
Running Twistlock scans in your Codefresh pipelines


Twistlock is a container security platform with two primary components, a scanning service to validate images and a monitoring service that sits in your clusters. In this post, I’ll show you how to integrate with the image scanning capability using Twistlock Command Line Interface 2.3.98. This will give us a report of vulnerabilities along with their severity. We can set a threshold for when the pipeline shouldn’t continue based on the severity of the issues.


  • Codefresh Subscription with Dedicated Infrastructure or Hybrid k8s
    (Twistlock needs to talk to Docker in order to send the Docker image to the Twistlock Console for scanning).
  • Twistlock Subscription

Using Docker-in-Docker in your pipeline YAML, we can send the pipeline’s Docker image to the Twistlock Console with the images resource of twistcli and return the results to your pipeline.

Twistlock resource used:
images – Inspect container images for vulnerabilities and compliance issues

Vulnerability Information:

Scan your Docker image and dependencies for vulnerabilities known to Twistlock.  Expose vulnerabilities to your developers and information on fixes in CI.

Set VULNERABILITY_THRESHOLD [ low, medium, high, critical ] in your Codefresh pipeline to prevent vulnerabilities from being introduced into your application.  Keep your Docker image secure and fail your pipelines before you merge vulnerabilities into your protected branches.

Compliance Information:

Examine your pipeline’s Docker image for violations against Internal and External Compliance configured in Twistlock.

Set COMPLIANCE_THRESHOLD [ low, medium, high ] in your Codefresh pipeline to fail your builds when your Docker image exceeds the configured compliance threshold, so that code in violation never makes it back into your default branches.

Security Report:

Generate a security report for your build, via the Twistlock API, for later use.

The report URL and the counts of vulnerabilities and compliance violations will be annotated on your Docker image, giving you traceability back to your Twistlock security report and its additional information.

See the example YAML below to add Twistlock Scanning Build Step to your pipeline.

The only thing you need to do before adding the YAML to build steps is set the required options below.


Full List of Options:

Option                   Default   Type     Required  Description
CODEFRESH_CLI_KEY        null      string   Yes
CONSOLE_HOSTNAME         null      string   Yes       hostname/ip
CONSOLE_PORT             null      string   Yes       port
CONSOLE_USERNAME         null      string   Yes       username
CONSOLE_PASSWORD         null      string   Yes       password
TLSCACERT                null      string   No        CA cert; if provided, TLS will be used
HASH                     sha1      string   No        [ md5, sha1, sha256 ] hashing algorithm
DETAILS                  null      boolean  No        Prints an itemized list of each vulnerability found by the scanner
INCLUDE_PACKAGE_FILES    null      boolean  No        Lists all packages in the image
ONLY_FIXED               null      boolean  No        Reports just the vulnerabilities that have fixes available
COMPLIANCE_THRESHOLD     null      string   No        [ low, medium, high ] sets the minimal severity compliance issue that returns a fail exit code
VULNERABILITY_THRESHOLD  null      string   No        [ low, medium, high, critical ] sets the minimal severity vulnerability that returns a fail exit code

Codefresh Build Step to execute the Twistlock scan.
All ${{var}} variables must be defined as Codefresh Build Parameters.
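As an added example that is not part of the original post or of Twistlock's own tooling, the shell function below turns the option names from the table above into a `twistcli images scan` invocation: it refuses threshold values the table does not list, switches to TLS only when TLSCACERT is set, and lets twistcli's exit code fail the step. The twistcli flag names are assumed from its images subcommand (confirm them with `twistcli images scan --help` for your version), and TWISTCLI is a hypothetical override so the composed command can be inspected with TWISTCLI=echo before it is wired into a pipeline.

```shell
#!/bin/sh
# Added example (not from the post): compose and run `twistcli images scan`
# from the CONSOLE_*, TLSCACERT, DETAILS, ONLY_FIXED, INCLUDE_PACKAGE_FILES,
# VULNERABILITY_THRESHOLD and COMPLIANCE_THRESHOLD variables of the post.
# Flag names are assumed; check `twistcli images scan --help` for your version.
# TWISTCLI (hypothetical, default "twistcli") names the binary to execute.

# Return 0 if $1 equals one of the remaining arguments, else 1.
in_list() {
  needle="$1"; shift
  for item in "$@"; do [ "$item" = "$needle" ] && return 0; done
  return 1
}

# Scan the image named in $1; returns twistcli's exit code, so a threshold
# breach (non-zero exit) fails the pipeline step that calls this function.
twistcli_scan() {
  image="$1"
  for req in CONSOLE_HOSTNAME CONSOLE_PORT CONSOLE_USERNAME CONSOLE_PASSWORD; do
    eval "val=\${$req}"
    [ -n "$val" ] || { echo "$req is required" >&2; return 1; }
  done
  # Reject threshold values outside the table's list rather than passing them
  # on: a typo would otherwise silently weaken or break the gate.
  if [ -n "$VULNERABILITY_THRESHOLD" ] && ! in_list "$VULNERABILITY_THRESHOLD" low medium high critical; then
    echo "VULNERABILITY_THRESHOLD must be low|medium|high|critical" >&2; return 1
  fi
  if [ -n "$COMPLIANCE_THRESHOLD" ] && ! in_list "$COMPLIANCE_THRESHOLD" low medium high; then
    echo "COMPLIANCE_THRESHOLD must be low|medium|high" >&2; return 1
  fi
  # TLS is used only when a CA certificate is provided, as the table states.
  if [ -n "$TLSCACERT" ]; then scheme=https; else scheme=http; fi
  # Build the argument list in the positional parameters to keep quoting safe.
  # The password lands in the process argv; keep CONSOLE_PASSWORD an encrypted
  # build parameter and do not echo the composed command in real pipeline logs.
  set -- images scan --address "$scheme://$CONSOLE_HOSTNAME:$CONSOLE_PORT" \
         --user "$CONSOLE_USERNAME" --password "$CONSOLE_PASSWORD"
  [ -n "$TLSCACERT" ] && set -- "$@" --tlscacert "$TLSCACERT"
  [ "$DETAILS" = true ] && set -- "$@" --details
  [ "$ONLY_FIXED" = true ] && set -- "$@" --only-fixed
  [ "$INCLUDE_PACKAGE_FILES" = true ] && set -- "$@" --include-package-files
  [ -n "$VULNERABILITY_THRESHOLD" ] && set -- "$@" --vulnerability-threshold "$VULNERABILITY_THRESHOLD"
  [ -n "$COMPLIANCE_THRESHOLD" ] && set -- "$@" --compliance-threshold "$COMPLIANCE_THRESHOLD"
  "${TWISTCLI:-twistcli}" "$@" "$image"
}
```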


This is what your Docker image will show after a scan is performed.  In this case, the scan succeeded.

If you’d like to get a trial of Twistlock to see how you can implement security and compliance scans in your Codefresh pipelines, visit:

Want more? We recorded an entire webinar with Twistlock and Steelcase on preventing vulnerabilities from escaping into production environments.

We called it “Introducing a Security Feedback Loop to your CI Pipelines”. 

Watch the webinar here


Dustin Van Buskirk

A Senior Solution Architect at Codefresh
