Skip to main content

Jenkins

In Jenkins, Cimon Attest is performed using the CLI. In the first step, you must install Cimon CLI and then attest the artifact that is created. Jenkins supports Cimon on all major pipeline types - "Freestyle project", "Pipeline", and "Multibranch Pipeline".

pipeline {
agent any

environment {
CIMON_CLIENT_ID = credentials("cimon-client-id")
CIMON_SECRET = credentials("cimon-secret")
}

options {
disableConcurrentBuilds()
}

stages {
stage('Install Cimon') {
steps {
sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh'
}
}

stage('Build Artifacts') {
steps {
sh """
mkdir dist
echo artifact1 > dist/artifact1
echo artifact2 > dist/artifact2
"""
}
}

stage('Generate Sign Key') {
steps {
sh """
openssl genrsa -out private-key.pem 3072
"""
}
}

stage('Cimon Attest') {
environment {
CIMON_SUBJECTS = """
dist/artifact1
dist/artifact2
"""
CIMON_SIGN_KEY = "private-key.pem"
}
steps {
sh './bin/cimon attest'
}
}

stage('Print Provenance') {
steps {
sh 'cat provenance.intoto.jsonl'
}
}

stage('Print Signed Provenance') {
steps {
sh 'cat provenance.intoto.jsonl.sig'
}
}
}
}

Explanation:

tip

When running a pipeline job, it is recommended to pull the Jenkinsfile from a version-controlled system. This improves the provenance quality and makes trusting the running build easier.

environment {
CIMON_CLIENT_ID = credentials("cimon-client-id")
CIMON_SECRET = credentials("cimon-secret")
}

Cimon receives input parameters through environment variables.

options {
disableConcurrentBuilds()
}

Enforce steps to run sequentially.

stage('Install Cimon') {
steps {
sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh'
}
}

Installing Cimon tooling. More info for installation options can be found in CLI integration page.

stage('Build Artifacts') {
steps {
sh """
mkdir dist
echo artifact1 > dist/artifact1
echo artifact2 > dist/artifact2
"""
}
}

Creating artifacts. This is build-specific, and we just used stub artifacts for the process demonstration.

stage('Generate Sign Key') {
steps {
sh """
openssl genrsa -out private-key.pem 3072
"""
}
}

Creating a signature key. This is build-specific, and we just used a stub key for the process demonstration.

stage('Cimon Attest') {
environment {
CIMON_SUBJECTS = """
dist/artifact1
dist/artifact2
"""
CIMON_SIGN_KEY = "private-key.pem"
}
steps {
sh './bin/cimon attest'
}
}

Attesting the artifacts given through input variables with the provided key. These can be configured through the CLI parameters.

stage('Print Provenance') {
steps {
sh 'cat provenance.intoto.jsonl'
}
}

stage('Print Signed Provenance') {
steps {
sh 'cat provenance.intoto.jsonl.sig'
}
}

Printing the attestation according to the default paths. These can be configured through the CLI parameters.

Usage

The supported parameters that could be supplied to Cimon are explained in the CLI integration.