技术文档 | 在Jenkins及GitlabCI中集成OpenSCA，轻松实现CI/CD开源风险治理

原创

OpenSCA社区

发布于 2023-12-29 15:47:06

1930

发布于 2023-12-29 15:47:06

文章被收录于专栏：OpenSCAOpenSCA

插播：

OpenSCA-cli 现支持通过 homebrew 以及 winget 安装：

Mac/Linux

brew install opensca-cli

Windows

winget install opensca-cli

总有小伙伴问起如何在CI/CD中集成OpenSCA，文档它这不就来啦~

若您解锁了其他OpenSCA的用法，也欢迎向项目组来稿，将经验分享给社区的小伙伴们~

Jenkins

在 Jenkins 中集成 OpenSCA，需要在 Jenkins 构建机器中安装 OpenSCA-cli。OpenSCA-cli 支持主流的操作系统，包括 Windows、Linux、MacOS，亦可通过 Docker 镜像运行。

Freestyle Project

对于自由风格的项目，可以通过在构建步骤中添加 Execute shell 或 Execute Windows batch command 来执行 OpenSCA-cli。

以 Execute shell 为例：

# install opensca-cli

curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh

# export opensca-cli to PATH

export PATH=/var/jenkins\_home/.config/opensca-cli:$PATH

# run opensca scan and generate reports(replace {put\_your\_token\_here} with your token)

opensca-cli -path $WORKSPACE -token {put\_your\_token\_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json

* install.sh 会默认将 OpenSCA 安装在用户家目录 .config 目录下，请根据实际情况调整 PATH 环境变量或使用绝对路径。

Pipeline Project

对于流水线项目，可以通过在流水线脚本中添加 sh 或 bat 来执行 OpenSCA-cli。以 sh 为例

pipeline {

    agent any



    stages {



        stage('Build') {

            steps {

                // Get some code from a GitHub repository

                // build it, test it, and archive the binaries.

            }

        }



        stage('Security Scan') {

            steps {

                // install opensca-cli

                sh "curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh"

                // run opensca scan and generate reports(replace {put\_your\_token\_here} with your token)

                sh "/var/jenkins\_home/.config/opensca-cli/opensca-cli -path $WORKSPACE -token {put\_your\_token\_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json"

            }

        }

    }



    post {

        always {

            // do something post build

        }

    }

}

(可选) 添加构建后动作

在 Jenkins 中，可以通过 Post-build Actions 来实现保存制品、报告等操作，例如可以通过 Publish HTML reports 插件来保存并展示 OpenSCA-cli 生成的 HTML 报告。

*请注意，OpenSCA 生成的 HTML 报告需启用 JavaScript 才能正常显示。这需要修改 Jenkins 的安全策略，具体操作请参考 Jenkins 官方文档。这可能会导致 Jenkins 的安全性降低，因此请谨慎操作。

修改 Jenkins CSP

在 Jenkins 的 Manage Jenkins -> Script Console 中执行以下脚本：

System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")

执行完成后，需重启 Jenkins 服务。

确保您已经安装了 Publish HTML reports 插件，然后在 Jenkins 项目的 Post-build Actions 中添加 Publish HTML reports：

成功构建后，在 Jenkins Job 的 Dashboard 中，即可看到 OpenSCA-cli 生成的 HTML 报告

Pipeline Script 示例

post {

    always {

        // do something post build

        publishHTML(

            [

                allowMissing: false,

                alwaysLinkToLastBuild: true,

                keepAll: true,

                reportDir: 'results',

                reportFiles: 'result.html',

                reportName: 'OpenSCA Report',

                reportTitles: 'OpenSCA Report',

                useWrapperFileDirectly: true

            ]

        )

    }

}

GitLab CI

在 GitLab CI 中集成 OpenSCA，需要在 GitLab Runner 中安装 OpenSCA-cli。OpenSCA-cli 支持主流的操作系统，包括 Windows、Linux、MacOS，亦可通过 Docker 镜像运行。

security-test-job:

    stage: test

    script:

        - echo "do opensca scan..."

        - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh

        - /root/.config/opensca-cli/opensca-cli -path $CI\_PROJECT\_DIR -token {put\_your\_token\_here} -out $CI\_PROJECT\_DIR/results/result.html,$CI\_PROJECT\_DIR/results/result.dsdx.json

    artifacts:

      paths:

        - results/

      untracked: false

      when: on\_success

      expire\_in: 30 days

**完整示例**

stages:

  - build

  - test

  - deploy



build-job:

  stage: build

  script:

    - echo "Compiling the code..."

    - echo "Compile complete."



unit-test-job:

  stage: test

  script:

    - echo "do unit test..."

    - sleep 10

    - echo "Code coverage is 90%"



lint-test-job:

  stage: test

  script:

    - echo "do lint test..."

    - sleep 10

    - echo "No lint issues found."



security-test-job:

    stage: test

    script:

        - echo "do opensca scan..."

        - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh

        - /root/.config/opensca-cli/opensca-cli -path $CI\_PROJECT\_DIR -token {put\_your\_token\_here} -out $CI\_PROJECT\_DIR/results/result.html,$CI\_PROJECT\_DIR/results/result.dsdx.json

    artifacts:

      paths:

        - results/

      untracked: false

      when: on\_success

      expire\_in: 30 days



deploy-job:

  stage: deploy

  environment: production

  script:

    - echo "Deploying application..."

    - echo "Application successfully deployed."

原创声明：本文系作者授权腾讯云开发者社区发表，未经许可，不得转载。

如有侵权，请联系 cloudcommunity@tencent.com 删除。

开源