Running Twistlock scans in your Codefresh pipelines

Twistlock is a container security platform with two primary components: a scanning service that validates images and a monitoring service that sits in your clusters. In this post, I’ll show you how to integrate with the image scanning capability using Twistlock Command Line Interface 2.3.98. This gives us a report of vulnerabilities along with their severity, and we can set a threshold at which the pipeline should stop based on the severity of the issues found.

Pre-requisites

  • Codefresh Subscription with Dedicated Infrastructure or Hybrid k8s.
    Twistlock needs to talk to the Docker daemon in order to send the Docker image to the Twistlock Console for scanning.
  • Twistlock Subscription

Using Docker-in-Docker in your pipeline YAML, we can send the pipeline’s Docker image out to the Twistlock Console with the images resource in twistcli and return the results to your pipeline.

Twistlock resource used:
images – Inspect container images for vulnerabilities and compliance issues


Vulnerability Information:

Scan your Docker image and its dependencies for vulnerabilities known to Twistlock. Expose the vulnerabilities, and information on available fixes, to your developers in CI.

Set VULNERABILITY_THRESHOLD [ low, medium, high, critical ] in your Codefresh pipeline to prevent vulnerabilities from being introduced into your application. Keep your Docker image secure and fail your pipelines before you merge vulnerabilities into your protected branches.

Compliance Information:

Examine your pipeline’s Docker image for violations against the internal and external compliance policies configured in Twistlock.

Set COMPLIANCE_THRESHOLD [ low, medium, high ] in your Codefresh pipeline to fail the build when your Docker image exceeds the configured compliance threshold, preventing code that is in violation from getting back into your default branches.


Security Report:

Generate a security report for your build, for later use, via the Twistlock API.

The report URL and the counts of vulnerabilities and compliance violations are annotated on your Docker image, giving traceability back to your Twistlock security report and additional information.

See the example YAML below to add Twistlock Scanning Build Step to your pipeline.

The only thing you need to do before adding the YAML to build steps is set the required options below.


Full List of Options:

ENVIRONMENT VARIABLE      DEFAULT   TYPE      REQUIRED  DESCRIPTION
CODEFRESH_CLI_KEY         null      string    Yes       https://g.codefresh.io/account/tokens
CONSOLE_HOSTNAME          null      string    Yes       hostname/ip
CONSOLE_PORT              null      string    Yes       port
CONSOLE_USERNAME          null      string    Yes       username
CONSOLE_PASSWORD          null      string    Yes       password
TLSCACERT                 null      string    No        CA cert; if provided, TLS will be used
HASH                      sha1      string    No        [ md5, sha1, sha256 ] hashing algorithm
DETAILS                   null      boolean   No        prints an itemized list of each vulnerability found by the scanner
INCLUDE_PACKAGE_FILES     null      boolean   No        lists all packages in the image
ONLY_FIXED                null      boolean   No        reports just the vulnerabilities that have fixes available
COMPLIANCE_THRESHOLD      null      string    No        [ low, medium, high ] sets the minimal severity compliance issue that returns a fail exit code
VULNERABILITY_THRESHOLD   null      string    No        [ low, medium, high, critical ] sets the minimal severity vulnerability that returns a fail exit code
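To make the threshold semantics from the table concrete, here is an added Python example (not the page’s twistlock-cli.py and not Twistlock’s code) that applies VULNERABILITY_THRESHOLD, COMPLIANCE_THRESHOLD and ONLY_FIXED to a set of findings and returns the fail exit code the table describes. The finding records and their placeholder ids are constructed assumptions standing in for parsed twistcli output, whose exact format this post does not show.

```python
import os

# Severity ladders, lowest to highest, exactly as the options table lists them.
VULN_LEVELS = ["low", "medium", "high", "critical"]
COMPLIANCE_LEVELS = ["low", "medium", "high"]

# Constructed findings standing in for parsed twistcli output (not real scan data).
SAMPLE_VULNS = [
    {"id": "CVE-PLACEHOLDER-1", "package": "libexample", "severity": "medium", "fix": "1.2.4"},
    {"id": "CVE-PLACEHOLDER-2", "package": "libexample", "severity": "high", "fix": None},
]
SAMPLE_COMPLIANCE = [
    {"id": "COMPLIANCE-PLACEHOLDER-1", "severity": "medium", "title": "image runs as root"},
]

def at_or_above(findings, threshold, levels):
    """Findings at or above `threshold`; an unset threshold (the 'null' default)
    never fails the build, and a value outside `levels` is a config error."""
    if not threshold:
        return []
    threshold = threshold.lower()
    if threshold not in levels:
        raise ValueError(f"threshold {threshold!r} must be one of {levels}")
    floor = levels.index(threshold)
    return [f for f in findings
            if f["severity"].lower() in levels
            and levels.index(f["severity"].lower()) >= floor]

def scan_exit_code(vulns, compliance, vuln_threshold, compliance_threshold,
                   only_fixed=False):
    """0 when neither threshold is crossed, 1 (the fail exit code) otherwise."""
    if only_fixed:  # ONLY_FIXED: count just the vulnerabilities that have a fix
        vulns = [v for v in vulns if v.get("fix")]
    failing = at_or_above(vulns, vuln_threshold, VULN_LEVELS)
    failing += at_or_above(compliance, compliance_threshold, COMPLIANCE_LEVELS)
    for f in failing:  # DETAILS-style itemized list for the pipeline log
        print(f"FAIL {f['severity']:<8} {f['id']}")
    return 1 if failing else 0

def gate_from_env(vulns=SAMPLE_VULNS, compliance=SAMPLE_COMPLIANCE):
    """Apply the step's environment variables, as the composition sets them."""
    return scan_exit_code(vulns, compliance,
                          os.environ.get("VULNERABILITY_THRESHOLD"),
                          os.environ.get("COMPLIANCE_THRESHOLD"),
                          only_fixed=os.environ.get("ONLY_FIXED", "").lower() == "true")

if __name__ == "__main__":
    raise SystemExit(gate_from_env())
```

Note that the high-severity sample vulnerability has no fix, so with ONLY_FIXED set a VULNERABILITY_THRESHOLD of high no longer fails the build.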

Codefresh build step to execute the Twistlock scan.
All ${{var}} variables must be defined as Codefresh build parameters.
codefresh.yml

version: '1.0'
steps:
  BuildingDockerImage: # This is an association example you can skip copying
    title: Building Docker Image
    type: build
    image_name: codefresh/demochat # Replace with your Docker image name
    working_directory: ./
    dockerfile: Dockerfile
    tag: '${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}'
  TwistlockScanImage:
    type: composition
    composition:
      version: '2'
      services:
        targetimage:
          image: ${{BuildingDockerImage}} # Must be the Docker build step name
          command: sh -c "exit 0"
          labels:
            build.image.id: ${{CF_BUILD_ID}} # Provides a lookup for the composition
    composition_candidates:
      scan_service:
        image: sctechdev/docker-twistcli:latest # Recommend replacing with current Twistlock Console version
        environment: # Add only the Environment Variables you need
          - CODEFRESH_CLI_KEY=${{CODEFRESH_CLI_KEY}} # Required
          - CONSOLE_HOSTNAME=${{CONSOLE_HOSTNAME}} # Required
          - CONSOLE_PORT=${{CONSOLE_PORT}} # Required
          - CONSOLE_USERNAME=${{CONSOLE_USERNAME}} # Required
          - CONSOLE_PASSWORD=${{CONSOLE_PASSWORD}} # Required
          - COMPLIANCE_THRESHOLD=${{COMPLIANCE_THRESHOLD}} # Optional Example
          - VULNERABILITY_THRESHOLD=${{VULNERABILITY_THRESHOLD}} # Optional Example
        command: python /twistlock-cli.py "docker inspect $$(docker inspect $$(docker ps -aqf label=build.image.id=${{CF_BUILD_ID}}) -f {{.Config.Image}}) -f {{.Id}} | sed 's/sha256://g'"
        depends_on:
          - targetimage
        volumes: # Volumes required to run DIND
          - /var/run/docker.sock:/var/run/docker.sock
          - /var/lib/docker:/var/lib/docker
    add_flow_volume_to_composition: true
    on_success: # Execute only once the step succeeded
      metadata: # Declare the metadata attribute
        set: # Specify the set operation
          - ${{BuildingDockerImage.imageId}}: # Select any number of target images
            - SECURITY_SCAN: true

    on_fail: # Execute only once the step failed
      metadata: # Declare the metadata attribute
        set: # Specify the set operation
          - ${{BuildingDockerImage.imageId}}: # Select any number of target images
            - SECURITY_SCAN: false


This is what your Docker image will show after a scan is performed. In this case, the scan succeeded.

If you’d like to get a trial of Twistlock to see how you can implement security and compliance scans in your Codefresh pipelines, visit: https://www.twistlock.com/get-twistlock/

Want more? We recorded an entire webinar with Twistlock and Steelcase on preventing vulnerabilities from escaping into production environments.

We called it “Introducing a Security Feedback Loop to your CI Pipelines”. 

Watch the webinar here

New to Codefresh? Get started with Codefresh by signing up for an account today!
