Running Twistlock scans in your Codefresh pipelines

Published in Codefresh Container Hub, Mar 30, 2018 (3 min read)

Twistlock is a container security platform with two primary components: a scanning service that validates images and a monitoring service that sits in your clusters. In this post, I’ll show you how to integrate with the image scanning capability using Twistlock Command Line Interface 2.3.98. This gives us a report of vulnerabilities along with their severity, and we can set a severity threshold above which the pipeline should not continue.

Pre-requisites

  • Codefresh Subscription with Dedicated Infrastructure or Hybrid k8s.
    Twistlock needs to talk to Docker in order to send the Docker image to the Twistlock Console for scanning.
  • Twistlock Subscription

Utilizing Docker-in-Docker in your pipeline YAML, we can send the pipeline’s Docker image to the Twistlock Console using the images resource in twistcli and return the results to your pipeline.

Twistlock resource used:
images – Inspect container images for vulnerabilities and compliance issues

Vulnerability Information:

Scan your Docker image and its dependencies for vulnerabilities known to Twistlock, and expose those vulnerabilities, along with information on fixes, to your developers in CI.

Set VULNERABILTY_THRESHOLD [ low, medium, high, critical ] in your Codefresh pipeline to prevent vulnerabilities from being introduced into your application: the pipeline fails before vulnerabilities of that severity or higher are merged into your protected branches, keeping your Docker image secure.

Compliance Information:

Examine your pipeline’s Docker image for violations of the internal and external compliance checks configured in Twistlock.

Set COMPLIANCE_THRESHOLD [ low, medium, high ] in your Codefresh pipeline to fail the build when your Docker image exceeds the configured compliance threshold, preventing code that is in violation from getting into your default branches.
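The threshold gate that the vulnerability and compliance sections above describe, as an added example that is not part of the original post or of the Codefresh build step: per-severity finding counts (which in a real step would be read from the twistcli scan report; the report format is not shown here and the counts are passed as arguments instead) are compared against a threshold name, and the step passes only if no finding is at or above the threshold.

```shell
#!/bin/sh
# Added example (not from the original post): severity-threshold gate for a
# Twistlock scan result. Counts are passed in as arguments (constructed input
# in the usage below) rather than parsed from a twistcli report.

# Map a severity name to a numeric rank so thresholds can be compared.
severity_rank() {
  case "$1" in
    low)      echo 1 ;;
    medium)   echo 2 ;;
    high)     echo 3 ;;
    critical) echo 4 ;;
    *) echo "unknown severity: $1" >&2; return 1 ;;
  esac
}

# Sum the findings whose severity is at or above the threshold.
# Usage: findings_at_or_above THRESHOLD LOW MEDIUM HIGH CRITICAL
findings_at_or_above() {
  threshold_rank=$(severity_rank "$1") || return 1
  total=0
  rank=1
  for count in "$2" "$3" "$4" "$5"; do
    if [ "$rank" -ge "$threshold_rank" ]; then
      total=$((total + count))
    fi
    rank=$((rank + 1))
  done
  echo "$total"
}

# Print "pass" or "fail" for a scan, given the threshold and per-severity counts.
# The same function serves VULNERABILTY_THRESHOLD (low..critical) and
# COMPLIANCE_THRESHOLD (low..high); a critical count of 0 is passed for the latter.
gate() {
  n=$(findings_at_or_above "$@") || return 1
  if [ "$n" -gt 0 ]; then
    echo "fail"
  else
    echo "pass"
  fi
}

# Constructed sample: threshold "medium" with 5 low, 1 medium, 0 high, 0 critical.
if [ "${1:-}" = "--demo" ]; then
  echo "vulnerability gate: $(gate medium 5 1 0 0)"   # fail (1 medium finding)
  echo "compliance gate:    $(gate high 2 3 0 0)"     # pass (nothing at high)
fi
```

In a pipeline step the decision is turned into an exit status, for example `[ "$(gate "$VULNERABILTY_THRESHOLD" "$low" "$medium" "$high" "$critical")" = pass ] || exit 1`, so that Codefresh stops the build.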

Security Report:

Generate a security report for your build, via the Twistlock API, for later use.

The report URL and the counts of vulnerabilities and compliance violations are annotated on your Docker image, giving traceability back to your Twistlock security report and additional information.

See the example YAML below to add the Twistlock scanning build step to your pipeline.

The only thing you need to do before adding the YAML to build steps is set the required options below.

Full List of Options:

codefresh.yml (Codefresh build step to execute the Twistlock scan; all ${{var}} variables must be set as Codefresh build parameters):

(Full code at https://codefresh.io/security-testing/running-twistlock-scans-codefresh-pipelines/)

This is what your Docker image will show after a scan is performed. In this case, the scan succeeded.

If you’d like to get a trial of Twistlock to see how you can implement security and compliance scans in your Codefresh pipelines, visit: https://www.twistlock.com/get-twistlock/

Want more? We recorded an entire webinar with Twistlock and Steelcase on preventing vulnerabilities from escaping into production environments.

We called it “Introducing a Security Feedback Loop to your CI Pipelines”.

Watch the webinar here

Originally published at codefresh.io on March 27, 2018.
