{"id":25552481,"url":"https://github.com/jenkinsci/xygeni-sensor-plugin","last_synced_at":"2025-04-11T22:11:46.314Z","repository":{"id":224688106,"uuid":"692208116","full_name":"jenkinsci/xygeni-sensor-plugin","owner":"jenkinsci","description":"Jenkins plugin for Xygeni - End to end software development and delivery security ","archived":false,"fork":false,"pushed_at":"2025-04-01T17:36:39.000Z","size":707,"stargazers_count":2,"open_issues_count":1,"forks_count":5,"subscribers_count":2,"default_branch":"main","last_synced_at":"2025-04-11T22:11:40.584Z","etag":null,"topics":["ci-cd-security","iac-security","secrets-scan","security","software-attestation","software-supply-chain-security"],"latest_commit_sha":null,"homepage":"https://xygeni.io/","language":"Java","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/jenkinsci.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2023-09-15T20:08:24.000Z","updated_at":"2025-04-04T04:18:56.000Z","dependencies_parsed_at":"2025-01-20T09:24:46.548Z","dependency_job_id":"784c2155-0499-4943-8b8e-e8c1a1194bcc","html_url":"https://github.com/jenkinsci/xygeni-sensor-plugin","commit_stats":null,"previous_names":["jenkinsci/xygeni-sensor-plugin"],"tags_count":7,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fxygeni-sensor-plugin","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fxygeni-sensor-plugin/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fxygeni-sensor-plugin/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/jenkinsci%2Fxygeni-sensor-plugin/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/jenkinsci","download_url":"https://codeload.github.com/jenkinsci/xygeni-sensor-plugin/tar.gz/refs/heads/main","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248487692,"owners_count":21112190,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["ci-cd-security","iac-security","secrets-scan","security","software-attestation","software-supply-chain-security"],"created_at":"2025-02-20T11:24:54.381Z","updated_at":"2025-04-11T22:11:46.298Z","avatar_url":"https://github.com/jenkinsci.png","language":"Java","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u0026emsp;\u0026emsp; ![Xygeni Logo](docs/images/xygenilogo.png)\n\n# Protect the integrity and security of your software assets, pipelines and infrastructure\n\n[Xygeni](https://xygeni.io/?utm_source=jenkins\u0026utm_medium=marketplace)  seamlessly evaluates the security posture of every asset of your Software Development Life Cycle (SDLC). It offers automated asset discovery and a comprehensive inventory, ensuring total transparency over your software projects. Cataloging all artifacts, resources, and dependencies aids in making informed decisions for asset protection and implementing preventive and mitigative strategies.\n\nStay proactive with Xygeni's integrated anomaly detection. This feature safeguards your business operations by identifying unusual patterns that indicate emerging threats. Our code tampering prevention ensures the integrity of critical pipelines and files, and enforces security and build procedures. Additionally, Xygeni allows you to proactively identify risky or suspicious user actions, providing automated real-time alerts.\n\n\n## Global and project security posture\n\nAssess the security posture of all of the components in your SDLC effortlessly using the automatic inventory and assessment capabilities of Xygeni.\n\n![Security Posture](docs/images/xygeni-sec-posture.png)\n\n\n## Prevention and remediation\n\nSystematically prevent and remediate risks everywhere in the Software Supply Chain, including open-source packages, pipelines, artifacts, runtime assets and infrastructure.\n\n![docs/images/xygeni-prevention.png](docs/images/xygeni-prevention.png)\n\n\n## Attack Detection\nIntegrating anomaly detection is a proactive measure to safeguard your business operations by identifying unusual patterns indicating emerging threats.\n\n![docs/images/xygeni-unusual-activity.png](docs/images/xygeni-unusual-activity.png)\n\n\n# Key features\nXygeni streamlines security processes, improves collaboration, and provides detailed reporting for effective software supply chain security management. It offers a range of essential features, including:\n\n- **Identifying and tracking all components in software projects** to enhance security visibility and control.\n- **Continuously scanning and assessing components and dependencies** for vulnerabilities and anomalies.\n- **Prioritizing and supporting teams in efficiently remediating** software supply chain issues. Offering remediation support capabilities and **integration with ticketing tools**.\n- Offering **advanced reporting capabilities** for tracking and monitoring changes and progress.\n\n\n# Pre-Requisites\nPlease note that to utilize this plugin, a license of Xygeni Platform is required. You can easily request your license on our contact page. Dive in and experience the next level of efficiency!\n\n# Contact us\nGet in touch today! [Book a demo](https://xygeni.io/book-a-demo?utm_source=jenkins\u0026utm_medium=marketplace) and let us know how we can help you.\n\n\nTable of contents\n=================\n\n* [Installing the Xygeni-Sensor plugin](#installing-the-plugin)\n  * [Set up credentials](#1-set-up-credentials)\n  * [Configure plugin settings](#2-configure-xygeni-sensor-plugin-settings-)\n* Xygeni pipeline-compatible Steps\n  * [Xygeni-Salt Custom Attestation](#xygeni-salt-custom-attestation)\n  * [Xygeni Salt SLSA Attestation Provenance Step](#xygeni-salt-slsa-step)\n\n\n# Installing the plugin\n\n### Requirements:\n- Java \u003e= 11\n- Jenkins \u003e= 2.387.2\n\n### 1. Set up credentials\n- In Jenkins, navigate to `Manage Jenkins \u003e Manage Credentials \u003e System \u003e Global Credentials \u003e Add Credentials`\n    * Select `Secret text` as Kind and fill out required information\n  ![Global Credentials](docs/images/global_credentials.png)\n\n### 2. Configure Xygeni Sensor plugin settings \n- In Jenkins, navigate to `Manage Jenkins \u003e Configure System \u003e Xygeni Sensor`,\n    * Set the `Xygeni Token Credential ID` (generated above).\n    * Set the `Xygeni API Url` (https://api.xygeni.io).\n    * Optionally click the `TestToken` button to check url connection and token validity.\n    * Click the `Save` button. \n    ![Xygeni Configuration](docs/images/xygeni-config.png)\n\n# Xygeni pipeline-compatible Steps\n\nThe Xygeni Sensor plugin adds some pipeline-compatible steps that help using the ``Software Attestations Layer for Trust (XygeniSalt)`` tool by Xygeni Security in the pipeline.\n\n## Xygeni-Salt Custom Attestation\nCreating and verifying software attestations is the core of the SALT framework. Attestations in SALT follow the in-toto Attestations Framework.\nGet more info at Xygeni Docs: https://docs.xygeni.io/xydocs/build_security/salt_cli.html#_generate_custom_attestation (Subscription required).\n\n![Custom attestation](docs/images/custom_attestation.png)\n\n### Init Step\nCreates the initial draft with initial information\n\n### Add Step\nAdds elements (material, subject, product or statement) to the current draft attestation.\n\n### Run Step\nRuns a command and adds an attestation predicate for the command execution.\n\n### Commit Step\nBuilds the final attestation as in-toto Statement, serializes it as JSON, signs it with the passed key material, creates an in-toto Envelope with the statement as payload, the signature and the reference for the signing key, and publishes it in the attestation registry.\n\n## Xygeni-Salt SLSA-Provenance Step\n\n### Pipeline Step for building a SLSA Provenance attestation\n\nSoftware attestations provide context (metadata) about artifacts like versions, origins (provenance) of the source code and its git repository plus branch / tag, the build process from which it was created, dependencies or security checks passed. The attestation is typically a signed document that gives software consumers a trusted context on the built artifacts. A common attestation format is SLSA provenance.\n\nThe Xygeni Sensor plugin adds a Post Build Step to generate [SLSA provenance attestations](https://slsa.dev/provenance/).\nThis step command will generate an slsa attestation provenance ``xygeni-salt-attestation.json`` in SLSA format and upload attestation to ``salt.xygeni.io`` server.\n\n### Job configuration - Pipeline project\n\n**Pipeline Syntax tool** could help to define ``xygeniSalt`` steps with their arguments. \n\n * The ``xygeniSaltAt(Init|Add|Run|Commit)``  steps could be invoked for generating custom SALT attestations. \n * The ``xygeniSaltSlsa`` post step could be invoked for generating SALT provenance. Build information for the registered attestation **subjects** (also known as software 'products' or 'artifacts') will be registered in the signed attestation.\n * The ``xygeniSaltVerify`` post step could run Salt verify command to perform post-build and attestation validations.\n\nPipeline syntax example:\n![Pipeline Syntax](docs/images/pipeline-syntax.png)\n\n### Step parameters\n\n#### Subjects \n\nSubjects could be provided explicitly as a list in the ``subjects`` property. Each item in the list is a map with a given ``name`` and a content, either a Docker image published in a remote registry as part of the build (``image: 'REGISTRY/IMAGE_NAME:TAG'``), a local file produced by the build as a packaged artifact (``file: 'path/to/file.zip'``), or a value (which could be a SHA digest of a given artifact, a base-64 encoded binary value, or a string representing the artifact (``value: 'sha:03afb3...1c24'``).\n\nAlternatively, subjects could be referenced by pattern using the ``artifactFilter`` pattern (an Ant-like pattern), which matches files in the workspace that will be used as subjects for the SLSA provenance attestation.\n\n#### Signer configuration\n\nThe ``key`` / ``publicKey`` parameters contain the key pair to use for signing the provenance file. The signature is done with the private key, and the public key is added to the signed attestation for verification by software consumers. The keys are provided as either PEM-encoded values (text format with key enclosed between ``-----BEGIN...-----`` and ``-----END ...-----`` delimiters). The PEM-encoded key could be provided also as a path to the key file relative to the workspace directory (prefix the path with ``file:`` prefix), or as an environment variable prefixed with ``env:``.\n\nAn optional X.509 certificate could be used for helping the software consumer to trust the signature, using the ``certificate`` parameter with a similar format.\n\nThe ``pkiFormat`` specifies the signature format (one of ``x509``, ``minisign``, ``ssh``, ``pkcs7`` or ``tuf``). Use ``x509`` as a good default.\n\nRemember to encrypt the signing private ``key`` with a strong password !\nFor the ``key-password``, create a Jenkins secret and use the secret name as value for the field.\n\nYou can use ``xygeniSalt keygen`` command option to generate and save signing keys to use in this attestation command.\n\n![xygenisalt-signer.png](docs/images/xygenisalt-signer.png)\n\n#### Keyless signatures\n\n\nTo use keyless signing, the --keyless option could be passed to the salt commit | provenance commands. An ephemeral keypair is generated, and an ephemeral X.509 certificate will be issued by the [SigStore Fulcio CA](https://docs.sigstore.dev/certificate_authority/overview/).\n\nTo authenticate the Jenkins build, Fulcio needs an OpenID Connect (OIDC) id token, as explained in [OIDC Usage in Fulcio](https://docs.sigstore.dev/certificate_authority/oidc-in-fulcio/). Such OIDC token could be generated using the Jenkins [OpenID Connect Provider plugin](https://plugins.jenkins.io/oidc-provider/). The claims to be included in the token for proper authentication with Fulcio CA are `iss`, the issuer (which should be set to `https://oauth2.sigstore.dev/auth`) and aud, the audience (which should be set to `sigstore`). The `sub`, subject is set by the plugin as the default URL of the Jenkins job, which is adequate as the \"identity\" of the signer in this context. See [Registering the identity provider](https://plugins.jenkins.io/oidc-provider/#plugin-content-registering-the-identity-provider) for further information.\n\nJobs running in Jenkins runners use the plugin's OIDC provider that authenticates the job and generates a short-lived OIDC ID token. The OIDC plugin will store the token either in an environment variable or in a CI/CD file, so the `xygeniSalt commit` or `xygeniSaltSlsa` commands will fetch it to use for authentication with Fulcio CA.The variable and the path are configured in the `conf/salt.yaml` file, and the default values are `SIGSTORE_ID_TOKEN` or `/var/run/sigstore/cosign/oidc-token` path, respectively.\n\nThe ephemeral certificate has a life of 10 minutes, and the event is registered in a transparency log. Verifiers of the attestation can check that the certificate was valid at the moment where the attestation was signed, and validate the certificate chain. The identity (the Jenkins build URI) will be registered as an URI field in the X509 certificate's SAN (Subject Alternative Name), so the verifier knows which Jenkins job created the attestation. For full details, read [Certificate Issuing Overview](https://docs.sigstore.dev/certificate_authority/certificate-issuing-overview/).\n\n#### Adding XygeniSalt-SLSA attestation provenance step to a Pipeline\n\n```\npost {\n    success {\n       \n        archiveArtifacts: 'target/*.jar, ouput/report*.html'\n    \n        withCredentials([string(credentialsId: 'slsa-key-pass', variable: 'KEY_PASS')]) {\n            xygeniSaltSlsa( \n              artifactFilter: 'target/*.jar', \n              subjects: [[\n                name:'build image', \n                image:'index.docker.io/my_org/my_image:latest']], \n              key:'my.key', \n              publicKey:'mypub.pem', \n              keyPassword:'$KEY_PASS', \n              pkiFormat: 'x509'        \n            )\n        }\n    }\n}\n```\n\n\n#### Adding XygeniSalt-Custom attestation steps to a Pipeline\n\n```\npipeline {\n    agent any\n\n    stages {\n        stage(\"Init\") {\n            steps {\n               xygeniSaltAtInit(\n                 materials: [[material: 'src/']]\n               )\n            }\n        }\n        stage('Add') {\n            steps {\n               xygeniSaltAtAdd(\n                 items: [[name: 'name', value: 'value']])\n            }\n        }\n        stage('Run') {\n            steps {\n               xygeniSaltAtRun(\n                 command: 'dir', \n                 items: [[name: 'name', value: 'value']],\n                 maxerr: 100, \n                 maxout: 100, \n                 step: 'mystep', \n                 timeout: 10)\n            }\n        }\n    }\n    post {\n        success {\n            withCredentials(\n              [string(credentialsId: 'OIDC_TOKEN', \n              variable: 'SIGSTORE_ID_TOKEN')]\n            ) {\n                xygeniSaltAtCommit(\n                  certs:[keyless:true],  \n                  outputOptions: [output: 'out.json', outputUnsigned: '-', prettyPrint: true])\n            }\n        }\n    }\n}\n\n```\n\n### Job configuration - Freestyle project\n\nThe plugin provides following actions:\n * `Build actions`\n   * **XygeniSaltAtInit** to Initialize a draft attestation \n   * **XygeniSaltAtAdd** to add an attestation predicate\n   * **XygeniSaltAtRun** to capture a build step\n * ```Post-build actions``` \n   * **XygeniSaltAtCommit** to sign and publish a draft attestation.\n   * **XygeniSaltSlsa** which will generate SLSA provenance attestations.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkinsci%2Fxygeni-sensor-plugin","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fjenkinsci%2Fxygeni-sensor-plugin","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fjenkinsci%2Fxygeni-sensor-plugin/lists"}