Introduction

In any software development cycle, it is best practice to catch issues as early as possible since it both improves security and decreases the workload for both developers and security. In order to do this, CrowdStrike offers solutions for developers at build time that allow them to assess their Docker container images and review summarized report data integrated with their favorite CI/CD tools like Jenkins.

Video

Lab Environment

In this solution,

1. AWS Codecommit clones all the docker files from GitHub repo.
2. AWS Cloud9 IDE is used to look at the code and make any changes/pull/push request.
3. Jenkins compiles the code but also scans it for any vulnerabilities.
4. If the code is vulnerable, Jenkins sends the scan report to CrowdStrike.
5. If there are no vulnerabilities, the docker file is published to ECR for application deployment.

Install CrowdStrike Security for Jenkins Plugin

CrowdStrike Security for Jenkins is a plugin that uses image assessment to find vulnerabilities in container images early in the development process (i.e. shift-left), and then block them as per predefined policies within the CrowdStrike Falcon platform. The plugin provides several advantages:

Create Jenkins Pipelines

Jenkins Pipeline (or simply “Pipeline” with a capital “P”) is a suite of plugins which supports implementing and integrating continuous delivery pipelines into Jenkins. A continuous delivery (CD) pipeline is an automated expression of your process for getting software from version control right through to your users and customers. Every change to your software (committed in source control) goes through a complex process on its way to being released. This process involves building the software in a reliable and repeatable manner, as well as progressing the built software (called a “build”) through multiple stages of testing and deployment.

Jenkinsfiles are written in groovy, and declare a list of Stages that the pipeline must complete to result in a successful build. Our plugin is called with the method crowdStrikeSecurity in its own stage. When it is called, it can accept a series of parameters including:

• imageName: – this is the image name you would like to scan, this image must be built in the pipeline or already built on the node where the Jenkins Pipeline will execute
• imageTag: – this is the tag of the image you would like to scan, this image:tag must be built in the pipeline or already built on the node where the Jenkins Pipeline will execute
• enforce: – true or false, whether to apply the Scan Report Recommendation to Allow or Prevent the Jenkins Pipeline Build from completion.
• timeout: – timeout period for a Scan Report response from the Falcon API

Here’s what calling our plugin looks like in code:

The Dockerfile pulls from an old version of Python from Dockerhub and copies main.py from the local directory. This version of the Python will contain critical and high vulnerabilities.

Create InitialJenkinsPipeline

The InitialJenkinsPipeline.gvy groovy file (seen here in AWS Cloud9) sets variables and executes three stages in a Jenkins Pipeline:

1. Clone CodeCommit repo
2. Build Docker image
3. Scan image using the CrowdStrike plugin

Create a Pipeline called InitialJenkinsPipeline on Jenkins

Scroll down to the Pipeline Section and paste in your InitialJenkinsPipeline.gvy code

Create EnforceJenkinsPipeline

The EnforceJenkinsPipeline.gvy groovy file sets variables and executes four stages in a Jenkins Pipeline:

1. Clone CodeCommit repo
2. Build Docker image
3. Scan image using the CrowdStrike plugin
4. Push image to ECR (per Falcon Image Assessment Policy conditions)

Create a Pipeline called EnforceJenkinsPipeline on Jenkins, scroll down to the Pipeline Section and paste in your EnforceJenkinsPipeline.gvy code

On the Jenkins Dashboard, you should now see two pipeline items available in the middle of the page.

Configure Falcon Image Assessment Policies

When the Image Assessment tool assesses images from your registries, the images are compared to policies that you define. If the image matches a policy’s rules, you can view alerts about the match or you can prevent deployment of the image.

We will now create two new rules: Alert and Prevent as part of our assessment policy.

• For the Alert Rule, we will provide CVE severity of Low and Medium as a matching condition and create the rule

• For the Prevent Rule, we will provide CVE severity of High and Critical as a matching condition and create the rule

Jenkins Pipeline Build and Falcon API/Dashboard Integration

Build the Initial Jenkins Pipeline

Now, we will the build initial pipeline (InitialJenkinsPipeline) and observe the results.

Since the Dockerfile is currently pulling from an old version of Python which contains critical and high vulnerabilities, the CrowdStrike Falcon Image Assessment prevented the build due to High Vulnerabilities (per the policy rules we created earlier):

Jenkins sends the scan report to CrowdStrike, and you can see the same vulnerabilities on the Falcon UI and investigate them further:

Build the Enforce Jenkins Pipeline

At this point we are ready to run the Enforce Jenkins pipeline. However, first we will change the current Dockerfile to use the latest python base image (instead of a version with vulnerabilities). To do this, we make changes to the Dockerfile in Cloud9, “push” the changes and commit.

Next, we will run the Enforce Jenkins pipeline against the updated base image

Once the build executes and completes without failures/errors you will see a green check mark indicating a successful build

Next, we will look at the Amazon ECR registry to see the newly built (non-vulnerable, clean) image. This image can be used for Application deployment.

The CrowdStrike integration with Jenkins ensures that workloads remain secure while DevOps works at speed without any performance hit.