the Artifacts tab. To configure storing artifact outputs:
1. In the required build plan, navigate to the Plan configuration page.
2. In the left pane, select the required job under Stages & Jobs.
3. Go to the Artifacts tab and click Create artifact.
4. In the Create artifact dialog, enter the following details:
   - Name: the artifact name by which it will be referred to, for example: aqua-scan-results.
   - Location: the directory, relative to the build folder, in which the files are produced.
   - Copy pattern: a pattern identifying the files, such as *.jar or *.html for jar or html files.
5. Enable the Shared and/or Required checkboxes as required for the purpose displayed on the UI.
6. Click Create.
You can see the artifacts created while a job runs during its build in the Artifacts tab.
Run the build
After the Aqua scanner configuration in Bamboo is complete, Aqua is ready to scan images in the build process. When the next build is triggered, the build plan that contains the Aqua integration scans the images and shows the results. To run the build:
1. Run the Bamboo build plan that contains the Aqua scanning task, as configured in the previous sections.
2. When the build process is complete, click the task number and go to the Job Summary tab, where the scan results are displayed.