Socket for Jenkins Jobs

Socket fights vulnerabilities and provides visibility, defense-in-depth, and proactive supply chain protection for your open source dependencies. It is easy to integrate Socket into your Jenkins Build Process to provide an extra layer of security against Supply Chain Attacks.

Adding Socket to your build process

Requirements

To run the Socket CLI, the following must be installed on your Jenkins runners/agents:

  1. Python3
  2. pip
  3. git
  4. python3.11-venv

Example Dockerfile for a Jenkins image that includes the requirements

FROM jenkins/jenkins:2.462.2-jdk17
USER root
RUN apt-get update && apt-get install -y lsb-release
RUN curl -fsSLo /usr/share/keyrings/docker-archive-keyring.asc \
  https://download.docker.com/linux/debian/gpg
RUN echo "deb [arch=$(dpkg --print-architecture) \
  signed-by=/usr/share/keyrings/docker-archive-keyring.asc] \
  https://download.docker.com/linux/debian \
  $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
RUN apt-get update && apt-get install -y docker-ce-cli python3 python3-pip python3.11-venv
USER jenkins
RUN jenkins-plugin-cli --plugins "blueocean docker-workflow"

Create your Socket API token

You can create the API token yourself if you have permission in your socket.dev account, or you can have your admin create it for you with the Reports scope.

  1. Log into the socket.dev dashboard

  2. Go to Settings

  3. Go to the API Tokens tab

  4. Select Create API Token

  5. Give the token a name like Gitlab API Token

  6. Set up the scopes

    1. repo

      1. list
      2. create
      3. update
    2. full-scans

      1. list
      2. create

  7. Click Confirm
  8. Click on Show key
  9. Click on the API Token to copy it

Setting Socket API token

  1. Log into Jenkins

  2. Go to Dashboard -> Manage Jenkins

  3. Select Credentials

  4. Go to System

  5. Global Credentials

    1. Note: any credential domain that the pipeline or job running Socket can access will work
  6. Select Add Credentials

    1. Scope: select the scope that gives the pipeline or job running Socket access to the credential

    2. Secret: Paste the Socket API token

    3. id: SOCKET-API

    4. Description: Socket Security API token

  7. Click Create

Example adding Socket as a Stage/Step in a Pipeline

  1. Log into Jenkins
  2. Select a Pipeline
  3. Scroll down to Pipeline
  4. Add the following stage

    stage('run-socket') {
        steps {
            script {
                withCredentials([string(credentialsId: 'SOCKET-API', variable: 'SOCKET_SECURITY_API_KEY')]) {
                    // Run Socket. Single quotes keep $PATH out of Groovy string
                    // interpolation; the shell on the agent expands it instead.
                    sh '''
                        python3 -m venv .venv
                        PATH=.venv/bin:$PATH
                        pip install socketsecurity --upgrade
                        socketcli --target_path .
                    '''
                }
            }
        }
    }

  5. Save
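
A complete declarative Jenkinsfile built around the stage above, added here as an example; it is not part of Socket's own documentation or code. It assumes the SOCKET-API secret-text credential created earlier, a pipeline defined from SCM (so that checkout scm has a repository to fetch), and an agent label named linux, which is a placeholder for your own label.

```groovy
// Added example Jenkinsfile (not from the Socket documentation).
// Assumptions: credential id 'SOCKET-API' exists as secret text,
// the pipeline is configured "from SCM", and 'linux' is a placeholder agent label.
pipeline {
    agent { label 'linux' }
    stages {
        stage('checkout') {
            steps {
                // Fetch the repository so that socketcli has manifests to scan.
                checkout scm
            }
        }
        stage('run-socket') {
            steps {
                withCredentials([string(credentialsId: 'SOCKET-API', variable: 'SOCKET_SECURITY_API_KEY')]) {
                    // Non-interpolated ('...') script: $PATH and $PWD are expanded by the
                    // shell on the agent, and the token is only ever read from the
                    // environment by socketcli, never embedded in a Groovy string.
                    sh '''
                        set -eu
                        python3 -m venv .venv
                        PATH="$PWD/.venv/bin:$PATH"
                        pip install --upgrade socketsecurity
                        # A non-zero exit from socketcli fails the build here.
                        socketcli --target_path .
                    '''
                }
            }
        }
    }
    post {
        always {
            // Drop the virtualenv so it is not scanned or archived by later stages.
            sh 'rm -rf .venv'
        }
    }
}
```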

Example adding Socket as a Build Step in a Job

  1. Log into Jenkins

  2. Select a job; in this example we selected socket-example-job

  3. Select Configure

  4. Scroll down to Build Environment

  5. Select Use secret text(s) or file(s)

  6. Configure a Secret Text

    1. Variable: SOCKET_SECURITY_API_KEY

    2. Credential: select the Socket API token

  7. Scroll down to Build Steps

  8. Select Add a build step

  9. Select the shell build step type

  10. Add the following shell script

    python3 -m venv .venv
    PATH=.venv/bin:$PATH
    pip install socketsecurity --upgrade
    socketcli --target_path .
    
  11. Save

Testing the pipeline

  1. Click Build Now
  2. Check the console output