Security Scanning

How to scan for vulnerabilities with Codefresh pipelines

Codefresh can integrate with any security scanning platform that scans source code or Docker images for vulnerabilities.

The integration can happen via a freestyle step as long as the scanning solution offers any of :

  • A Docker image with the scanner
  • A CLI (that can be packaged in a Docker image)
  • An API

Since all security solutions offer an API, Codefresh can essentially use any scanning solution via that interface.

Existing security integrations

Codefresh already offers Docker images for the following security platforms:

  1. Anchore
  2. Aqua Security
  3. Clair
  4. Twistlock

You can find more integrations as they are being added in the plugin directory.

Security scanning strategies

Because you can insert a scanning step anywhere in your pipeline, you have great flexibility on when a security scan is happening. Common strategies are.

  1. Scanning the source code before being packaged in a Container
  2. Scanning a container before it is being stored to a registry
  3. Scanning a container before being deployed to production
  4. A Combination of the above.

Here is an example pipeline that scans a Docker image with [Aqua]https://www.aquasec.com/ after being pushed to the internal Codefresh registry but before being promoted to the external Azure Registry.

Scanning a Helm release with Aqua

Scanning a Helm release with Aqua

This is the full pipeline definition:

codefresh.yml

version: '1.0'
stages:
  - prepare
  - build
  - test
  - push 
  - deploy
steps:
  main_clone:
    title: Cloning main repository...
    type: git-clone
    repo: '${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}'
    revision: '${{CF_REVISION}}'
    stage: prepare
  build:
    title: "Building Docker Image"
    type: "build"
    image_name: "${{CF_ACCOUNT}}/${{CF_REPO_NAME}}"
    tag: ${{CF_REVISION}}
    dockerfile: "Dockerfile"
    stage: "build"  
  AquaSecurityScan:
    title: 'Aqua Private scan'
    image: codefresh/cfstep-aqua
    stage: test
    environment:
      - 'AQUA_HOST=${{AQUA_HOST}}'
      - 'AQUA_PASSWORD=${{AQUA_PASSWORD}}'
      - 'AQUA_USERNAME=${{AQUA_USERNAME}}'
      - IMAGE=${{CF_ACCOUNT}}/${{CF_REPO_NAME}}
      - TAG=${{CF_REVISION}}
      - REGISTRY=codefresh
  push:
    title: "Pushing image to Azure registry"
    type: "push"
    stage: push
    image_name: "${{CF_ACCOUNT}}/${{CF_REPO_NAME}}"
    registry: "myazureregistry"
    candidate: "${{build}}"
    tags:
      - "${{CF_BRANCH_TAG_NORMALIZED}}"
      - "${{CF_REVISION}}"
      - "${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}"    

  createpullsecret:
    title: "Allowing cluster to pull Docker images"
    image: codefresh/cli
    stage: "deploy"  
    commands:
    - codefresh generate image-pull-secret --cluster 'mydemok8scluster' --registry myazureregistry 
  deploy:
    image: codefresh/cfstep-helm:2.12.0
    stage: deploy
    environment:
      - CHART_REF=deploy/helm/colors
      - RELEASE_NAME=color-coded
      - KUBE_CONTEXT=mydemok8scluster
      - CUSTOM_service.type=LoadBalancer
      - CUSTOM_deployment[0].track=release
      - CUSTOM_deployment[0].image.repository=registry3435454.azurecr.io/${{CF_REPO_OWNER}}/${{CF_REPO_NAME}}
      - CUSTOM_deployment[0].image.tag="${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}"
      - CUSTOM_deployment[0].image.version="${{CF_BRANCH_TAG_NORMALIZED}}-${{CF_SHORT_REVISION}}"
      - CUSTOM_deployment[0].image.pullSecret=codefresh-generated-registry3435454.azurecr.io-myazureregistry-default

The security scanning step is inserted after building the Docker image but before promoting the image to the Azure Docker registry.

Viewing Security reports

The easiest way to view security reports is to visit the portal/dashboard of the security platform that you are using

Snyk Security Analysis

Snyk Security Analysis

It is also possible however to attach Analysis Reports on Codefresh builds by using the test reporting feature.

  ArchiveClairReport:
  title: Upload Clair Report
  image: codefresh/cf-docker-test-reporting
  environment:
    - REPORT_DIR=reports
    - REPORT_INDEX_FILE=clair-scan.html

Here we attach the Clair Scan report to the build that created.

Attaching scanning results to a build

Attaching scanning results to a build

You can then click on the Test Report button and view the full report:

Clair security scan

Clair security scan

Security annotations

Security scan results are also a perfect candidate for adding extra metadata to your Docker images.

Security annotations

Security annotations

You can add any metadata such as the number of issues for each category or even the URL the full report. This allows you easily correlate docker images in Codefresh and security results of your scanning platform.