Skip to main content
Version: 5.3

Build Phase Image Scanning

CI/CD Build Phase Vulnerability Scanning

Scan for vulnerabilities during the build phase of the pipeline using plug-ins such as Jenkins, Azure Devops, Github Action, gitlab, Bamboo, and CircleCI, or use the REST API. NeuVector supports two types of build-phase scanning: registry and local. For registry scanning, the NeuVector controller and scanner must be able to connect to the registry to pull the image.

To trigger a build-phase scan, the plug-in (e.g. Jenkins) must be able to connect to the Controller or Allinone. Note: The default REST API port for plug-ins to call the scanner is 10443. This port must be exposed through the Allinone or Controller through a service in Kubernetes or a port map (e.g. - 10443:10443) in the Docker run or compose file.

Make sure there is a NeuVector scanner container deployed and properly configured to connect to the Allinone or Controller. In 4.0 and later, the neuvector/scanner container must be deployed separately from the allinone or controller, and is included in the sample deployment yaml files.

You can download the plug-in from the Jenkins Plug-in Manager. Other plug-ins are accessible through the catalogs of the build tool, or on the NeuVector github page. The Bamboo scanner is available at The CircleCI ORB is available at and through the CircleCI ORB catalog.

Local Build-Phase Scanning

For local scanning, the NeuVector scanner will try to scan the image on a local host (or a host reachable by the remote host docker command).

For Kubernetes or OpenShift-based local scanning, remove the commented-out section of the sample scanner deployment yaml file, shown in the Deploying NeuVector sections. The commented out section looks like this:

# Commented out sections are required only for local build-phase scanning
# value: tcp://
value: neuvector-svc-controller.neuvector
fieldPath: status.podIP
fieldPath: status.podIP
# volumeMounts:
# - mountPath: /var/run/docker.sock
# name: docker-sock
# readOnly: true
# volumes:
# - name: docker-sock
# hostPath:
# path: /var/run/docker.sock
restartPolicy: Always

For Docker-native local scanning, follow the instructions for Docker scanner deployments in the Docker Production deployments section for the scanner.

Local Build-Phase Scanning - Scanner Only (No Controller Required)

NeuVector supports standalone scanner deployments for local image scanning (which does not require a Controller). Certain plug-in's such as the CircleCI ORB have an option to dynamically deploy a scanner when a build job requires image scanning, then remove the scanner when the results are sent back through the ORB. These dynamic scanner deployments are automatically invoked through the plug-in if supported.

Please see the scanner section for more details on stand alone scanners.