Currently all the Jenkins servers, both master and nodes, have wide open internet access. Our security team is trying to narrow down the internet access on these servers by asking the Jenkins admin team to provide the DNS names/IPs that Jenkins is accessing. The biggest problem here is we don't know what public IPs it's accessing while building the code, and even if we're setting up a new build job, it goes out to get build-time dependencies and the build fails due to the firewall. Any idea what would be the best solution to tackle this issue?
- I hope you don't mean publicly accessible - wide open! What kind of dependencies are you using? [Maven Central](https://search.maven.org/) (via http://repo.maven.org) is where we retrieve 99% of our jars, the npmjs website from https://www.npmjs.org for our npm packages, Docker images from https://hub.docker.com/. Actually, we retrieve everything indirectly from a Nexus (https://help.sonatype.com/repomanager3) repository that caches everything and proxies those sites. That's one entry point and known endpoints; you should be able to go define a list pretty easily. – Ian W Jan 28 '20 at 10:15
- @IanW when building docker images we're concerned about the vulnerabilities when pulling from docker hub, that's one scenario. – chris Jan 28 '20 at 11:46
- The concern in your comment, while legitimate, has nothing to do with the questions raised in the question. Knowing where it came from has little to do with whether the content is vulnerable. Most vulnerabilities are legitimately in the code, not as a result of hacked packages, though I'd still strongly encourage you to pull from official, central repositories rather than random locations. – Ian W Jan 28 '20 at 20:01
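The comments above come down to two practical steps: make the Nexus proxy the single egress point, and hand the firewall team the list of destinations each Jenkins machine actually contacts. The script below is an added example, not from the question or any of the commenters, that works those two steps from an egress proxy's access log: it builds the per-machine destination list and flags any connection that did not go through Nexus, separating the public repositories named in the comments from hosts nobody has vetted. The log format, the `nexus.internal.example:8081` host and the log lines themselves are constructed assumptions, not real Jenkins output.

```python
import re
from collections import defaultdict

# Assumed hostname of the Nexus proxy; a placeholder, not a value from the question.
NEXUS_HOST = "nexus.internal.example"
# Public repositories named in the comments as the normal direct sources.
KNOWN_PUBLIC_REPOS = {"repo.maven.org", "www.npmjs.org", "hub.docker.com"}

# Constructed sample egress-proxy log (assumed "<ts> <source> CONNECT <host>:<port> <status>" shape).
SAMPLE_LOG = """\
2020-01-28T10:15:01Z jenkins-master CONNECT nexus.internal.example:8081 200
2020-01-28T10:15:02Z jenkins-node1 CONNECT repo.maven.org:443 200
2020-01-28T10:15:03Z jenkins-node1 CONNECT nexus.internal.example:8081 200
2020-01-28T10:15:04Z jenkins-node2 CONNECT cdn.example-random.net:443 200
2020-01-28T10:15:05Z jenkins-node2 CONNECT hub.docker.com:443 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+CONNECT\s+(?P<host>[^:\s]+):(?P<port>\d+)\s+(?P<status>\d{3})$"
)


def parse_egress_log(text):
    """Return one dict per well-formed log line; malformed lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            records.append(m.groupdict())
    return records


def egress_allowlist(records):
    """Distinct host:port per Jenkins machine, the list the firewall team is asking for."""
    out = defaultdict(set)
    for r in records:
        out[r["src"]].add(f"{r['host']}:{r['port']}")
    return {src: sorted(dests) for src, dests in out.items()}


def bypasses(records, proxy_host, known_public):
    """Destinations reached without going through the proxy, split into
    known public repositories and unknown hosts that need review before allowlisting."""
    known, unknown = set(), set()
    for r in records:
        if r["host"] == proxy_host:
            continue
        (known if r["host"] in known_public else unknown).add(r["host"])
    return sorted(known), sorted(unknown)


if __name__ == "__main__":
    recs = parse_egress_log(SAMPLE_LOG)
    print(egress_allowlist(recs))
    print(bypasses(recs, NEXUS_HOST, KNOWN_PUBLIC_REPOS))
```

Once every build tool's mirror setting points at Nexus, the unknown list should shrink to empty and the allowlist to the Nexus host alone; anything that keeps showing up is a job that still fetches directly.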