Twistlock is a container security platform with two primary components, a scanning service to validate images and a monitoring service that sits in your clusters. In this post, I’ll show you how to integrate with the image scanning capability using Twistlock Command Line Interface 2.3.98. This will give us a report of vulnerabilities along with their severity. We can set a threshold for when the pipeline shouldn’t continue based on the severity of the issues.
Pre-requisites
- Codefresh Subscription with Dedicated Infrastructure or Hybrid k8s. Twistlock needs to talk with Docker to send the Docker image to the Twistlock Console for scanning.
- Twistlock Subscription
Utilizing Docker-in-Docker in your pipeline YAML, we can send the pipeline's Docker image out to the Twistlock Console using the images resource in twistcli and return the results to your pipeline.
Twistlock resource used:
images – Inspect container images for vulnerabilities and compliance issues
Vulnerability Information:
Scan your Docker image and dependencies for vulnerabilities known to Twistlock. Expose vulnerabilities to your developers and information on fixes in CI.
Set VULNERABILITY_THRESHOLD [ low, medium, high, critical ] in your Codefresh pipeline to prevent vulnerabilities from being introduced into your application. Keep your Docker image secure and fail your pipelines before you merge vulnerabilities into your protected branches.
Compliance Information:
Examine your pipeline’s Docker image for violations against Internal and External Compliance configured in Twistlock.
Set COMPLIANCE_THRESHOLD [ low, medium, high ] in your Codefresh pipeline to fail your builds when your Docker image exceeds the configured Compliance threshold, preventing code that is in violation from getting back into your default branches.
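The threshold logic described for VULNERABILITY_THRESHOLD and COMPLIANCE_THRESHOLD above is easy to get subtly wrong (a threshold of "high" must also fail on "critical", and ONLY_FIXED changes what counts). The script below is an added example, not twistcli or the sctechdev/docker-twistcli image's own code: it applies those two thresholds and the ONLY_FIXED switch to a scan report and returns the non-zero exit code that would stop the pipeline. The report layout (a "vulnerabilities" list and a "compliance" list with a "severity" field each) is a constructed, simplified stand-in for real twistcli output, and the CVE identifiers in it are placeholders.

```python
"""Threshold gate for a Twistlock-style image scan report (added example).

Reads the same environment variables the post describes
(VULNERABILITY_THRESHOLD, COMPLIANCE_THRESHOLD, ONLY_FIXED) and decides
whether the build step should fail. The report schema is an assumption made
for illustration; the real twistcli JSON schema is not reproduced here.
"""
import json
import os
import sys

# Severity ladders as listed in the post's option table. A threshold names the
# minimal severity that turns into a failing exit code, so anything at that
# level or above counts.
VULN_SEVERITIES = ["low", "medium", "high", "critical"]
COMPLIANCE_SEVERITIES = ["low", "medium", "high"]

# Constructed sample report; CVE ids are placeholders, not real identifiers.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"cve": "CVE-EXAMPLE-0001", "severity": "medium", "package": "openssl", "fix": "1.1.1k"},
        {"cve": "CVE-EXAMPLE-0002", "severity": "high", "package": "libxml2", "fix": ""},
        {"cve": "CVE-EXAMPLE-0003", "severity": "low", "package": "bash", "fix": "5.0-6"},
    ],
    "compliance": [
        {"id": 41, "severity": "high", "title": "Image should not run as root"},
        {"id": 42, "severity": "medium", "title": "Private keys stored in image"},
    ],
})


def count_by_severity(findings, ladder, only_fixed=False):
    """Count findings per severity level; with only_fixed, skip findings
    that carry no fix version (mirrors the ONLY_FIXED option)."""
    counts = {level: 0 for level in ladder}
    for finding in findings:
        if only_fixed and not finding.get("fix"):
            continue
        severity = finding["severity"].lower()
        if severity in counts:
            counts[severity] += 1
    return counts


def exceeds_threshold(counts, ladder, threshold):
    """True if any finding sits at or above `threshold` on the ladder.
    An unset threshold never fails the build, matching the null defaults."""
    if not threshold:
        return False
    threshold = threshold.lower()
    if threshold not in ladder:
        raise ValueError(f"unknown threshold {threshold!r}; expected one of {ladder}")
    return any(counts[level] > 0 for level in ladder[ladder.index(threshold):])


def evaluate(report_json, vuln_threshold=None, compliance_threshold=None, only_fixed=False):
    """Return (exit_code, summary); exit_code 1 means the pipeline should stop."""
    report = json.loads(report_json)
    vulns = count_by_severity(report.get("vulnerabilities", []), VULN_SEVERITIES, only_fixed)
    comp = count_by_severity(report.get("compliance", []), COMPLIANCE_SEVERITIES)
    vuln_fail = exceeds_threshold(vulns, VULN_SEVERITIES, vuln_threshold)
    comp_fail = exceeds_threshold(comp, COMPLIANCE_SEVERITIES, compliance_threshold)
    summary = {
        "vulnerabilities": vulns,
        "compliance": comp,
        "vulnerability_fail": vuln_fail,
        "compliance_fail": comp_fail,
    }
    return (1 if (vuln_fail or comp_fail) else 0), summary


def main():
    # Pull the options from the environment the same way a pipeline step would.
    code, summary = evaluate(
        SAMPLE_REPORT,
        vuln_threshold=os.environ.get("VULNERABILITY_THRESHOLD"),
        compliance_threshold=os.environ.get("COMPLIANCE_THRESHOLD"),
        only_fixed=os.environ.get("ONLY_FIXED", "").lower() in ("1", "true", "yes"),
    )
    print(json.dumps(summary, indent=2))
    sys.exit(code)


if __name__ == "__main__":
    main()
```

Run it with `VULNERABILITY_THRESHOLD=high python gate.py` and it exits 1 because the sample has one high-severity finding; add `ONLY_FIXED=true` and it exits 0, since that finding has no fix version and is no longer counted. That second case is worth knowing before you enable ONLY_FIXED in a gate: it trades noise for silence on unfixable issues.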
Security Report:
Generate a Security report for your build to use later using Twistlock API.
The report URL and the counts of vulnerabilities and compliance violations will be annotated on your Docker image for traceability back to your Twistlock Security Report and additional information.
See the example YAML below to add Twistlock Scanning Build Step to your pipeline.
The only thing you need to do before adding the YAML to build steps is set the required options below.
Full List of Options:
ENVIRONMENT VARIABLE | DEFAULT | TYPE | REQUIRED | DESCRIPTION |
---|---|---|---|---|
CODEFRESH_CLI_KEY | null | string | Yes | https://g.codefresh.io/account/tokens |
CONSOLE_HOSTNAME | null | string | Yes | hostname/ip |
CONSOLE_PORT | null | string | Yes | port |
CONSOLE_USERNAME | null | string | Yes | username |
CONSOLE_PASSWORD | null | string | Yes | password |
TLSCACERT | null | string | No | CA certificate; if provided, TLS will be used |
HASH | [ sha1 ] | string | No | [ md5, sha1, sha256 ] hashing algorithm |
DETAILS | null | boolean | No | prints an itemized list of each vulnerability found by the scanner |
INCLUDE_PACKAGE_FILES | null | boolean | No | List all packages in the image. |
ONLY_FIXED | null | boolean | No | reports just the vulnerabilities that have fixes available |
COMPLIANCE_THRESHOLD | null | string | No | [ low, medium, high ] sets the minimal severity compliance issue that returns a fail exit code |
VULNERABILITY_THRESHOLD | null | string | No | [ low, medium, high, critical ] sets the minimal severity vulnerability that returns a fail exit code |
Codefresh Build Step to execute the Twistlock scan. All ${{var}} variables must be put into Codefresh Build Parameters.
codefresh.yml
```yaml
version: '1.0'
steps:
  BuildingDockerImage: # This is an association example you can skip copying
    title: Building Docker Image
    type: build
    image_name: codefresh/demochat # Replace with your Docker image name
    working_directory: ./
    dockerfile: Dockerfile
    tag: '${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}'
  TwistlockScanImage:
    type: composition
    composition:
      version: '2'
      services:
        targetimage:
          image: ${{BuildingDockerImage}} # Must be the Docker build step name
          command: sh -c "exit 0"
          labels:
            build.image.id: ${{CF_BUILD_ID}} # Provides a lookup for the composition
    composition_candidates:
      scan_service:
        image: sctechdev/docker-twistcli:latest # Recommend replacing with current Twistlock Console version
        environment: # Add only the Environment Variables you need
          - CODEFRESH_CLI_KEY=${{CODEFRESH_CLI_KEY}} # Required
          - CONSOLE_HOSTNAME=${{CONSOLE_HOSTNAME}} # Required
          - CONSOLE_PORT=${{CONSOLE_PORT}} # Required
          - CONSOLE_USERNAME=${{CONSOLE_USERNAME}} # Required
          - CONSOLE_PASSWORD=${{CONSOLE_PASSWORD}} # Required
          - COMPLIANCE_THRESHOLD=${{COMPLIANCE_THRESHOLD}} # Optional Example
          - VULNERABILITY_THRESHOLD=${{VULNERABILITY_THRESHOLD}} # Optional Example
        command: python /twistlock-cli.py "docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g'"
        depends_on:
          - targetimage
        volumes: # Volumes required to run DIND
          - /var/run/docker.sock:/var/run/docker.sock
          - /var/lib/docker:/var/lib/docker
    add_flow_volume_to_composition: true
    on_success: # Execute only once the step succeeded
      metadata: # Declare the metadata attribute
        set: # Specify the set operation
          - ${{BuildingDockerImage.imageId}}: # Select any number of target images
            - SECURITY_SCAN: true
    on_fail: # Execute only once the step failed
      metadata: # Declare the metadata attribute
        set: # Specify the set operation
          - ${{BuildingDockerImage.imageId}}: # Select any number of target images
            - SECURITY_SCAN: false
```
This is what your Docker image will show after a scan is performed. In this case, the scan succeeded.
If you’d like to get a trial of Twistlock to see how you can implement security and compliance scans in your Codefresh pipelines, visit: https://www.twistlock.com/get-twistlock/
Want more? We recorded an entire webinar with Twistlock and Steelcase on preventing vulnerabilities from escaping into production environments.
We called it “Introducing a Security Feedback Loop to your CI Pipelines”.
New to Codefresh? Get started with Codefresh by signing up for an account today!