Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
# Orb support requires config version 2.1; earlier versions do not accept an orbs stanza.
version: 2.1
Add the `orbs` stanza below your version, invoking the orb:
# The key (`twistcli-scan`) is the local alias under which the orb's jobs and
# commands are referenced (e.g. `twistcli-scan/scan-image`); the value pins the
# orb namespace and version so a later release cannot change the scan silently.
orbs:
  twistcli-scan: twistlock/twistcli-scan@1.0.5
Use `twistcli-scan` elements in your existing workflows and jobs.
Opt in to the use of uncertified orbs on your organization's Security settings page.
# Example: build an image, persist it as a tar in a workspace, then scan it with
# the orb's scan-image job.
version: 2.1
orbs:
  # Local alias; the scan job below is referenced as twistcli/scan-image.
  twistcli: twistlock/twistcli-scan@1.0.5
jobs:
  docker-build-and-save:
    executor: twistcli/default
    steps:
      - checkout
      - run: docker build -t myrepo/myimage:tag .
      - run: mkdir -p workspace
      # The image is saved as a tar so the scan job can `docker load` it from
      # the workspace instead of rebuilding it.
      - run: docker save myrepo/myimage:tag -o workspace/image.tar
      - persist_to_workspace:
          root: workspace
          paths:
            - image.tar
workflows:
  scan-image:
    jobs:
      - docker-build-and-save
      - twistcli/scan-image:
          requires:
            - docker-build-and-save
          # Context supplying TL_USER, TL_PASS and TL_CONSOLE_URL, which the
          # job's credential parameters default to.
          context: tl_scan_context
          image: myrepo/myimage:tag
          # Must match the file persisted above; the workspace root
          # ("workspace") matches the job's default workspace-name.
          image-tar: image.tar
          # Critical vulnerabilities return a fail exit code; '' leaves the
          # compliance threshold unset.
          vuln-thresh: critical
          comp-thresh: ''
          only-fixed: true
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
tl_user | The Twistlock Console user with the CI User role | No | $TL_USER | string |
tl_pass | The Twistlock Console user's password | No | TL_PASS | env_var_name |
tl_console_url | The base URL for the console -- http://console.<my_company>.com:8083 -- without a trailing / | No | $TL_CONSOLE_URL | string |
vuln-thresh | Sets the minimum vulnerability severity that returns a fail exit code. Supported values are low, medium, high, and critical | No | '' | string |
comp-thresh | Sets the minimum compliance issue severity that returns a fail exit code. Supported values are low, medium, high, and critical | No | '' | string |
only-fixed | Whether to only report vulnerabilities with fixes available | No | false | boolean |
workspace-name | Name of the workspace the image tar was saved into (via `docker save`) so the orb can load and scan it | No | workspace | string |
image-tar | The name of the image tar file stored in the workspace -- defaults to image.tar | No | image.tar | string |
image | The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest | Yes | - | string |
Download the twistcli static binary from the Console
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
tl_user | The Twistlock Console user with the CI User role | Yes | - | string |
tl_pass | The Twistlock Console user's password | Yes | - | env_var_name |
tl_console_url | The base URL for the console -- http://console.<my_company>.com:8083 -- without a trailing / | Yes | - | string |
Load the image into the Executor machine from the tar file stashed in the Workspace
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
tl_image_tar | The name of the image tar file stored in the workspace | Yes | - | string |
tl_workspace_name | Name of the workspace the image tar was saved into (via `docker save`) so the orb can load and scan it | Yes | - | string |
Scan the container image with twistcli
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
tl_user | The Twistlock Console user with the CI User role | Yes | - | string |
tl_pass | The Twistlock Console user's password | Yes | - | env_var_name |
tl_console_url | The base URL for the console -- http://console.<my_company>.com:8083 -- without a trailing / | Yes | - | string |
tl_image | The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest | Yes | - | string |
tl_vuln_thresh | Sets the minimum vulnerability severity that returns a fail exit code. Supported values are low, medium, high, and critical | Yes | - | string |
tl_comp_thresh | Sets the minimum compliance issue severity that returns a fail exit code. Supported values are low, medium, high, and critical | Yes | - | string |
tl_only_fixed | Whether to only report vulnerabilities with fixes available | Yes | - | boolean |
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/ja/orbs/licensing
version: 2.1
# The scan-image job reads its Console credentials from the TL_USER, TL_PASS
# and TL_CONSOLE_URL environment variables by default; supply them through a
# CircleCI context rather than writing them into config.
description: >
  This orb is a wrapper for the Twistlock twistcli scanning tool.
  To use this orb, you must have a licensed Twistlock installation
  and credentials for a user with the CI User role in the Twistlock Console.
  For detailed usage information, see https://github.com/add-twistlock/twistcli-scan-image-orb
examples:
  docker-build-save-load-scan:
    # Build an image, persist it as a tar in a workspace, then scan it with
    # the orb's scan-image job.
    usage:
      version: 2.1
      orbs:
        # Local alias; the scan job below is referenced as twistcli/scan-image.
        twistcli: twistlock/twistcli-scan@1.0.5
      jobs:
        docker-build-and-save:
          executor: twistcli/default
          steps:
            - checkout
            - run: docker build -t myrepo/myimage:tag .
            - run: mkdir -p workspace
            # Saved as a tar so the scan job can `docker load` it from the workspace.
            - run: docker save myrepo/myimage:tag -o workspace/image.tar
            - persist_to_workspace:
                root: workspace
                paths:
                  - image.tar
      workflows:
        scan-image:
          jobs:
            - docker-build-and-save
            - twistcli/scan-image:
                requires:
                  - docker-build-and-save
                # Context supplying TL_USER, TL_PASS and TL_CONSOLE_URL, which
                # the job's credential parameters default to.
                context: tl_scan_context
                image: myrepo/myimage:tag
                # Must match the file persisted above; the workspace root
                # ("workspace") matches the job's default workspace-name.
                image-tar: image.tar
                # Critical vulnerabilities return a fail exit code; '' leaves
                # the compliance threshold unset.
                vuln-thresh: critical
                comp-thresh: ''
                only-fixed: true
executors:
  default:
    # NOTE(review): `machine: true` selects CircleCI's default machine image
    # rather than a pinned one, so the docker/curl versions used for the scan
    # can change between runs; pinning an explicit `image:` would make scans
    # reproducible — confirm against the images available to the account.
    machine: true
    working_directory: /tmp/twistlock-scan
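commands:
  install:
    description: Download the twistcli static binary from the Console
    parameters:
      tl_user:
        description: The Twistlock Console user with the CI User role
        type: string
      tl_pass:
        description: The Twistlock Console user's password
        type: env_var_name
      tl_console_url:
        description: The base URL for the console -- http://console.<my_company>.com:8083 -- without a trailing /
        type: string
    steps:
      - run:
          name: Download twistcli from the Console
          # --fail makes curl exit non-zero on an HTTP error (e.g. bad
          # credentials) instead of saving the error body as ./twistcli, which
          # the scan step would otherwise try to execute.
          # NOTE(review): -k disables TLS certificate verification, so the
          # Console's identity is not checked and the downloaded binary is not
          # verified against any checksum; drop -k once the Console certificate
          # chains to a CA the executor trusts. The credentials are passed on
          # the command line and are visible to other processes on the executor.
          command: |
            curl -k --fail --silent --show-error \
              -u "<<parameters.tl_user>>:${<<parameters.tl_pass>>}" \
              --output ./twistcli \
              "<<parameters.tl_console_url>>/api/v1/util/twistcli"
      # ./twistcli was created by the current user, so no sudo is needed.
      - run: chmod a+x ./twistcli
  load:
    description: Load the image into the Executor machine from the tar file stashed in the Workspace
    parameters:
      tl_image_tar:
        description: The name of the image tar file stored in the workspace
        type: string
      tl_workspace_name:
        description: Name of workspace to docker save the image into so it can be scanned by orb
        type: string
    steps:
      # The workspace is attached at the same relative path the tar was
      # persisted under, so the load path is <workspace>/<tar>.
      - attach_workspace:
          at: <<parameters.tl_workspace_name>>
      - run: docker load -i "<<parameters.tl_workspace_name>>/<<parameters.tl_image_tar>>"
  scan:
    description: Scan the container image with twistcli
    parameters:
      tl_user:
        description: The Twistlock Console user with the CI User role
        type: string
      tl_pass:
        description: The Twistlock Console user's password
        type: env_var_name
      tl_console_url:
        description: The base URL for the console -- http://console.<my_company>.com:8083 -- without a trailing /
        type: string
      tl_image:
        description: The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest
        type: string
      tl_vuln_thresh:
        description: Sets the minimum vulnerability severity that returns a fail exit code. Supported values are low, medium, high, and critical
        type: string
      tl_comp_thresh:
        description: Sets the minimum compliance issue severity that returns a fail exit code. Supported values are low, medium, high, and critical
        type: string
      tl_only_fixed:
        description: Whether to only report vulnerabilities with fixes available
        type: boolean
    steps:
      - run:
          name: Scan image with twistcli
          # Optional flags are collected as separate array elements so the
          # array can be expanded quoted; `if` blocks (rather than `[[ ]] &&`
          # chains) keep the step unambiguous under CircleCI's default
          # `bash -eo pipefail`. An empty threshold means the flag is omitted.
          # NOTE(review): the password is passed on the command line and is
          # visible to other processes on the executor; prefer an environment-
          # based credential if the installed twistcli supports one — confirm.
          command: |
            args=()
            if [[ -n "<<parameters.tl_vuln_thresh>>" ]]; then
              args+=( --vulnerability-threshold "<<parameters.tl_vuln_thresh>>" )
            fi
            if [[ -n "<<parameters.tl_comp_thresh>>" ]]; then
              args+=( --compliance-threshold "<<parameters.tl_comp_thresh>>" )
            fi
            if [[ "<<parameters.tl_only_fixed>>" == "true" ]]; then
              args+=( --only-fixed )
            fi
            ./twistcli images scan --details \
              -address "<<parameters.tl_console_url>>" \
              -u "<<parameters.tl_user>>" \
              -p "${<<parameters.tl_pass>>}" \
              "${args[@]}" \
              "<<parameters.tl_image>>"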
jobs:
  scan-image:
    executor: default
    parameters:
      # The `tl_*` defaults are shell expressions, not values: they are
      # substituted into the install/scan `run` steps and expanded there, so
      # the real values must be present in the job's environment (a context).
      tl_user:
        description: The Twistlock Console user with the CI User role
        type: string
        default: $TL_USER
      # env_var_name: the parameter carries the variable *name*; the commands
      # dereference it as ${TL_PASS}, so the password never appears in config.
      tl_pass:
        description: The Twistlock Console user's password
        type: env_var_name
        default: TL_PASS
      tl_console_url:
        description: The base URL for the console -- http://console.<my_company>.com:8083 -- without a trailing /
        type: string
        default: $TL_CONSOLE_URL
      # '' means no threshold flag is passed to twistcli.
      vuln-thresh:
        description: Sets the minimum vulnerability severity that returns a fail exit code. Supported values are low, medium, high, and critical
        type: string
        default: ''
      comp-thresh:
        description: Sets the minimum compliance issue severity that returns a fail exit code. Supported values are low, medium, high, and critical
        type: string
        default: ''
      only-fixed:
        description: Whether to only report vulnerabilities with fixes available
        type: boolean
        default: false
      # Must match the root the build job persisted the tar under.
      workspace-name:
        description: Name of workspace to docker save the image-tar into so it can be scanned by orb
        type: string
        default: workspace
      image-tar:
        description: The name of the image tar file stored in the workspace -- defaults to image.tar
        type: string
        default: image.tar
      # No default: the image name is the one required parameter.
      image:
        description: The name of the image to scan -- myimage or myorg/myimage or myorg/myimage:latest
        type: string
    steps:
      # Download the binary, load the image from the workspace, then scan it;
      # the job fails when twistcli returns a non-zero exit code.
      - install:
          tl_user: <<parameters.tl_user>>
          tl_pass: <<parameters.tl_pass>>
          tl_console_url: <<parameters.tl_console_url>>
      - load:
          tl_workspace_name: <<parameters.workspace-name>>
          tl_image_tar: <<parameters.image-tar>>
      - scan:
          tl_user: <<parameters.tl_user>>
          tl_pass: <<parameters.tl_pass>>
          tl_console_url: <<parameters.tl_console_url>>
          tl_vuln_thresh: <<parameters.vuln-thresh>>
          tl_comp_thresh: <<parameters.comp-thresh>>
          tl_only_fixed: <<parameters.only-fixed>>
          tl_image: <<parameters.image>>