Streamline your container workflow with Codefresh!

Running Twistlock scans in your Codefresh pipelines

Security-Testing | March 27, 2018

Twistlock is a container security platform with two primary components, a scanning service to validate images and a monitoring service that sits in your clusters. In this post, I’ll show you how to integrate with the image scanning capability using Twistlock Command Line Interface 2.3.98. This will give us a report of vulnerabilities along with their severity. We can set a threshold for when the pipeline shouldn’t continue based on the severity of the issues.

Pre-requisites

  • Codefresh Subscription with Dedicated Infrastructure or Hybrid k8s.
    Twistlock needs to talk with Docker to send Docker image to Twistlock Console for scanning.
  • Twistlock Subscription

Utilizing Docker-in-Docker in your pipeline YAML we can send the pipeline’s Docker image out to Twistlock Console using the images resource in twistcli and return results to your pipeline.

Twistlock resource used:
images – Inspect container images for vulnerabilities and compliance issues


Vulnerability Information:

Scan your Docker image and dependencies for vulnerabilities known to Twistlock.  Expose vulnerabilities to your developers and information on fixes in CI.

Set VULNERABILTY_THRESHOLD [ low, medium, high, critical ] in your Codefresh pipeline and prevent vulnerabilities from being introduced into your application.  Keep your Docker image secure and fail your pipelines before you merge vulnerabilities into your protected branches.

Compliance Information:

Examine your pipeline’s Docker image for violations against Internal and External Compliance configured in Twistlock.

Set COMPLIANCE_THRESHOLD [ low, medium, high ] in your Codefresh pipeline to fail your builds and prevent code that is in violation from getting back into your default branches when your Docker image exceeds the configured Compliance threshold.


Security Report:

Generate a Security report for your build to use later using Twistlock API.

The Report URL and Counts of Vulnerabilities and Compliance violations will be annotated your Docker image for traceability back to your Twistlock Security Report and additional information.  

See the example YAML below to add Twistlock Scanning Build Step to your pipeline.

The only thing you need to do before adding the YAML to build steps is set the required options below.

 

Full List of Options:

ENVIRONMENT VARIABLEDEFAULTTYPEREQUIREDDESCRIPTION
CODEFRESH_CLI_KEYnullstringYeshttps://g.codefresh.io/account/tokens
CONSOLE_HOSTNAMEnullstringYeshostname/ip
CONSOLE_PORTnullstringYesport
CONSOLE_USERNAMEnullstringYesusername
CONSOLE_PASSWORDnullstringYespassword
TLSCACERTnullstringNoCA Cert if provided TLS will be used
HASH[ sha1 ]stringNo[ md5, sha1, sha256 ] hashing algorithm
DETAILSnullbooleanNoprints an itemized list of each vulnerability found by the scanner
INCLUDE_PACKAGE_FILESnullbooleanNoList all packages in the image.
ONLY_FIXEDnullbooleanNoreports just the vulnerabilities that have fixes available
COMPLIANCE_THRESHOLDnullstringNo[ low, medium, high ] sets the minimal severity compliance issue that returns a fail exit code
VULNERABILITY_THRESHOLDnullstringNo[ low, medium, high, critical ] sets the minimal severity vulnerability that returns a fail exit code

Codefresh Build Step to execute Twistlock scan.
All ${{var}} variables must be put into Codefresh Build Parameters
codefresh.yml

 

This is what your Docker image will show after a scan is performed.  In this case, the scan succeeded.

If you’d like to get a trial of Twistlock to see how you can implement security and compliance scans in your Codefresh pipelines, visit: https://www.twistlock.com/get-twistlock/

Want more? We recorded an entire webinar with Twistlock and Steelcase on preventing vulnerabilities from escaping into production environments.

We called it “Introducing a Security Feedback Loop to your CI Pipelines”. 

Watch the webinar here

New to Codefresh? Get started with Codefresh by signing up for an account today!

About Dustin Van Buskirk

A Senior Solution Architect at Codefresh

Reader Interactions

Enjoy this article? Don't forget to share.

Comments

Your email address will not be published. Required fields are marked *

Follow me on Twitter