Project goal: Create a new Jenkins plugin to automate polling of image changes and security scans
Skills to study/improve: Java, Docker
Keeping Docker images up-to-date is important to keep systems patched from known security vulnerabilities. Today, there isn’t a good way to subscribe to public docker images and update any of your own that depend on them. When depending on public images, Jenkins users are faced with several less-than-ideal choices: Build at a time cadence or manually trigger their Docker image builds.
Today, a Dockerhub Notification Plugin exists which can help, but it requires a webhook. You can only use it if you own the images or the registry. The goal of this project is to be able to kick off your own Jenkins jobs when images that you don’t own change. For example, when debian:latest has an update, we want to detect when it changes by polling. The source registry should not matter. The ability to set default registry would be useful for seamless adoption by users running their own private registries.
Mechanically, we need to keep track of the image digests for a given docker image tag. If a digest change is detected between polling periods, we need to start a build. If we are successful, a plugin can be installed by Jenkins users that can be used in both freestyle jobs and Jenkinsfiles to trigger the respective jobs. Alternative approaches are possible and welcome as well.
Additional things that can be added is support for scanning target images for security vulnerabilities. Some organizations might only want update their child images if there are changes related to security. The work to track image digests can be used to scan a set of target images that are created and provide alerts if vulnerabilities are found. The Docker Traceability Plugin can be reused to provide a lot of the heavy lifting.