CircleCI

Scan for Vulnerabilities in the CircleCI Build Pipeline

The SUSE® Security CircleCI ORB triggers a vulnerability scan on an image in the CircleCI pipeline. The ORB is available in the CircleCI catalog and is also documented on the SUSE® Security GitHub page.

Deploy the SUSE® Security Allinone or Controller container if you haven’t already done so on a host reachable by the CircleCI ORB. Make a note of the IP address of the host where the Allinone or Controller is running.

The ORB supports two use cases:

  1. Triggering the scan to be performed outside the CirclCI infrastructure. The ORB contacts the SUSE® Security scanner, which then pulls the image from a registry to be scanned. Make sure the ORB has network connectivity to the host where the SUSE® Security Controller/Allinone is running.

  2. Dynamically launching a SUSE® Security controller and scanner on a temporary vm running on the CircleCI platform. After launching and auto-configuring, the scan be done on image in the build, and after completion the SUSE® Security deployment is stopped and removed. For this use case, please see the documentation on the CircleCI ORB for SUSE® Security.

In addition, make sure there is a SUSE® Security scanner container deployed and configured to connect to the Allinone or Controller. In 4.0 and later, the neuvector/scanner container must be deployed separate from the allinone or controller.

Create a Context in Your CircleCI App

context

Configure Settings

Configure the Environment Variables for Connecting to and Authenticating

settings

Add the SUSE® Security orb to Your Build config.yaml

version: 2.1
orbs:
  neuvector: neuvector/neuvector-orb@1.0.0
workflows:
  scan-image:
    jobs:
      - neuvector/scan-image:
          context: myContext
          registry_url: https://registry.hub.docker.com
          repository: alpine
          tag: "3.4"
          scan_layers: false
          high_vul_to_fail: 0
          medium_vul_to_fail: 3

The registry_url is the location to find the image to be scanned. Configure the repository name, tag, and if a layered scan should be performed. Add criteria for the build task to fail based on number of high or medium vulnerabilities detected.

Review the Results

The build task will pass or fail based on the criteria set. In either case you can review the full scan report. fail