
Jenkins

In Jenkins, Cimon Attest is performed using the CLI: first install the Cimon CLI, then attest the artifacts the build creates. Cimon is supported on all major Jenkins pipeline types: "Freestyle project", "Pipeline", and "Multibranch Pipeline".

pipeline {
    agent any

    environment {
        CIMON_CLIENT_ID = credentials("cimon-client-id")
        CIMON_SECRET = credentials("cimon-secret")
    }

    options {
        disableConcurrentBuilds()
    }

    stages {
        stage('Install Cimon') {
            steps {
                sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh'
            }
        }

        stage('Build Artifacts') {
            steps {
                sh """
                mkdir dist
                echo artifact1 > dist/artifact1
                echo artifact2 > dist/artifact2
                """
            }
        }

        stage('Generate Sign Key') {
            steps {
                sh """
                openssl genrsa -out private-key.pem 3072
                """
            }
        }

        stage('Cimon Attest') {
            steps {
                // Single-quoted so the shell, not Groovy, expands the credential
                // variables; Jenkins flags Groovy interpolation of secrets as insecure.
                sh '''
                cimon attest generate-and-sign \
                    --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
                    --subjects "dist/artifact1 dist/artifact2" --key private-key.pem
                '''
            }
        }

        stage('Print Provenance') {
            steps {
                sh 'cat provenance.intoto.jsonl'
            }
        }

        stage('Print Signed Provenance') {
            steps {
                sh 'cat provenance.intoto.jsonl.sig'
            }
        }
    }
}

Explanation:

Tip: When running a pipeline job, it is recommended to pull the Jenkinsfile from a version-controlled system. This improves the provenance quality and makes trusting the running build easier.

environment {
    CIMON_CLIENT_ID = credentials("cimon-client-id")
    CIMON_SECRET = credentials("cimon-secret")
}

The Cimon client ID and secret must be loaded from Jenkins credentials into environment variables.

options {
    disableConcurrentBuilds()
}

Prevents concurrent builds of this job, so builds run one at a time.

stage('Install Cimon') {
    steps {
        sh 'curl -sSfL https://cimon-releases.s3.amazonaws.com/install.sh | sh'
    }
}

Installs the Cimon CLI. More information on installation options can be found on the CLI integration page.

stage('Build Artifacts') {
    steps {
        sh """
        mkdir dist
        echo artifact1 > dist/artifact1
        echo artifact2 > dist/artifact2
        """
    }
}

Creates the artifacts. This step is build-specific; stub artifacts are used here only to demonstrate the process.

stage('Generate Sign Key') {
    steps {
        sh """
        openssl genrsa -out private-key.pem 3072
        """
    }
}

Creates a signing key. This step is build-specific; a throwaway key is generated here only to demonstrate the process. Note that a key generated inside the build and discarded afterwards leaves no way to verify the signature later, so a real pipeline supplies a key it manages.

stage('Cimon Attest') {
    steps {
        // Single-quoted so the shell, not Groovy, expands the credential
        // variables; Jenkins flags Groovy interpolation of secrets as insecure.
        sh '''
        cimon attest generate-and-sign \
            --client-id $CIMON_CLIENT_ID --secret $CIMON_SECRET \
            --subjects "dist/artifact1 dist/artifact2" --key private-key.pem
        '''
    }
}

Generates and signs provenance for the listed subject artifacts with the provided key. The subjects and the key can be configured through the CLI parameters.

stage('Print Provenance') {
    steps {
        sh 'cat provenance.intoto.jsonl'
    }
}

stage('Print Signed Provenance') {
    steps {
        sh 'cat provenance.intoto.jsonl.sig'
    }
}

Prints the generated attestation and its signature from their default output paths. These paths can be configured through the CLI parameters.
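Once provenance.intoto.jsonl exists, a consumer can check that the subjects it lists still match the artifacts on disk. The following Python is an added example, not part of this page or of the Cimon tooling; it assumes the file holds one in-toto Statement per line with sha256 subject digests (the statement and predicate type URIs in the constructed sample are assumptions), and it does not verify the .sig file, whose format the page does not describe.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_subjects(provenance_path: Path, base_dir: Path) -> dict:
    """Map each subject name in the .jsonl statements to True when the file under
    base_dir has the recorded sha256, False on mismatch or when it is missing."""
    results = {}
    for line in provenance_path.read_text().splitlines():
        if not line.strip():
            continue
        for subject in json.loads(line)["subject"]:
            target = base_dir / subject["name"]
            actual = sha256_file(target) if target.is_file() else None
            results[subject["name"]] = actual == subject["digest"]["sha256"]
    return results


def build_demo(tmp: Path) -> Path:
    """Constructed stand-in for the pipeline: the two stub artifacts plus a
    one-line in-toto statement over them. Statement/predicate types are assumed."""
    names = ["dist/artifact1", "dist/artifact2"]
    (tmp / "dist").mkdir()
    for n in names:
        (tmp / n).write_text(n.split("/")[-1] + "\n")  # same bytes as the echo steps
    statement = {"_type": "https://in-toto.io/Statement/v0.1",
                 "subject": [{"name": n, "digest": {"sha256": sha256_file(tmp / n)}} for n in names],
                 "predicateType": "https://slsa.dev/provenance/v0.2", "predicate": {}}
    prov = tmp / "provenance.intoto.jsonl"
    prov.write_text(json.dumps(statement) + "\n")
    return prov


def demo() -> tuple:
    """Check clean artifacts, then again after one is modified post-build."""
    with tempfile.TemporaryDirectory() as d:
        tmp = Path(d)
        prov = build_demo(tmp)
        clean = verify_subjects(prov, tmp)
        (tmp / "dist/artifact2").write_text("tampered\n")
        return clean, verify_subjects(prov, tmp)
```

Calling demo() returns the per-subject results before and after the simulated change, so the second result shows dist/artifact2 failing the digest check.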

Usage

The supported parameters that can be supplied to Cimon are explained on the CLI integration page.