Technical Documentation | Integrating OpenSCA into Jenkins and GitLab CI for Easy CI/CD Open-Source Risk Governance
Word count: 956 | 2025-08-18 11:36:53
Guide to Integrating OpenSCA into Jenkins and GitLab CI
I. Introduction to OpenSCA
OpenSCA is an open-source software composition analysis (SCA) tool that detects security risks in the open-source components a project depends on. It can be integrated into a CI/CD pipeline to run security scans automatically.
Installation methods
- Mac/Linux: brew install opensca-cli
- Windows: winget install opensca-cli
- Install script: curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh
II. Jenkins integration
1. Prerequisites
- Install OpenSCA-cli on the Jenkins build agent
- Windows, Linux and macOS are supported
- It can also be run from the Docker image
2. Freestyle project configuration
Add an execute-command build step:
Linux/Mac (Execute shell):
# Install opensca-cli
curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh
# Add it to PATH
export PATH=/var/jenkins_home/.config/opensca-cli:$PATH
# Run the scan and generate the reports (replace {put_your_token_here} with your token)
opensca-cli -path $WORKSPACE -token {put_your_token_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json
Windows (Execute Windows batch command):
:: The install and scan commands are similar; use the corresponding Windows versions
3. Pipeline project configuration
pipeline {
    agent any
    stages {
        stage('Security Scan') {
            steps {
                // Install opensca-cli
                sh 'curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh'
                // Run the scan (replace {put_your_token_here} with your token).
                // Single quotes leave $WORKSPACE to the shell rather than to Groovy string interpolation.
                sh '/var/jenkins_home/.config/opensca-cli/opensca-cli -path $WORKSPACE -token {put_your_token_here} -out $WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json'
            }
        }
    }
}
4. Post-build handling
Modify the Jenkins CSP policy
Run the following in Manage Jenkins -> Script Console:
System.setProperty("hudson.model.DirectoryBrowserSupport.CSP", "sandbox allow-scripts; default-src 'self'; img-src 'self' data:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval';")
Restart the Jenkins service afterwards.
Publish the HTML report
- Install the Publish HTML reports plugin
- Add an HTML report publish step under Post-build Actions
Pipeline script example:
post {
    always {
        publishHTML([
            allowMissing: false,
            alwaysLinkToLastBuild: true,
            keepAll: true,
            reportDir: 'results',
            reportFiles: 'result.html',
            reportName: 'OpenSCA Report',
            reportTitles: 'OpenSCA Report',
            useWrapperFileDirectly: true
        ])
    }
}
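The pipeline above pastes the token into the Jenkinsfile. As an added example (not from the original post or the OpenSCA project), here is the same scan and report publishing with the token read from a Jenkins "Secret text" credential, so it never appears in the Jenkinsfile or the build log. It assumes a credential with id opensca-token exists and that opensca-cli is already installed on the agent by the install script from section II.2.

```groovy
// Added example, not code from the original post or the OpenSCA project.
// Assumptions: a "Secret text" credential with id 'opensca-token' exists,
// and opensca-cli was installed on the agent by the install.sh script.
pipeline {
    agent any
    environment {
        // Install location used by install.sh for the jenkins user (see section II.2)
        OPENSCA_HOME = '/var/jenkins_home/.config/opensca-cli'
    }
    stages {
        stage('Security Scan') {
            steps {
                // Bind the credential to OPENSCA_TOKEN for the duration of this block;
                // Jenkins masks its value in the console output.
                withCredentials([string(credentialsId: 'opensca-token', variable: 'OPENSCA_TOKEN')]) {
                    // Single-quoted script: the shell expands $WORKSPACE and $OPENSCA_TOKEN,
                    // so Groovy never interpolates the secret into the command string.
                    sh '''
                        mkdir -p "$WORKSPACE/results"
                        "$OPENSCA_HOME/opensca-cli" -path "$WORKSPACE" -token "$OPENSCA_TOKEN" \
                            -out "$WORKSPACE/results/result.html,$WORKSPACE/results/result.dsdx.json"
                    '''
                }
            }
        }
    }
    post {
        always {
            // Keep the machine-readable report next to the HTML one
            archiveArtifacts artifacts: 'results/*.dsdx.json', allowEmptyArchive: true
            publishHTML([
                allowMissing: false,
                alwaysLinkToLastBuild: true,
                keepAll: true,
                reportDir: 'results',
                reportFiles: 'result.html',
                reportName: 'OpenSCA Report',
                reportTitles: 'OpenSCA Report',
                useWrapperFileDirectly: true
            ])
        }
    }
}
```

The withCredentials step comes from the Credentials Binding plugin, which ships with the standard Jenkins pipeline plugin set.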
III. GitLab CI integration
1. Prerequisites
- Install OpenSCA-cli on the GitLab Runner
- Windows, Linux and macOS are supported
- It can also be run from the Docker image
2. Basic configuration example
security-test-job:
  stage: test
  script:
    - echo "do opensca scan..."
    - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh
    - /root/.config/opensca-cli/opensca-cli -path $CI_PROJECT_DIR -token {put_your_token_here} -out $CI_PROJECT_DIR/results/result.html,$CI_PROJECT_DIR/results/result.dsdx.json
  artifacts:
    paths:
      - results/
    untracked: false
    when: on_success
    expire_in: 30 days
3. Complete pipeline example
stages:
  - build
  - test
  - deploy

build-job:
  stage: build
  script:
    - echo "Compiling the code..."
    - echo "Compile complete."

unit-test-job:
  stage: test
  script:
    - echo "do unit test..."
    - sleep 10
    - echo "Code coverage is 90%"

lint-test-job:
  stage: test
  script:
    - echo "do lint test..."
    - sleep 10
    - echo "No lint issues found."

security-test-job:
  stage: test
  script:
    - echo "do opensca scan..."
    - curl -sSL https://raw.githubusercontent.com/XmirrorSecurity/OpenSCA-cli/master/scripts/install.sh | sh
    - /root/.config/opensca-cli/opensca-cli -path $CI_PROJECT_DIR -token {put_your_token_here} -out $CI_PROJECT_DIR/results/result.html,$CI_PROJECT_DIR/results/result.dsdx.json
  artifacts:
    paths:
      - results/
    untracked: false
    when: on_success
    expire_in: 30 days

deploy-job:
  stage: deploy
  environment: production
  script:
    - echo "Deploying application..."
    - echo "Application successfully deployed."
IV. Notes
- By default the install script places OpenSCA under .config in the user's home directory; adjust PATH or use an absolute path as appropriate
- The HTML report generated by OpenSCA requires JavaScript to display correctly
- Relaxing the Jenkins CSP policy reduces security; proceed with care
- Make sure every {put_your_token_here} is replaced with the actual token
- Reports can be generated in several formats at once (e.g. .html and .dsdx.json)