Give Jenkins a Software Bill of Materials with Syft – InApps 2022

Since the U.S. White House released its Cybersecurity Executive Order earlier this year, calling on government agencies to improve their security,  it’s become quite apparent that supply chain security is of paramount importance. One of the main reasons for this is because we’ve seen, over the past year, a number of instances where supply chains have been attacked. This has led to a major crackdown on insecurities across the board.

One way to aid in this attempt is supplying what is called a Software Bill of Materials (SBOM). I recently wrote a tutorial on how to generate an SBOM using a command-line tool called Syft.

For some, the command line is a perfect tool for such a task. It’s efficient, it’s simple, it’s effective. For others, however, a web-based or GUI solution is necessary. Fortunately, cloud native developers are swift to react, and because they already have a majority of the pieces in place, a solution for this was very quick to present itself. Said solution involves a combination of Syft, the Grype vulnerability tool, and CloudBees‘ CI/CD software Jenkins. With these three tools, you can generate an SBOM from a git repository in seconds… all from within the web-based Jenkins, a tool many cloud native developers already know.

So how is this done? Let me show you.

Install Docker

To make this quick and painless, we’re going to do all of the installations with the help of Docker. So the first thing we must do is install Docker. I’ll be demonstrating on Ubuntu Server 20.04, so if you’re using a different Linux distribution, make sure to alter the instructions as needed.

To install Docker on Ubuntu Server, log in and issue the command:

sudo apt-get install docker.io -y

When the installation completes, start and enable the Docker service with:

sudo systemctl enable docker

sudo systemctl start docker

Finally, add your user to the docker group with:

sudo usermod -aG docker $USER

Log out and log back in for the changes to take effect.

How to deploy Jenkins via Docker

Next, we’ll deploy Jenkins as a Docker container with the command:

docker run -u root -d --name jenkins --rm -p 8080:8080 -p 50000:50000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/jenkins-data:/var/jenkins_home jenkinsci/blueocean

Give the container a moment to start up. As it’s starting, you’ll want to locate the first four digits of the Jenkins container name with the command:

docker ps -a

With those four digits in hand, view the Jenkins logs with:

docker logs ID

Where ID is the ID of the Jenkins container. In the output of that log file, you should see a long string of characters under Jenkins initial setup is required (Figure 1).

Figure 1: The output of the docker logs command shows the initial admin password.

Open a browser and point it to http://SERVER:8080 (where SERVER is the IP address of your server). You will be presented with a window that requires the initial admin password (Figure 2).

Figure 2: Paste your initial admin password here.

Once you’ve pasted the password, click Continue.

In the next window (Figure 3), click Install suggested plugins.

Figure 3: Installing all of the suggested plugins for Jenkins is just a click away.

It’ll take some time for the plugin installation to complete. When it does, you’ll be presented with a window that allows you to create a new admin user (Figure 4).

Figure 4: Creating your first admin user in Jenkins.

Enter the details for your admin user and click Save and Continue.

Install Syft and Grype

When that process completes, install both Syft and Gype by heading back to the terminal window and issuing the following two commands:

docker exec jenkins bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin'

docker exec jenkins bash -c 'curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin'

You’re now ready to generate your first SBOM.

Generating an SBOM

Log into Jenkins with your new admin user credentials. On the main window (Figure 5), click New Item in the left navigation.

Figure 5: The Jenkins sidebar is where you manage all of your builds.

In the resulting window (Figure 6), name the new item syft-sbom-demo, click Pipeline, and then click OK.

Figure 6: Creating a new Pipeline for the Syft SBOM.

In the Pipeline configuration window, select the following options:

• Definition – Pipeline script from SCM
• SCM – Git
• Repository URL – https://github.com/pvnovarese/syft-sbom-demo (although you can use any GitHub repository for this demo).

From the Credentials drop-down, select Jenkins, and then, in the resulting popup (Figure 7), fill out your GitHub credentials as needed.

Figure 7: Creating credentials for GitHub.

When you complete the credential configuration, click Add.

Click save and then click Build Now.

The build will clone an alpine base image, call Syft, and generate the SBOM. You can then view the SBOM by clicking #1 in the build history (because this is your first build) and then clicking Console Output. Scroll down until you see the SBOM (Figure 8).

Figure 8: Our SBOM, generated by Syft through Jenkins.

And that’s all there is to using Jenkins and Syft to generate a Software Bill of Materials for your GitHub-hosted project. This demo should give you the means to generate SBOMs for all of your cloud native GitHub projects that depend on container images. It might take some extra elbow grease to get your projects working (as opposed to the demo), but now that you know how it functions, you should be able to integrate with your own workflow.

InApps is a wholly owned subsidiary of Insight Partners, an investor in the following companies mentioned in this article: Docker.