Using Tidelift with Jenkins
This article shows how to use the Tidelift CLI in a Jenkins pipeline to check catalog alignment during a build stage, so that any build which pulls in unapproved packages fails as part of the CI/CD process.
To get started, you will need:
1. A Tidelift Subscription account (Start your free trial)
2. A running Jenkins Server which can access Tidelift
With the appropriate configuration, Jenkins can use the Tidelift CLI to run a scan as part of your test runs. For each Tidelift project, you will create a project and an API key in Tidelift and store that key in the secrets infrastructure provided by your CI system; in this example, the built-in Jenkins credentials store is used. Next, you add build stages to your Jenkins pipeline that set the Tidelift API key, check out code from version control, download the Tidelift CLI, and analyze the packages with the Tidelift CLI.
1. Create a Project in Tidelift and generate an API key
After logging into the Tidelift Subscription dashboard, select Projects and select Track New Project. Enter the project name as it appears in version control. When prompted, select the Catalog to use or leave the default Organization Catalog.
Close the Upload manifest files dialog to skip manually uploading manifests.
Select the Projects actions and settings gear on the left navigation, select Get Project Key then select Create Project Key.
Select Create API Key next to your project.
Copy the CI/CD usage API_KEY and note the Organization-name/project-name.
In the above example:
- Organization-name: "Katz Education"
- project-name: my-bitbucket-project
2. Add Tidelift Project API Key to credentials store
NOTE: Always check with your Jenkins and security administrators to ensure you are following your company's policies for securing and storing secrets.
Next, set the Tidelift API key in the Jenkins credentials store. This can be done from the dashboard by selecting Manage Jenkins > Manage Credentials > Global > Add Credentials. Select Secret text from the Kind drop-down and set the credential Scope to Global per the Jenkins handbook. Note that a Global-scoped credential in the system store can be used by any job on that Jenkins controller; if the controller is shared with other teams, consider adding the credential to a Folder-level credentials store so only that folder's pipelines can read it. Next, paste the Tidelift project API key generated in Section 1 above into the Secret field. Give the credential an ID so it can be referenced from a Jenkinsfile, and optionally an identifying Description.
3. Add pipeline build stages to check alignment with Tidelift
In Jenkins, select the pipeline that will use the Tidelift CLI. Add stages to the Jenkins pipeline to set the Tidelift API key, check out code from version control, download the Tidelift CLI, and analyze the packages with the Tidelift CLI.
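The following declarative Jenkinsfile is an added example of those four stages; it is not code from the original article or from Tidelift. It assumes the Secret text credential from Section 2 was given the ID tidelift-api-key, that the organization and project names are the ones noted in Section 1, that the build agent is Linux with curl and sha256sum available, and that the CLI download URL, the TIDELIFT_* environment variables and the `tidelift alignment save --wait` command are as described in Tidelift's CLI documentation (check them against the current docs before use). The pinned SHA-256 value is a placeholder you must replace with the hash of a CLI binary you have vetted.

```groovy
// Added example Jenkinsfile (not from the original article or from Tidelift).
// Assumed: credential ID 'tidelift-api-key', org/project names from Section 1,
// Linux agent with curl + sha256sum, and the Tidelift CLI URL/command as
// documented by Tidelift. TIDELIFT_CLI_SHA256 is a placeholder to fill in.
pipeline {
    agent any

    environment {
        // Non-secret identifiers are safe in plain environment variables.
        TIDELIFT_ORGANIZATION = 'Katz Education'
        TIDELIFT_PROJECT      = 'my-bitbucket-project'
        // SHA-256 of the CLI binary you reviewed (placeholder, not a real hash).
        TIDELIFT_CLI_SHA256   = '<sha256-of-vetted-tidelift-binary>'
    }

    stages {
        stage('Checkout') {
            steps {
                // The manifests and lockfiles Tidelift scans must be in the workspace.
                checkout scm
            }
        }

        stage('Download Tidelift CLI') {
            steps {
                sh '''
                  set -eu
                  curl -fsSL https://download.tidelift.com/cli/tidelift -o tidelift
                  # Refuse to run a binary that differs from the one you vetted.
                  echo "${TIDELIFT_CLI_SHA256}  tidelift" | sha256sum -c -
                  chmod +x tidelift
                '''
            }
        }

        stage('Check alignment with Tidelift') {
            steps {
                // withCredentials injects the secret only for this block and masks it
                // in the console log. Do not echo TIDELIFT_API_KEY and do not put it
                // in the environment {} block, where it would be visible to every stage.
                withCredentials([string(credentialsId: 'tidelift-api-key',
                                        variable: 'TIDELIFT_API_KEY')]) {
                    // --wait blocks until Tidelift finishes the analysis and returns a
                    // non-zero exit status when unapproved packages are present, which
                    // fails this stage and therefore the build.
                    sh './tidelift alignment save --wait'
                }
            }
        }
    }
}
```

The secret is read from the credentials store at the point of use rather than being copied into the pipeline script, so it never appears in the Jenkinsfile, in version control, or (thanks to masking) in the build log. The checksum step is optional but recommended: a CI job that downloads and executes an unpinned binary on every run is itself a supply-chain risk, which is exactly what the alignment check is meant to reduce.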
Once the required stages have been added to the Jenkinsfile, select Save. Test the new pipeline configuration by selecting Build Now from the pipeline's dashboard.
Any unapproved packages included in the build will cause the alignment check, and therefore the build, to fail. The output includes a Tidelift link with more information and the actions a developer can take: either request approval for the new packages or switch to already-approved releases.