CI/CD
Make speed safe: ship fast without shipping risk
Secure pipelines minimize blast radius, protect credentials, and ensure artifacts are trustworthy. Here’s a pragmatic blueprint with Jenkins and Docker.
Hardening Checklist
- Run ephemeral, least-privileged agents (Kubernetes pod agents that are created per build and destroyed after it). Avoid Docker-in-Docker where you can: the nested daemon needs a privileged container, which undoes any capability drop. Prefer a rootless or daemonless builder (BuildKit rootless, Kaniko, Buildah).
- Keep secrets in Jenkins Credentials (backed by a vault where possible; Kubernetes Sealed Secrets for agent pod secrets) and inject them only through withCredentials, which masks them in the console log. Never echo tokens, and never interpolate a secret into a Groovy string ("${TOKEN}"): pass it to sh as an environment variable instead, or the value lands in the build log.
- Scan images with Trivy or Grype, generate an SBOM with Syft, archive it with the build, and fail the build on CRITICAL (and ideally HIGH) CVEs.
- Sign images with Cosign, by digest rather than tag, and enforce verification at admission (Kyverno or Sigstore policy-controller) so an unsigned image cannot be scheduled. A signature nobody checks proves nothing.
- Pin base images by digest (@sha256:, not a mutable tag) and pin Jenkins plugins and shared libraries to a fixed version or commit.
Sample Jenkinsfile Snippet
pipeline {
  agent { label 'k8s-ephemeral' }
  environment {
    // Tag by commit. GIT_COMMIT is not secret, so Groovy interpolation is fine here.
    IMAGE = "registry/app:${env.GIT_COMMIT}"
  }
  stages {
    stage('Build') {
      steps {
        sh 'docker build -t "$IMAGE" .'
      }
    }
    stage('Scan & SBOM') {
      steps {
        // Gate before push: an image that fails the scan never reaches the registry.
        sh 'trivy image --exit-code 1 --severity CRITICAL,HIGH "$IMAGE"'
        sh 'syft "$IMAGE" -o spdx-json > sbom.spdx.json'
        archiveArtifacts artifacts: 'sbom.spdx.json'
      }
    }
    stage('Push & Sign') {
      steps {
        // Cosign signs what is in the registry, so push first.
        sh 'docker push "$IMAGE"'
        // Sign the immutable digest, not the mutable tag.
        sh 'docker inspect --format "{{index .RepoDigests 0}}" "$IMAGE" > image.digest'
        // Key and password come from the Jenkins Credentials store; withCredentials masks them in the log.
        // Single-quoted Groovy strings keep the shell, not Groovy, expanding the variables.
        withCredentials([file(credentialsId: 'cosign-key', variable: 'COSIGN_KEY'),
                         string(credentialsId: 'cosign-password', variable: 'COSIGN_PASSWORD')]) {
          sh 'cosign sign --yes --key "$COSIGN_KEY" "$(cat image.digest)"'
        }
      }
    }
  }
}
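The pipeline above produces a signature; something in the cluster has to check it, or the Sign stage is theatre. The following Kyverno ClusterPolicy is an added example, not part of the original page, that refuses to schedule any Pod whose registry/app image was not signed by the pipeline's Cosign key. The policy name, the image glob and the public-key placeholder are assumptions; the image name matches the Jenkinsfile.

```yaml
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
  name: verify-app-image-signature     # assumed name
spec:
  validationFailureAction: Enforce      # block the admission, do not merely audit it
  background: false
  webhookTimeoutSeconds: 30
  rules:
    - name: require-cosign-signature
      match:
        any:
          - resources:
              kinds:
                - Pod
      verifyImages:
        - imageReferences:
            - "registry/app:*"            # same image the Jenkinsfile pushes
          required: true
          mutateDigest: true              # rewrite the tag to the verified digest in the Pod spec
          attestors:
            - entries:
                - keys:
                    # Paste the output of: cosign public-key --key cosign.key
                    publicKeys: |-
                      -----BEGIN PUBLIC KEY-----
                      <pipeline Cosign public key goes here, assumed placeholder>
                      -----END PUBLIC KEY-----
```

Apply it with kubectl apply -f, then try to run an unsigned tag of the image: the API server should reject the Pod with a verifyImages failure, while a digest signed by the pipeline's key is admitted and its tag is rewritten to that digest. Sigstore's own policy-controller (ClusterImagePolicy) enforces the same rule if you prefer a Sigstore-native controller over Kyverno.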
Key Takeaways
- Secrets stay in vaults/credentials providers—never in SCM.
- Every artifact must be scanned, SBOM’d, and signed.
- Use ephemeral agents and least privilege everywhere.
FAQs
Do I need Cosign? If you ship containers, signing plus enforced verification closes a big supply-chain gap: it ties the image a cluster runs to the pipeline that built it. Signing alone does nothing until an admission policy rejects unsigned images, so do both.
Can I keep my current registry? Most likely. Cosign stores signatures and SBOM attestations as OCI artifacts next to the image, so any OCI-compliant registry can hold them. Enforcement is not the registry's job, though: verification happens at admission in the cluster, so check your registry's OCI artifact support and put the policy in your admission controller.