Jenkins Build Deployment Pipeline: A How-To for Ensuring Integrity

In this blog post, we will briefly touch on the importance of strong security in DevOps, the current hole in DevOps security (the gap now referred to as DevSecOps), Jenkins Automation's role in the build process, and then give a technical walkthrough of how to integrate the vChain CodeNotary tool with your Jenkins build deployment pipeline to ensure its integrity.

The Weak Link in DevOps Pipelines

DevOps has been widely adopted for many years for its benefits, including speeding up the software development process. However, in the CI/CD process there is one significant weak link when it comes to ensuring the integrity of code from development to production: when the build is created, stored in a repository and then picked up to be deployed into production, no one knows whether it has been maliciously edited. No integrity check was performed on the containers, scripts, clusters, or any of the other build components. It is entirely possible that someone tampered with the build code and injected malware into it. If the code's integrity was never verified, there is no way to be completely sure that what you are deploying is what you built. (And that is before we even get to the problems that arise after code has been discovered to be compromised, as we posted about here.)

Securing DevOps Builds with CodeNotary

With CodeNotary, the solution is an easy, single step after which you can be 100% sure your code is exactly how you left it. Code integrity is no longer a question with today's technology. It is now possible to verify the integrity of all of your code at every stage of the build process before you ever deploy anything into production.

Additionally, one of the best things about CodeNotary's robust, multi-layered security solution is that its seamless integration prevents problems from arising and growing later on down the pipeline, creating significant savings in terms of potential patch costs and other associated damages.

By integrating CodeNotary's distributed ledger technology into your DevOps and Jenkins builds, you now have the ability to keep a 30,000-foot view of all shipped components sent to any customer, one that scopes down to an infinitely granular level.

Here's how simple it is to set up Jenkins code build notarization.

Integrating vChain CodeNotary into the Jenkins Build Deployment Pipeline

In order to maintain an optimal DevSecOps pipeline with your CI/CD build, we have developed an application that can verify the integrity of all your code continuously. The details of how to configure CodeNotary to automatically sign Jenkins builds are below. The integration has 3 main steps in what otherwise can be labeled a 10-step process. The 3 main steps are:

Steps

  1. System-level configuration
    1. Configure vcn credentials system-wide in Jenkins
  2. Per build job
    1. Tie the vcn credentials in from the system configuration to local environment variables
    2. Sign the asset
  3. Before deployment
    1. Run vcn verify with the asset parameters

Step 1: System-level configuration

On the Home Screen, locate and click the Credentials link in the sidebar menu to expand the submenu beneath it.

[Screenshot: Home Screen]

Step 1.1

With the submenu opened up, go ahead and select the credentials type; in this case, select System.

[Screenshot: Select Credentials]

Step 1.2

After selecting System, click Add Domain and notice the right-hand display shows 'Global credentials (unrestricted)'. Click the link.

[Screenshot: System Credentials]

Step 1.3

Create new credentials by selecting the Add Credentials option.

[Screenshot: Create Credentials]

Step 2: Per build job

Now that you have the credential creation display open, you will need to create your credential entries for your vcn keystore password, vcn user account, and vcn password.

[Screenshot: Create Credential Entries]

Once you have all 3, your list of credentials should look something like the below.

[Screenshot: List Credentials]

Step 2.1

Next, you will need to configure the build job environment for each build job you have. This is relatively simple. All you need to do is tie the vcn credentials in from the system configuration to the local environment variables by setting the appropriate bindings.

[Screenshot: Configure Build Job Environment]

After successfully setting your bindings, you will need to add a build step to the build job for signing your code with the vcn application. Click on the 'Add build step' drop-down and select 'Execute shell.'

[Screenshot: Add build step for signing]

Step 2.2

Next, after running vcn login and entering your credentials in the CLI, you will need to configure your build step for vcn signing by typing in the command:

vcn s docker://gcr.io/vchain-ops/vcn:stable

[Screenshot: Configure build step for vcn signing]

Step 3: Before deployment

Lastly, you will need to execute this snippet in the deployment process, so that the deploy script only runs when verification succeeds (vcn verify exits non-zero when the asset is not trusted):

vcn verify docker://gcr.io/vchain-ops/vcn:stable && your_deploy_script.sh
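The same three steps written as a declarative Jenkinsfile rather than freestyle-job UI settings (an added example, not code from the original post or from CodeNotary). The credential IDs vcn-user and vcn-notarization-pass, the deploy script name, and the VCN_USER, VCN_PASSWORD and VCN_NOTARIZATION_PASSWORD variable names are assumptions; check which variables your vcn version actually reads.

```groovy
// Added example (not from the original post): the three integration steps as a
// declarative Jenkinsfile. Credential IDs, the deploy script name and the VCN_*
// variable names are assumptions; check what your vcn version actually reads.
pipeline {
    agent any
    environment {
        // The same asset reference is used for signing and for verifying, so the
        // pre-deployment check covers exactly the artifact that was notarized.
        ASSET = 'docker://gcr.io/vchain-ops/vcn:stable'
    }
    stages {
        stage('Sign') {
            steps {
                // Step 2.1: bind the system-wide credentials to job-local environment
                // variables. They exist only inside this block and are masked in the log.
                withCredentials([
                    usernamePassword(credentialsId: 'vcn-user',
                                     usernameVariable: 'VCN_USER',
                                     passwordVariable: 'VCN_PASSWORD'),
                    string(credentialsId: 'vcn-notarization-pass',
                           variable: 'VCN_NOTARIZATION_PASSWORD')
                ]) {
                    // Step 2.2: log in and sign. Single-quoted Groovy strings keep the
                    // secrets out of Groovy interpolation; the shell reads them from env.
                    sh 'vcn login && vcn sign "$ASSET"'
                }
            }
        }
        stage('Deploy') {
            steps {
                // Step 3: vcn verify exits non-zero when the asset is unknown, untrusted
                // or revoked, so && keeps the deploy script from ever running after a
                // failed check. No signing credentials are bound in this stage.
                sh 'vcn verify "$ASSET" && ./your_deploy_script.sh'
            }
        }
    }
}
```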

 

And that's it. You're now ready to have vChain CodeNotary provide a perpetually running integrity check across all of your Jenkins build deployment pipeline, as well as ensure you are following the latest DevSecOps best practices.

Secure your Jenkins build deployment pipeline integrity today by signing up for a free CodeNotary non-commercial license by clicking below.

Get Your CodeNotary Free License

Please note, it can take up to 24 hours for us to activate your license after you have successfully completed registration, though it's generally much faster. If you have any feedback, questions, or concerns, drop us a line through our contact page here or contact us through the CodeNotary.io chat.
