
Azure DevOps Plugin: Jacked
Introduction
Jacked gives organizations a more comprehensive view of their applications so they can take calculated actions and build a better security approach. Its primary purpose is to scan for vulnerabilities so that subsequent risk mitigation measures can be implemented.
Pipeline Scripts: Image, Tar File, and Directory.
Image Scanning Pipeline Script:
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- task: Jacked@1
  inputs:
    token: ''
    scanType: 'image'
    scanName: 'ubuntu:latest'
    failCriteria: 'medium'
    skipBuildFail: 'false'
Tar File Scanning Pipeline Script:
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- script: |
    echo "Pulling Docker image: ubuntu"
    docker pull ubuntu
    echo "Saving image to ubuntu.tar"
    docker save ubuntu -o ubuntu.tar
  displayName: 'Pull and Save Docker Image'
- script: |
    echo "Listing generated tar file..."
    ls -lh ubuntu.tar
  displayName: 'List Tar File'
- task: Jacked@1
  inputs:
    token: ''
    scanType: 'tarball'
    scanName: 'ubuntu.tar'
    failCriteria: 'medium'
    skipBuildFail: 'false'
Cloned Repository Directory Scanning Script:
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- script: |
    echo "Listing contents of the repository..."
    ls -la $(Build.SourcesDirectory)
  displayName: 'List Repo Directory'
- task: Jacked@1
  inputs:
    token: ''
    scanType: 'filesystem'
    scanName: '$(Build.SourcesDirectory)'
    failCriteria: 'medium'
    skipBuildFail: 'false'
Prerequisites
- Docker Plugin for image pulling.

| Input Name | Description |
| --- | --- |
| token * | Carbonetes Personal Access Token. |
| scanType * | Choose: image, filesystem, or tarball. |
| scanName * | Input image name image:tag, filesystem directory path, or tarball file path. |
| failCriteria * | Severity threshold: the build fails when a vulnerability is found at or above the given severity (unknown, negligible, low, medium, high, critical). Default: medium. |
| skipBuildFail * | Default: false. Warning: if the value is true, the plugin is prevented from failing the build based on the analysis result. |
* = required inputs.
Output Description
| Table | Description |
| --- | --- |
| SBOM | Shows a list of packages. |
| Vulnerability Scan | Shows the list of vulnerabilities found. |
| Recommendation | Shows available recommendations to fix vulnerabilities. |
| Assessment | Pass/fail assessment based on the fail-criteria severity. |
Pipeline
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- task: Jacked@1
  inputs:
    token: ''                       # Personal Access Token
    scanType: 'image'               # Choose: image, filesystem, or tarball.
    scanName: 'carbonetes/broker'   # Input image:tag, filesystem directory path, or tarball file path.
    failCriteria: 'high'            # Fail the build when a finding's severity is equal to or above this threshold.
                                    # Severities: critical, high, medium, low, negligible, unknown.
    skipBuildFail: 'false'          # Default: false. If true, the build is not failed based on the assessment.
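The pipeline scripts on this page show `token` as an empty literal. The following is an added example, not part of the original page or the Jacked project: the tarball scan with the token supplied from a secret pipeline variable instead of being written into the YAML. The variable name `CARBONETES_TOKEN` is hypothetical, and writing the tar file to `$(Build.ArtifactStagingDirectory)` is a choice made for this example.

```yaml
# Added example. Assumes a secret pipeline variable named CARBONETES_TOKEN
# (hypothetical name) exists in the pipeline's Variables panel or in a
# variable group, with "Keep this value secret" enabled.
trigger:
- main
pool:
  vmImage: ubuntu-latest
steps:
- script: |
    set -euo pipefail   # stop the step if the pull or the save fails
    docker pull ubuntu:latest
    docker save ubuntu:latest -o "$(Build.ArtifactStagingDirectory)/ubuntu.tar"
  displayName: 'Pull and Save Docker Image'
- task: Jacked@1
  inputs:
    # Avoid: token: '<literal token committed to the repository>'
    # The macro below is expanded at run time and secret values are masked in logs.
    token: '$(CARBONETES_TOKEN)'
    scanType: 'tarball'
    scanName: '$(Build.ArtifactStagingDirectory)/ubuntu.tar'
    failCriteria: 'medium'
    # Keep false so findings at or above failCriteria fail the build.
    skipBuildFail: 'false'
```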
Support
For help with this task extension, or if you have an issue or feature request, please contact us: here
If reporting an issue, please include:
- the version of the task extension
- relevant logs and error messages
- steps to reproduce
License and Copyright
Licensed under MIT License.