Integrating OpenSCA into Jenkins and GitLab CI for easy CI/CD open-source risk governance
Word count: 918, 2025-08-22 12:22:15
OpenSCA Integration Guide for Jenkins and GitLab CI
1. About OpenSCA
OpenSCA is an open-source software composition analysis (SCA) tool for governing open-source component risk in the CI/CD pipeline. The latest release can be installed with a package manager:
- Mac/Linux:
brew install opensca-cli
- Windows:
winget install opensca-cli
2. Integrating OpenSCA into Jenkins
2.1 Preparation
Install opensca-cli on the Jenkins build agent (the machine that actually runs the job). Supported options:
- Direct install (Windows/Linux/macOS)
- Run from the Docker image
2.2 Freestyle project integration
Add an "Execute shell" build step with the following commands:
# Install opensca-cli (the installer is fetched from the master branch and piped into sh)
curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh
# Put the install directory on PATH
export PATH=/var/jenkins_home/.config/opensca-cli:$PATH
# Run the scan and write the reports (replace {put_your_token_here} with your real token)
opensca-cli -path $WORKSPACE -token {put_your_token_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json
Notes:
- install.sh installs OpenSCA under .config in the home directory of the user running it by default (/var/jenkins_home for the official Jenkins container image)
- adjust the PATH export, or call the binary by its absolute path, to match your environment
2.3 Pipeline project integration
Example pipeline script (Jenkinsfile):
pipeline {
  agent any
  stages {
    stage('Build') {
      steps {
        // regular build steps
      }
    }
    stage('Security Scan') {
      steps {
        // install opensca-cli
        sh "curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh"
        // run the scan and write the reports (replace {put_your_token_here} with your real token)
        sh "/var/jenkins_home/.config/opensca-cli/opensca-cli -path $WORKSPACE -token {put_your_token_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json"
      }
    }
  }
  post {
    always {
      // post-build steps, e.g. publishing the report (see 2.4)
    }
  }
}
2.4 Post-build handling
2.4.1 Relaxing the Jenkins CSP
The HTML report generated by OpenSCA needs JavaScript, which the default Content-Security-Policy that Jenkins attaches to files served from workspaces and archived artifacts blocks. To display the report inside Jenkins, relax the policy:
- Open Manage Jenkins -> Script Console
- Run the following script:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")
- The new policy takes effect immediately, without a restart. A property set from the Script Console does not survive a restart, however: to keep it, pass the same value to the Jenkins JVM at startup as -Dhudson.model.DirectoryBrowserSupport.CSP=... and then restart the service.
Be aware that this relaxation applies to every file Jenkins serves from workspaces and artifacts, for all jobs, not only to this report; with 'unsafe-inline' and 'unsafe-eval' allowed, scripts embedded in any archived file will run in the browser of whoever views it. Jenkins can instead serve such files from a separate origin via the Resource Root URL setting (Manage Jenkins -> System), which displays the report without weakening the CSP.
2.4.2 Publishing the HTML report
Install the HTML Publisher plugin. In a Freestyle project, add the "Publish HTML reports" post-build action and point it at the results directory with result.html as the index page. In a Pipeline project, add the publishHTML step to the post section of the pipeline script:
post {
  always {
    publishHTML([
      allowMissing: false,
      alwaysLinkToLastBuild: true,
      keepAll: true,
      reportDir: 'results',
      reportFiles: 'result.html',
      reportName: 'OpenSCA Report',
      reportTitles: 'OpenSCA Report',
      useWrapperFileDirectly: true
    ])
  }
}
3. Integrating OpenSCA into GitLab CI
3.1 Preparation
Install opensca-cli on the GitLab Runner (or in the image the job runs in); the same options as for Jenkins apply. The examples below use /root/.config/opensca-cli because install.sh, run as root inside the job container, installs under /root/.config; adjust the path if your runner uses another user or image.
3.2 Basic integration example (.gitlab-ci.yml)
security-test-job:
  stage: test
  script:
    - echo "do opensca scan..."
    - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh
    - /root/.config/opensca-cli/opensca-cli -path $CI_PROJECT_DIR -token {put_your_token_here} -out $CI_PROJECT_DIR/results/result.html,$CI_PROJECT_DIR/results/result.dsdx.json
  artifacts:
    paths:
      - results/
    untracked: false
    when: on_success
    expire_in: 30 days
3.3 Complete CI/CD pipeline example
stages:
  - build
  - test
  - deploy

build-job:
  stage: build
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."

unit-test-job:
  stage: test
  script:
    - echo "do unit test..."
    - sleep 10
    - echo "Code coverage is 90%"

lint-test-job:
  stage: test
  script:
    - echo "do lint test..."
    - sleep 10
    - echo "No lint issues found."

security-test-job:
  stage: test
  script:
    - echo "do opensca scan..."
    - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh
    - /root/.config/opensca-cli/opensca-cli -path $CI_PROJECT_DIR -token {put_your_token_here} -out $CI_PROJECT_DIR/results/result.html,$CI_PROJECT_DIR/results/result.dsdx.json
  artifacts:
    paths:
      - results/
    untracked: false
    when: on_success
    expire_in: 30 days

deploy-job:
  stage: deploy
  environment: production
  script:
    - echo "Deploying application..."
    - echo "Application successfully deployed."
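Both the Jenkins sh steps in section 2 and the GitLab script lines in section 3 embed the token and an absolute install path in the pipeline definition. The wrapper below is an added example, not part of the original article or of the OpenSCA project. It reads the token from an environment variable (supplied by a Jenkins Secret text credential through withCredentials, or by a masked GitLab CI/CD variable), refuses to run while the placeholder is still in place, locates opensca-cli on PATH or in the install.sh default directory under $HOME/.config, creates the results directory, and returns the scanner's exit status so a failed scan fails the job. The variable names OPENSCA_TOKEN and OPENSCA_BIN, the script name, and the assumption that the scanner does not create its output directory are mine; the -path, -token and -out flags are the ones used on this page.

```sh
#!/bin/sh
# opensca_scan.sh: added example, not code from the OpenSCA project or the article.
#
# A scan wrapper that a Jenkins `sh` step and a GitLab CI `script:` line can
# both call, so that neither the token nor the install path is hard-coded in
# the pipeline definition.
#
# Assumptions (not stated on the page):
#   OPENSCA_TOKEN  the token, injected by the CI system (Jenkins Secret text via
#                  withCredentials, or a masked GitLab CI/CD variable)
#   OPENSCA_BIN    optional explicit path to the opensca-cli binary
#   opensca-cli accepts -path, -token and -out exactly as used on this page
#   the scanner may not create the output directory, so the wrapper does

# Locate opensca-cli: explicit OPENSCA_BIN, then PATH, then the directory
# install.sh uses by default ($HOME/.config/opensca-cli, which is
# /var/jenkins_home/.config/opensca-cli on the Jenkins container image and
# /root/.config/opensca-cli in a GitLab job container running as root).
# Prints the path on success; returns 1 if nothing is found.
resolve_opensca_bin() {
    if [ -n "${OPENSCA_BIN:-}" ] && [ -x "$OPENSCA_BIN" ]; then
        printf '%s\n' "$OPENSCA_BIN"
        return 0
    fi
    if command -v opensca-cli >/dev/null 2>&1; then
        command -v opensca-cli
        return 0
    fi
    if [ -x "$HOME/.config/opensca-cli/opensca-cli" ]; then
        printf '%s\n' "$HOME/.config/opensca-cli/opensca-cli"
        return 0
    fi
    echo "opensca-cli not found: run install.sh or set OPENSCA_BIN" >&2
    return 1
}

# Refuse an empty token or the placeholder copied verbatim from the examples;
# otherwise the scan runs and fails late with a less obvious error.
check_token() {
    case "${1:-}" in
        ""|*put_your_token_here*)
            echo "OPENSCA_TOKEN is unset or still a placeholder" >&2
            return 1
            ;;
    esac
    return 0
}

# run_opensca_scan <source dir> <results dir>
# Writes result.html and result.dsdx.json into <results dir> and returns the
# scanner's exit status, so a failing scan fails the CI job.
run_opensca_scan() {
    scan_src="$1"
    scan_out="$2"
    if [ ! -d "$scan_src" ]; then
        echo "source directory not found: $scan_src" >&2
        return 1
    fi
    check_token "${OPENSCA_TOKEN:-}" || return 1
    scan_bin="$(resolve_opensca_bin)" || return 1
    mkdir -p "$scan_out" || return 1
    # The token travels on the command line, as on the page. A shell tracing
    # with `set -x` echoes the full command; Jenkins and GitLab mask the value
    # in the job log only when it really comes from a credential binding or a
    # masked variable, so do not export it any other way.
    "$scan_bin" -path "$scan_src" -token "$OPENSCA_TOKEN" \
        -out "$scan_out/result.html,$scan_out/result.dsdx.json"
}

# When executed with arguments, scan <source dir> into <results dir>
# (default: <source dir>/results). When sourced without arguments, only the
# functions are defined.
if [ "$#" -ge 1 ]; then
    run_opensca_scan "$1" "${2:-$1/results}"
fi
```

Commit the script to the repository. In Jenkins, wrap the step as withCredentials([string(credentialsId: 'opensca-token', variable: 'OPENSCA_TOKEN')]) { sh './opensca_scan.sh "$WORKSPACE" "$WORKSPACE/results"' }; in GitLab, define OPENSCA_TOKEN as a masked (and, for production branches, protected) CI/CD variable and call ./opensca_scan.sh "$CI_PROJECT_DIR" "$CI_PROJECT_DIR/results" from the job script. Anything passed as a command-line argument is still visible in the process list on the agent while the scan runs, so treat the agent itself as part of the trust boundary for the token.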
4. Notes
- Replace {put_your_token_here} in every example with your real token. Better still, keep the token out of the pipeline file altogether: store it as a Jenkins Secret text credential or a masked GitLab CI/CD variable and hand it to the scan step through an environment variable, so it is neither committed to the repository nor printed in the job log.
- The HTML report generated by OpenSCA needs JavaScript.
- Displaying the HTML report inside Jenkins requires relaxing the CSP, which lowers protection for every file Jenkins serves from workspaces and artifacts, not just for this report.
- The examples fetch install.sh from the master branch and pipe it straight into sh on every build; for a reproducible and auditable pipeline, pin a released version of the installer and verify the download before executing it, or bake opensca-cli into the build image.
- Report and install paths can be adjusted as needed.
- Keep the scan results as build artifacts for later analysis. In GitLab, artifacts declared with when: on_success are discarded if the job fails, so switch to when: always if you want the report from a failed scan as well.
5. Contributing
The OpenSCA community welcomes users to share other integration approaches and hands-on experience; contributions can be submitted to the project team so that the whole community benefits.