A lot of customers ask about running SourceClear from within a Docker container on their build node. Here is how to do it. Customize this to suit your exact needs. Throughout the blog I assume that you've got a project named myproject.
The steps to follow are:
- Build an Ubuntu based Docker image containing your project's source code
- Run the Docker image, which downloads and installs the latest SourceClear agent
- Start a SourceClear scan on the project folder
Add the following two files to the root of your project. The first is the Dockerfile (docker build . expects that name):
# Latest Ubuntu
FROM ubuntu
# Curl is required for grabbing the latest SourceClear Agent
RUN apt-get update
RUN apt-get install -y curl
# Mount the local folder for scanning purposes.
ADD . /src
The second is scan.sh, a simple script file that keeps the command line neat and tidy when you execute the Docker container. The shebang line is needed because the container executes the file directly:
#!/bin/sh
cd /src && curl -sSL https://download.sourceclear.com/ci.sh | sh
Make sure it's executable:
$ chmod 755 scan.sh
Setting up the environment
The Agent API Key
Create a new Jenkins agent from your SourceClear organization, create an API key and add it as an environment variable:
export SRCCLR_API_TOKEN=<insert token here>
This will get passed to the Docker container at runtime.
Build the container
Building the Docker container does several things:
- Downloads the base Docker image (Ubuntu)
- Installs Curl
- Copies the root project folder into /src in the image (the ADD step in the Dockerfile)
Now build the container (from the root of the project):
docker build . -t srcclr_scan_myproject
Execute the containerized scan
docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/scan.sh
This will do several things:
- -e SRCCLR_API_TOKEN injects this environment variable into the running container, along with its value. This supplies the SourceClear Agent with the required API key.
- srcclr_scan_myproject tells Docker to use the image we just built (which contains the latest source from myproject).
- /src/scan.sh runs the scan script we created locally, which now resides in /src/ along with the project's source.
If you've set everything up, you should see output like:
$ docker run -e SRCCLR_API_TOKEN srcclr_scan_myproject /src/scan.sh
SourceClear scanning engine ready
Running the Gem scanner
Scanning completed
Found 0 lines of code
Matching libraries against the SourceClear Registry...
Matching complete

Summary Report
Scan ID                      7295d188-2073-449a-9068-90ac6c08f44f
Scan Date & Time             Oct 04 2017 08:49PM UTC
Account type                 ENTERPRISE
Scan engine                  2.10.37 (latest 2.10.37)
Analysis time                5 seconds
User                         root
Project                      /src
Package Manager(s)           Gem

Open-Source Libraries
Total Libraries              168
Direct Libraries             57
Transitive Libraries         120
Vulnerable Libraries         2
Third Party Code             100%

Security
With Vulnerable Methods      0
High Risk Vulnerabilities    1
Medium Risk Vulnerabilities  5
Low Risk Vulnerabilities     0

Vulnerabilities - Public Data
CVE-2015-5147  High Risk    Denial Of Service (DoS) And Stack-based Buffer Overflow     redcarpet 3.2.3

Vulnerabilities - Premium Data
NO-CVE         Medium Risk  Heap-based Buffer Overflow Through Embedded C Dependency    nokogiri 1.8.0
NO-CVE         Medium Risk  Denial Of Service (DoS) Through Memory Consumption          nokogiri 1.8.0
NO-CVE         Medium Risk  Copy-Paste Vulnerability (CPV) Through Libxml2              nokogiri 1.8.0
NO-CVE         Medium Risk  Copy-Paste Vulnerability (CPV) Through Libxml2              nokogiri 1.8.0
NO-CVE         Medium Risk  Multiple Stack Overflows Through Embedded C Dependency      nokogiri 1.8.0

Licenses
Unique Library Licenses      8
Libraries Using GPL          2
Libraries With No License    14

Full Report Details
https://myorg.sourceclear.io/teams/855C9Z5/scans/2489804
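Added here as an example (not code from the original post or from SourceClear): a wrapper that runs the build and scan steps above and reads the Summary Report to fail the CI step when it lists high-risk vulnerabilities. The image tag and /src/scan.sh come from the post; the MAX_HIGH threshold, the function names and the sample report excerpt are assumptions made for this example.

```shell
#!/bin/sh
# Added CI wrapper (not from the original post): build the image, run the
# containerized scan, and fail the job when the Summary Report lists more
# high-risk vulnerabilities than policy allows. Image tag and script path
# follow the post; MAX_HIGH, function names and SAMPLE_REPORT are assumed.

IMAGE="srcclr_scan_myproject"
MAX_HIGH="${MAX_HIGH:-0}"    # assumed policy: zero high-risk findings

# Constructed excerpt in the layout of the post's Summary Report (sample data).
SAMPLE_REPORT='Summary Report
High Risk Vulnerabilities   1
Medium Risk Vulnerabilities 5
Low Risk Vulnerabilities    0'
# Print the numeric value of a Summary Report field read from stdin,
# e.g.  summary_field "High Risk Vulnerabilities" < scan-report.txt
summary_field() {
    awk -v key="$1" '
        index($0, key) == 1 && $NF ~ /^[0-9]+$/ { print $NF; exit }
    '
}

# Exit 0 when the report on stdin is within policy, 1 when it is not,
# 2 when the field is missing (an unreadable report must not pass silently).
gate_report() {
    high=$(summary_field "High Risk Vulnerabilities")
    if [ -z "$high" ]; then
        echo "gate: High Risk Vulnerabilities not found in report" >&2
        return 2
    fi
    if [ "$high" -gt "$MAX_HIGH" ]; then
        echo "gate: $high high-risk vulnerabilities exceed limit $MAX_HIGH" >&2
        return 1
    fi
    return 0
}

# Build the image and run the scan as in the post, writing the report to stdout.
# Refuses to start without the API token so the agent never runs unauthenticated.
run_scan() {
    [ -n "$SRCCLR_API_TOKEN" ] || { echo "SRCCLR_API_TOKEN is not set" >&2; return 2; }
    docker build . -t "$IMAGE" >/dev/null || return 2
    docker run --rm -e SRCCLR_API_TOKEN "$IMAGE" /src/scan.sh
}

if [ "${1:-}" = "ci" ]; then
    run_scan > scan-report.txt || exit $?
    gate_report < scan-report.txt
fi
```

Invoke it on the build node with the single argument ci; the run above (one high-risk finding in redcarpet) would exit non-zero under the default MAX_HIGH of 0.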