Nexus Container Integration

IQ Server | Reading time: 6 minutes

This article covers everything you need to know about the integration of Nexus Container in Nexus Lifecycle. We’ll go over what the integration is, how it works, and how to use it. More specifically, this article will help you:

  • Understand what Nexus Container is and where you can learn more about it.
  • Understand how Nexus Lifecycle works with Nexus Container and what information the scans provide.
  • Run scans in Nexus Lifecycle using the command line interface (CLI) or a Jenkins plugin.
  • Analyze the results of a scan and use that info to better understand the health of your infrastructure.

Prerequisites

What is Nexus Container?

Nexus Container is a Kubernetes-native security solution for the complete container lifecycle. It protects the container network, processes, and file system by continuously scanning for vulnerabilities and compliance issues from build, to ship, to run. Nexus Container is the only solution that protects running containers, the Kubernetes orchestrator, and hosts from threats such as vulnerability exploits, zero-day attacks, malware, and insider attacks at Layer 7.

Nexus Container scans container images from build to production for vulnerabilities and compliance issues or misconfigurations, and uses admission controls to keep vulnerable images from deploying. Its run-time behavioral inspection identifies all network traffic at Layer 7 and every container process. This lets it automatically create behavior-based security policies, enforce Data Loss Prevention, and prevent zero-day malware and network attacks, tunnel breaches, and more.

How does Lifecycle scan with Nexus Container?

Now that you have some basic knowledge on Nexus Container, let’s talk about how Nexus Lifecycle works with it.

Nexus Lifecycle scans the application layer of your containers and provides precise component intelligence for Java, JavaScript, NuGet, and Python.

To scan using Nexus Container's intelligence, the first step is to set environment variables that link your Nexus Container instance with Nexus Lifecycle:

Environment Variables to set

Environment Variable                          Example Value
NEXUS_CONTAINER_SCANNING_LICENSE              <license>
NEXUS_CONTAINER_SCANNING_SCANNER_IMAGE        neuvector/scanner
NEXUS_CONTAINER_SCANNING_REGISTRY_URL         <registry URL>
NEXUS_CONTAINER_SCANNING_REGISTRY_USER        <username>
NEXUS_CONTAINER_SCANNING_REGISTRY_PASSWORD    <password>

To scan a private image, also set these environment variables:

Environment Variable                          Example Value
NEXUS_CONTAINER_IMAGE_REGISTRY_USER           <registry username>
NEXUS_CONTAINER_IMAGE_REGISTRY_PASSWORD       <registry password>

These values include your license and registry credentials. Set them in the environment of the account that runs the scan (for example in an environment file readable only by that user) rather than in a shared shell profile or a build log where other users can read them.

In addition to setting the environment variables, create the following directory under the standard var directory:

mkdir /var/neuvector

The account that runs the scan needs full access to this directory. Grant it to that account only, rather than making the directory world-writable. For a service user named nexuscontainer, for example:

chown -Rv nexuscontainer /var/neuvector

When you run a scan from the CLI or as a Jenkins build step, every target prefixed with "container:" is evaluated and included in the scan results.

What will I see in the evaluation results?

When scanning container images or registries, Lifecycle applies all configured policies and gives you a breakdown, as it would in any other application. The report contains information on the application layers, and provides a breakdown in terms of the container vulnerabilities, what is breaking policy, and how you can resolve vulnerabilities.

Information provided from the scan report helps you understand the quality of the applications alongside your infrastructure, and Nexus Lifecycle provides that intelligence throughout the development pipeline.

An example - running a scan from the CLI

  1. Navigate to the folder that has the Nexus IQ CLI.
  2. Run the Nexus IQ CLI:

java -jar nexus-iq-cli-1.120.0-SNAPSHOT.jar -i test-app -s http://localhost:8070 -a admin:admin123 -t develop container://http://registry.hub.docker.com/library/alpine:3.4

The example above uses a 1.120.0 SNAPSHOT build of the IQ CLI; substitute the file name of the jar you downloaded. test-app is the ID of the application the evaluation runs against, http://localhost:8070 is the location of the IQ Server, admin:admin123 are the login credentials (use an account with only the permissions the evaluation needs rather than the default administrator), -t develop is the stage, and the container: prefix tells the CLI to scan a container image or registry.

Once the scan is complete, you’ll see a link to the results report in your CLI. Copy the link and then paste it into your browser to access the scan results.

NOTE: You can view container and application scan results in the same view by specifying both as targets in the same CLI command. For example:

java -jar nexus-iq-cli-1.120.0-SNAPSHOT.jar -i test-app -s http://localhost:8070 -a admin:admin123 -t develop container://<image/registry> <path to target application archive file>
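The setup steps above (the NEXUS_CONTAINER_* variables and the /var/neuvector directory) and the CLI invocation in this example can be wrapped in one script. The following is an added example, not Sonatype's tooling or code from the article; IQ_CLI_JAR, IQ_SERVER, IQ_AUTH and IQ_STAGE are names chosen here for the values the article passes on the command line. The script refuses to run when a required variable is empty (naming the variable but never echoing its value), grants the working directory to the service user without opening it to everyone, and rejects image references that carry neither a tag nor a digest, since an unpinned reference resolves to latest and the evaluation then cannot be reproduced.

```shell
#!/bin/sh
# Added example, not Sonatype's own tooling: a POSIX sh wrapper around the
# IQ CLI container evaluation described in the article. IQ_CLI_JAR, IQ_SERVER,
# IQ_AUTH and IQ_STAGE are local names assumed here, not product settings.

# Variables the article lists as required for every scan. The two
# NEXUS_CONTAINER_IMAGE_REGISTRY_* variables are only needed for private
# images, so they are not checked here.
REQUIRED_SCANNING_VARS="NEXUS_CONTAINER_SCANNING_LICENSE
NEXUS_CONTAINER_SCANNING_SCANNER_IMAGE
NEXUS_CONTAINER_SCANNING_REGISTRY_URL
NEXUS_CONTAINER_SCANNING_REGISTRY_USER
NEXUS_CONTAINER_SCANNING_REGISTRY_PASSWORD"

# Print the names of unset or empty required variables, one per line, and
# return 1 if any are missing. Values are never echoed: the license and the
# registry password are secrets.
missing_scanning_vars() {
    missing=0
    for name in $REQUIRED_SCANNING_VARS; do
        eval "value=\${$name:-}"
        if [ -z "$value" ]; then
            printf '%s\n' "$name"
            missing=1
        fi
    done
    [ "$missing" -eq 0 ]
}

# Turn an image reference into an IQ CLI target with the container: prefix.
# References with no tag and no digest are refused: "alpine" silently means
# alpine:latest, which makes the evaluation unreproducible.
container_target() {
    ref=${1#container:}
    last=${ref##*/}   # last path segment, so a registry port is not mistaken for a tag
    case "$last" in
        *@sha256:*|*:*) printf 'container:%s\n' "$ref" ;;
        *) printf 'refusing unpinned image reference %s: add a tag or digest\n' "$ref" >&2
           return 1 ;;
    esac
}

# Create the scanner working directory and hand it to the IQ service user.
# Only that user is granted access; the mode keeps other users on the host
# out instead of widening permissions with chmod 777.
ensure_scanner_dir() {
    dir=${1:-/var/neuvector}
    owner=${2:-nexuscontainer}
    [ -d "$dir" ] || mkdir -p "$dir"
    chown -R "$owner" "$dir"
    chmod 750 "$dir"
}

# Run the evaluation: run_iq_scan <iq app id> <image ref> [application archive...]
# Extra arguments are passed through as additional targets, which is how the
# article combines a container and an application archive in one report.
run_iq_scan() {
    app=$1; image=$2; shift 2
    if ! missing_scanning_vars >/dev/null; then
        echo "missing Nexus Container scanning variables:" >&2
        missing_scanning_vars >&2
        return 1
    fi
    target=$(container_target "$image") || return 1
    # IQ_AUTH holds the credentials passed with -a (admin:admin123 in the
    # article). Export it from a secrets store rather than typing it on the
    # command line so it stays out of shell history.
    java -jar "${IQ_CLI_JAR:-nexus-iq-cli.jar}" \
        -i "$app" \
        -s "${IQ_SERVER:-http://localhost:8070}" \
        -a "${IQ_AUTH:?set IQ_AUTH to the IQ credentials}" \
        -t "${IQ_STAGE:-develop}" \
        "$target" "$@"
}

# Usage (only when invoked with arguments, so sourcing the file is harmless):
#   IQ_AUTH=admin:admin123 sh iq-container-scan.sh test-app alpine:3.6 target/app.war
if [ "$#" -ge 2 ]; then
    run_iq_scan "$@"
fi
```

The directory step needs root (or an account allowed to chown to the service user), so run ensure_scanner_dir once during host provisioning and leave only run_iq_scan in the build job; the ownership check is the reason the article's chown example matters, since a scanner that cannot write its working directory fails late with an unhelpful error.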

Example Report with Container data

Figure 1: Container and application results in the same view!

Component Information Panel

Figure 2: Component Information Panel

Vulnerability Details

Figure 3: Vulnerability Details

Vulnerability Details with Recommendations

Figure 4: Vulnerability Information with Recommendations

The report shows you the components identified, customized policy violations, a detailed bill of materials, and will also automatically kick off notifications, if that feature is enabled.

For more information on running scans in the CLI, please see our Nexus IQ CLI help docs.

An example - running a scan from Jenkins CI

NOTE: You need a running instance of Jenkins with the Nexus Platform plugin installed and configured to run policy evaluations in Jenkins.

Open Jenkins, and create a new pipeline project. In the Pipeline section, enter the following script:

pipeline {
    agent any

    stages {
        stage('Policy') {
            steps {
                nexusPolicyEvaluation(
                    advancedProperties: '',
                    enableDebugLogging: false,
                    failBuildOnNetworkError: false,
                    iqApplication: selectedApplication('test-app'),
                    iqScanPatterns: [[scanPattern: 'container:alpine:3.6']],
                    iqStage: 'develop',
                    jobCredentialsId: ''
                )
            }
        }
    }
}

In the example above, test-app is the name of the application we are running the evaluation against, and container: means we are scanning a container image or registry (alpine 3.6 in this example).

Save the pipeline script and then kick off your build in Jenkins.

Once the job is done, you’ll see a link to the results report. Open the link in your browser to access the scan results.

Nexus Container in Lifecycle FAQs

How does Nexus Lifecycle evaluate containers?

Nexus Lifecycle leverages Nexus Container intelligence to directly provide information about your images and registries back in the same familiar Lifecycle report, alongside other application vulnerabilities and evaluation results.

Where can I integrate Sonatype’s container scanning into my SDLC?

Nexus Container scanning in Lifecycle is currently available in the CLI and the Jenkins plugin.

Talk to Us

Have more questions or comments? Learn more at help.sonatype.com, join us in the Sonatype Community, and view our course catalog at learn.sonatype.com.

And visit my.sonatype.com for all things Sonatype.