
neuvector/neuvector-orb@1.0.2

This orb is for NeuVector vulnerability scanning.
Created: July 11, 2019
Version Published: December 7, 2020
Releases: 3
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

version: 2.1

Add the orbs stanza below your version, invoking the orb:

orbs:
  neuvector-orb: neuvector/neuvector-orb@1.0.2

Use neuvector-orb elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

image-scan

Scan an image. The example below declares a build_image job that pulls an image and exports it with docker save, then three workflows: a scan of a public Docker Hub image, a scan of an image in a private registry (credentials come from the myContext context), and a scan of the locally saved tar file.

version: 2.1
orbs:
  neuvector: neuvector/neuvector-orb@1.0.2
jobs:
  build_image:
    docker:
      - image: docker:stable-git
    steps:
      - setup_remote_docker
      - checkout
      - run:
          name: build container
          command: |
            docker pull alpine:3.2
      - run:
          name: Save Docker image
          command: |
            rm -rf /tmp/neuvector/
            mkdir /tmp/neuvector/ -p
            docker save -o /tmp/neuvector/alpine-3.2.tar alpine:3.2
      - persist_to_workspace:
          root: /tmp/neuvector/
          paths:
            - ./
workflows:
  scan-image:
    jobs:
      - neuvector/scan-image:
          context: myContext
          registry_url: https://registry.hub.docker.com
          repository: library/alpine
          tag: 3.12.0
          scan_layers: false
          high_vul_to_fail: 0
          medium_vul_to_fail: 3
  scan-private-registry:
    jobs:
      - neuvector/scan-image:
          context: myContext
          registry_url: 127.100.12.157:5000
          registry_username: ${registry_username}
          registry_password: ${registry_password}
          repository: ci_demo_image
          tag: v1.2
          scan_layers: false
          high_vul_to_fail: 10
          medium_vul_to_fail: 30
  scan-local-image:
    jobs:
      - build_image
      - neuvector/scan-image:
          requires:
            - build_image
          context: myContext
          scan_local_image: true
          image_name: alpine
          image_tag: '3.2'
          path: /tmp/neuvector/
          image_tar_file: /tmp/neuvector/alpine-3.2.tar
          scan_layers: false
          high_vul_to_fail: 0
          medium_vul_to_fail: 3

Jobs

scan-image

PARAMETER            | DESCRIPTION                                                                        | REQUIRED | DEFAULT                  | TYPE
scan_local_image     | Scan an image that is already present on the same host                             | No       | false                    | boolean
image_tar_file       | Tar file exported from docker (docker save)                                        | Yes      | -                        | string
path                 | The absolute path where the tar file is stored                                     | Yes      | -                        | string
image_name           | Name of the image to be scanned                                                    | Yes      | -                        | string
image_tag            | Tag of the image to be scanned                                                     | Yes      | -                        | string
nv_registry_url      | Registry URL to pull the NeuVector Scanner image from                              | No       | ${nv_registry_url}       | string
nv_registry_username | Login user to pull the NeuVector Scanner image                                     | No       | ${nv_registry_username}  | string
nv_registry_password | Login password to pull the NeuVector Scanner image                                 | No       | ${nv_registry_password}  | string
nv_scanner_image     | The NeuVector Scanner image                                                        | No       | neuvector/scanner:latest | string
nv_license           | The NeuVector license                                                              | No       | $nv_license              | string
controller_ip        | The IP address of the Controller or Allinone host, or the service external IP      | No       | $controller_ip           | string
controller_port      | The port for the REST API                                                          | No       | $controller_port         | string
controller_username  | Username for a NeuVector admin                                                     | No       | $controller_username     | string
controller_password  | Password for a NeuVector admin                                                     | No       | $controller_password     | string
registry_url         | The full registry URL                                                              | No       | ''                       | string
registry_username    | The registry username                                                              | No       | ''                       | string
registry_password    | The registry password                                                              | No       | ''                       | string
repository           | The repository to scan                                                             | No       | ''                       | string
tag                  | Tag of the repository to scan                                                      | No       | ''                       | string
scan_layers          | Whether to scan individual image layers                                            | No       | false                    | boolean
high_vul_to_fail     | Minimum number of high vulnerabilities to fail the build (0 disables this check)   | No       | 0                        | integer
medium_vul_to_fail   | Minimum number of medium vulnerabilities to fail the build (0 disables this check) | No       | 0                        | integer
md_source            | Metadata source name                                                               | No       | CircleCI                 | string

Commands

load_image

Load image

PARAMETER      | DESCRIPTION                                              | REQUIRED | DEFAULT | TYPE
image_tar_file | The tar archive file that stores the image to be scanned | Yes      | -       | string
path           | The absolute path where the tar archive file is stored   | Yes      | -       | string

scan_on_dynamic

Run the NeuVector Scanner container on the build host

PARAMETER     | DESCRIPTION                                   | REQUIRED | DEFAULT | TYPE
registry      | The registry to pull the NeuVector Scanner from | Yes      | -       | string
username      | The registry's login user                     | Yes      | -       | string
password      | The registry's login password                 | Yes      | -       | string
scanner_image | NeuVector Scanner image                       | Yes      | -       | string
nv_license    | License for the NeuVector Scanner             | Yes      | -       | string
repository    | The repository to scan                        | Yes      | -       | string
tag           | Tag of the repository to scan                 | Yes      | -       | string

scan

Scan image

PARAMETER           | DESCRIPTION                              | REQUIRED | DEFAULT              | TYPE
controller_ip       | The IP address of NeuVector Scanner      | No       | $controller_ip       | string
controller_port     | The port to access NeuVector Scanner     | No       | $controller_port     | string
controller_username | Username to sign in to NeuVector Scanner | No       | $controller_username | string
controller_password | Password to sign in to NeuVector Scanner | No       | $controller_password | string
registry_url        | The full registry URL                    | No       | ''                   | string
registry_username   | The registry username                    | No       | ''                   | string
registry_password   | The registry password                    | No       | ''                   | string
repository          | The repository to scan                   | Yes      | -                    | string
tag                 | Tag of the repository to scan            | Yes      | -                    | string
scan_layers         | Whether to scan individual image layers  | No       | false                | boolean
md_source           | Source name recorded in the scan metadata | No       | ''                   | string
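The scan command drives a four-step REST exchange with the controller (POST /v1/auth for a token, GET /v1/scan/scanner until a scanner is registered, POST /v1/scan/repository until the 304 "still running" answers turn into a 200 with the report, then DELETE /v1/auth). The following Python client is an added example, not code from the orb or from NeuVector: it reproduces that exchange with an injectable transport so the flow can be run and tested offline. The endpoints, request bodies and status-code handling are taken from the orb source on this page; the transport signature and the FakeController are this example's own assumptions, and all names and findings in it are constructed.

```python
# Added example (not part of the neuvector-orb source): the controller exchange the
# orb's `scan` command performs with curl/jq, as a Python client with a pluggable
# transport. Endpoints, bodies and status semantics follow the orb source; the
# transport signature and FakeController are assumptions made for this example.
from typing import Callable, Dict, Optional, Tuple

# transport(method, path, headers, json_body) -> (http_status, parsed_json_body)
Transport = Callable[[str, str, Dict[str, str], Optional[dict]], Tuple[int, dict]]


class ScanError(Exception):
    """Raised where the orb's shell script would `exit 1`."""


def scan_repository(transport: Transport, controller_user: str, controller_password: str,
                    registry_url: str, repository: str, tag: str,
                    registry_user: str = "", registry_password: str = "",
                    scan_layers: bool = False, md_source: str = "CircleCI",
                    max_scanner_polls: int = 20,
                    sleep: Callable[[float], None] = lambda s: None) -> dict:
    """Authenticate, wait for a scanner, submit the scan, and always release the token."""
    # Step 1: POST /v1/auth; 401/404/405 are treated as bad credentials, as in the orb.
    status, body = transport("POST", "/v1/auth", {"Content-Type": "application/json"},
                             {"password": {"username": controller_user, "password": controller_password}})
    if status in (401, 404, 405):
        raise ScanError("Invalid credential of NeuVector controller.")
    if status != 200:
        raise ScanError(f"Failed to get token. Http status code: {status}.")
    headers = {"Content-Type": "application/json", "X-Auth-Token": body["token"]["token"]}
    try:
        # Step 2: GET /v1/scan/scanner until .scanners[] is non-empty, bounded at 20 polls.
        polls = 0
        while True:
            _, body = transport("GET", "/v1/scan/scanner", headers, None)
            polls += 1
            if body.get("scanners"):
                break
            if polls >= max_scanner_polls:
                raise ScanError("Neuvector Scanner is not available.")
            sleep(5)
        # Step 3: POST /v1/scan/repository; 304 means still running, so resubmit until 200.
        request = {"request": {
            "metadata": {"source": md_source},
            "registry": registry_url, "username": registry_user, "password": registry_password,
            "repository": repository, "tag": tag, "scan_layers": scan_layers}}
        while True:
            status, body = transport("POST", "/v1/scan/repository", headers, request)
            if status != 304:
                break
            sleep(5)
        if status != 200:
            raise ScanError(f"Scan failed. Http status code: {status}.")
        return body
    finally:
        # Step 4: DELETE /v1/auth. Unlike the orb this also runs on failure, so a failed
        # job does not leave a live session token behind on the controller.
        transport("DELETE", "/v1/auth", headers, None)


class FakeController:
    """Constructed offline stand-in for a controller (not the real NeuVector API)."""

    def __init__(self, scanner_ready_after: int = 2, scan_done_after: int = 1):
        self.scanner_polls = self.scan_submits = 0
        self.logged_out = False
        self.scanner_ready_after, self.scan_done_after = scanner_ready_after, scan_done_after

    def __call__(self, method, path, headers, body):
        if (method, path) == ("POST", "/v1/auth"):
            if body["password"] == {"username": "admin", "password": "constructed-secret"}:
                return 200, {"token": {"token": "constructed-token"}}
            return 401, {}
        if headers.get("X-Auth-Token") != "constructed-token":
            return 401, {}
        if (method, path) == ("GET", "/v1/scan/scanner"):
            self.scanner_polls += 1
            ready = self.scanner_polls > self.scanner_ready_after
            return 200, {"scanners": [{"id": "scanner-1"}] if ready else []}
        if (method, path) == ("POST", "/v1/scan/repository"):
            self.scan_submits += 1
            if self.scan_submits <= self.scan_done_after:
                return 304, {}
            return 200, {"report": {"vulnerabilities": [  # constructed finding, not a real CVE
                {"name": "CONSTRUCTED-0001", "severity": "High", "package_name": "libfoo"}]}}
        if (method, path) == ("DELETE", "/v1/auth"):
            self.logged_out = True
            return 200, {}
        return 404, {}


def demo() -> dict:
    """Drive the client against the fake controller and summarise what happened."""
    controller = FakeController()
    report = scan_repository(controller, "admin", "constructed-secret",
                             "https://registry.hub.docker.com", "library/alpine", "3.12.0")
    try:
        scan_repository(FakeController(), "admin", "wrong-password",
                        "https://registry.hub.docker.com", "library/alpine", "3.12.0")
        bad_credential_error = ""
    except ScanError as exc:
        bad_credential_error = str(exc)
    return {"high_findings": sum(1 for v in report["report"]["vulnerabilities"] if v["severity"] == "High"),
            "scanner_polls": controller.scanner_polls, "scan_submits": controller.scan_submits,
            "logged_out": controller.logged_out, "bad_credential_error": bad_credential_error}


if __name__ == "__main__":
    print(demo())
```

For a real controller, the transport would be a thin wrapper over http.client or requests and sleep would be time.sleep. Two points differ deliberately from the orb's script: the token is released in a finally block so failed jobs do not leave sessions open, and a real transport should verify the controller's TLS certificate rather than reproduce the script's curl -k, since the request carries admin credentials and the registry password.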

report

Print the report


checkpoint

Pass or fail based on criteria

PARAMETER          | DESCRIPTION                                                                        | REQUIRED | DEFAULT | TYPE
high_vul_to_fail   | Minimum number of high vulnerabilities to fail the build (0 disables this check)   | No       | 0       | integer
medium_vul_to_fail | Minimum number of medium vulnerabilities to fail the build (0 disables this check) | No       | 0       | integer
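The report command groups the findings in nvreport/scan_repository.json by package name, and checkpoint counts entries whose severity is exactly High or Medium and fails the build when a count reaches its threshold, with a threshold of 0 meaning that criterion is never applied. The following Python is an added example, not code from the orb: it reimplements both commands over a constructed report so the threshold semantics can be checked without jq. The report layout (.report.vulnerabilities[] with name, severity and package_name) is the one the orb's jq filters read; the sample findings are constructed, not real vulnerabilities.

```python
# Added example (not part of the neuvector-orb source): the orb's `report` and
# `checkpoint` logic in Python over a constructed scan_repository.json, so the
# threshold semantics can be exercised offline. Sample findings are constructed.
import json
from collections import Counter, defaultdict

# Constructed stand-in for ./nvreport/scan_repository.json; names are placeholders.
SAMPLE_REPORT_JSON = json.dumps({"report": {"vulnerabilities": [
    {"name": "CONSTRUCTED-0001", "severity": "High", "package_name": "libfoo"},
    {"name": "CONSTRUCTED-0002", "severity": "Medium", "package_name": "libfoo"},
    {"name": "CONSTRUCTED-0003", "severity": "Medium", "package_name": "libbar"},
    {"name": "CONSTRUCTED-0004", "severity": "Medium", "package_name": "libbar"},
    {"name": "CONSTRUCTED-0005", "severity": "Low", "package_name": "libbaz"},
]}})


def load_report(text: str) -> list:
    """Return .report.vulnerabilities, the array every orb filter starts from."""
    return json.loads(text)["report"]["vulnerabilities"]


def count_by_severity(vulns: list) -> Counter:
    """Exact-string match on .severity, as the orb's jq select() does."""
    return Counter(v["severity"] for v in vulns)


def group_by_package(vulns: list) -> list:
    """Same shape as the orb's jq group_by(.package_name) output, sorted by package."""
    groups = defaultdict(list)
    for v in vulns:
        groups[v["package_name"]].append(v["name"])
    return [{"package_name": p, "vuln_name": names} for p, names in sorted(groups.items())]


def checkpoint(vulns: list, high_vul_to_fail: int = 0, medium_vul_to_fail: int = 0) -> tuple:
    """Mirror the orb: a threshold of 0 disables that criterion; otherwise fail when found >= threshold."""
    counts = count_by_severity(vulns)
    high, medium = counts.get("High", 0), counts.get("Medium", 0)
    if high_vul_to_fail != 0 and high >= high_vul_to_fail:
        return False, f"Fail: {high} high vulnerabilities found, threshold {high_vul_to_fail}."
    if medium_vul_to_fail != 0 and medium >= medium_vul_to_fail:
        return False, f"Fail: {medium} medium vulnerabilities found, threshold {medium_vul_to_fail}."
    return True, "Pass the criteria check."


if __name__ == "__main__":
    findings = load_report(SAMPLE_REPORT_JSON)
    print(json.dumps(group_by_package(findings), indent=2))
    for thresholds in ((0, 0), (0, 3), (2, 0)):
        print(thresholds, checkpoint(findings, *thresholds))
```

Two consequences of the orb's logic are visible here: with the default thresholds (0, 0) the checkpoint passes whatever the scanner found, so a pipeline that is meant to gate on findings must set at least one threshold explicitly, and any finding whose severity string is not exactly High or Medium is not counted at all.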

Executors

default: the CircleCI machine executor (machine: true), used by the scan-image job.

Orb Source

# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  This orb is for NeuVector vulnerability scanning.
display:
  home_url: https://neuvector.com/
  source_url: https://github.com/neuvector/circleci-orb/
examples:
  image-scan:
    description: Scan a image
    usage:
      version: 2.1
      orbs:
        neuvector: neuvector/neuvector-orb@1.0.2
      jobs:
        build_image:
          docker:
            - image: docker:stable-git
          steps:
            - setup_remote_docker
            - checkout
            - run:
                name: build container
                command: |
                  docker pull alpine:3.2
            - run:
                name: Save Docker image
                command: |
                  rm -rf /tmp/neuvector/
                  mkdir /tmp/neuvector/ -p
                  docker save -o /tmp/neuvector/alpine-3.2.tar alpine:3.2
            - persist_to_workspace:
                root: /tmp/neuvector/
                paths:
                  - ./
      workflows:
        scan-image:
          jobs:
            - neuvector/scan-image:
                context: myContext
                registry_url: https://registry.hub.docker.com
                repository: library/alpine
                tag: "3.12.0"
                scan_layers: false
                high_vul_to_fail: 0
                medium_vul_to_fail: 3
        scan-private-registry:
          jobs:
            - neuvector/scan-image:
                context: myContext
                registry_url: 127.100.12.157:5000
                registry_username: ${registry_username}
                registry_password: ${registry_password}
                repository: ci_demo_image
                tag: "v1.2"
                scan_layers: false
                high_vul_to_fail: 10
                medium_vul_to_fail: 30
        scan-local-image:
          jobs:
            - build_image
            - neuvector/scan-image:
                requires:
                  - build_image
                context: myContext
                scan_local_image: true
                image_name: alpine
                image_tag: "3.2"
                path: "/tmp/neuvector/"
                image_tar_file: /tmp/neuvector/alpine-3.2.tar
                scan_layers: false
                high_vul_to_fail: 0
                medium_vul_to_fail: 3
executors:
  default:
    machine: true
commands:
  load_image:
    description: Load image
    parameters:
      image_tar_file:
        description: The tar archive file that stores the to-be-scan image
        type: string
      path:
        description: The absolute path to store the tar archive file
        type: string
    steps:
      - run:
          name: Load the to-be-scan image from the attached tar archive file
          command: |
            docker load -i <<parameters.path>><<parameters.image_tar_file>>
  scan_on_dynamic:
    description: run NeuVector Scanner
    parameters:
      registry:
        description: The registry to pull NeuVector Scanner
        type: string
      username:
        description: The registry's login user
        type: string
      password:
        description: The registry's login password
        type: string
      scanner_image:
        description: Neuvector Scanner image
        type: string
      nv_license:
        description: License for NeuVector Scanner
        type: string
      repository:
        description: The repository to scan
        type: string
      tag:
        description: Tag of the repository to scan
        type: string
    steps:
      - run:
          name: Start up Neuvector Scanner
          command: |
            echo "<<parameters.password>>" | docker login --username "<<parameters.username>>" <<parameters.registry>> --password-stdin
            docker run --name neuvector.scanner --rm -e SCANNER_REPOSITORY=<<parameters.repository>> -e SCANNER_TAG=<<parameters.tag>> -e SCANNER_LICENSE=<<parameters.nv_license>> -v /var/run/docker.sock:/var/run/docker.sock -v /var/neuvector:/var/neuvector '<<parameters.scanner_image>>'
            mkdir nvreport
            cp /var/neuvector/scan_result.json ./nvreport/scan_repository.json
  scan:
    description: Scan image
    parameters:
      controller_ip:
        description: The IP address of NeuVector Scanner
        type: string
        default: $controller_ip
      controller_port:
        description: The port to access NeuVector Scanner
        type: string
        default: $controller_port
      controller_username:
        description: Username to sign in NeuVector Scanner
        type: string
        default: $controller_username
      controller_password:
        description: Password to sign in NeuVector Scanner
        type: string
        default: $controller_password
      registry_url:
        description: The registry URL full path
        type: string
        default: ''
      registry_username:
        description: The registry Username
        type: string
        default: ''
      registry_password:
        description: The registry password
        type: string
        default: ''
      repository:
        description: The repository to scan
        type: string
      tag:
        description: Tag of the repository to scan
        type: string
      scan_layers:
        description: Scan layer
        type: boolean
        default: false
      md_source:
        description: Source name
        type: string
        default: ''
    steps:
      - run:
          name: Scan Image
          command: |
            mkdir nvtemp
            mkdir nvreport
            curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -d '{"password": {"username": "'<<parameters.controller_username>>'", "password": "'<<parameters.controller_password>>'"}}' "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/auth" > ./nvtemp/tokenResponse
            HTTP_STATUS=$(cat ./nvtemp/tokenResponse | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
            if [ "$HTTP_STATUS" == "200" ]; then
              cat ./nvtemp/tokenResponse | sed -e 's/HTTPSTATUS\:.*//g' > ./nvtemp/token.json
            elif [ "$HTTP_STATUS" == "401" -o "$HTTP_STATUS" == "404" -o "$HTTP_STATUS" == "405" ]; then
              echo Invalid credential of NeuVector controller.
              exit 1
            else
              echo Failed to get token. Http status code: $HTTP_STATUS.
              exit 1
            fi
            curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/scanner" > ./nvtemp/scannerResponse
            _status_=$(cat ./nvtemp/scannerResponse | sed -e 's/HTTPSTATUS\:.*//g' | jq .scanners[])
            _counter_="0"
            while [ -z "$_status_" -a "$_counter_" != "20" ]; do
              _counter_=$((( _counter_ + 1 )))
              sleep 5
              curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/scanner" > ./nvtemp/scannerResponse
              _status_=$(cat ./nvtemp/scannerResponse | sed -e 's/HTTPSTATUS\:.*//g' | jq .scanners[])
            done
            if [ "$_counter_" = "20" ]; then
              echo Neuvector Scanner is not available.
              exit 1
            fi
            curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" -d '{"request": { "metadata":{"source": "'<<parameters.md_source>>'", "user": "${CIRCLE_PROJECT_USERNAME}", "job": "${CIRCLE_PROJECT_REPONAME} ", "workspace": "${CIRCLE_WORKING_DIRECTORY}"}, "registry": "'<<parameters.registry_url>>'", "username": "'<<parameters.registry_username>>'", "password": "'<<parameters.registry_password>>'", "repository": "'<<parameters.repository>>'", "tag": "'<<parameters.tag>>'", "scan_layers": <<parameters.scan_layers>>}}' "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/repository" > ./nvtemp/scanResponse
            HTTP_STATUS=$(cat ./nvtemp/scanResponse | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
            while [ "$HTTP_STATUS" == "304" ]; do
              curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" -d '{"request": { "metadata":{"source": "'<<parameters.md_source>>'", "user": "${CIRCLE_PROJECT_USERNAME}", "job": "${CIRCLE_PROJECT_REPONAME} ", "workspace": "${CIRCLE_WORKING_DIRECTORY}"}, "registry": "'<<parameters.registry_url>>'", "username": "'<<parameters.registry_username>>'", "password": "'<<parameters.registry_password>>'", "repository": "'<<parameters.repository>>'", "tag": "'<<parameters.tag>>'", "scan_layers": <<parameters.scan_layers>>}}' "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/repository" > ./nvtemp/scanResponse
              HTTP_STATUS=$(cat ./nvtemp/scanResponse | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
            done
            if [ "$HTTP_STATUS" == "200" ]; then
              cat ./nvtemp/scanResponse | sed -e 's/HTTPSTATUS\:.*//g' > ./nvreport/scan_repository.json
              echo Scan successfully.
            else
              echo Scan failed. Http status code: $HTTP_STATUS.
              exit 1
            fi
            curl -k -X "DELETE" -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/auth"
  report:
    description: Print the report
    steps:
      - run:
          name: Short report
          command: |
            VUL_NUM=$(cat ./nvreport/scan_repository.json | jq '.report.vulnerabilities | length')
            if [ "$VUL_NUM" -eq 0 ]; then
              echo No vulnerabilities found.
            else
              echo Total number of vulnerabilities: $VUL_NUM, grouped by package name with vulnerability name.
              jq '[.report.vulnerabilities | group_by(.package_name) | .[] | {package_name: .[0].package_name, vuln_name: [.[].name]}]' ./nvreport/scan_repository.json
            fi
      - run:
          name: Full report
          command: |
            echo Full report in json.
            cat ./nvreport/scan_repository.json | jq .
  checkpoint:
    description: Pass or fail based on criteria
    parameters:
      high_vul_to_fail:
        description: Minimum number of high vulnerabilities to fail the build
        type: integer
        default: 0
      medium_vul_to_fail:
        description: Minimum number of medium vulnerabilities to fail the build
        type: integer
        default: 0
    steps:
      - run:
          name: Check criteria
          command: |
            FOUND_HIGH=$(cat ./nvreport/scan_repository.json | jq '.report.vulnerabilities[] | select(.severity == "High") | .severity' | wc -l)
            FOUND_MEDIUM=$(cat ./nvreport/scan_repository.json | jq '.report.vulnerabilities[] | select(.severity == "Medium") | .severity' | wc -l)
            echo Criteria high_vul_to_fail: <<parameters.high_vul_to_fail>>, medium_vul_to_fail: <<parameters.medium_vul_to_fail>>.
            echo Found high vulnerabilities: $FOUND_HIGH, found medium vulnerabilities: $FOUND_MEDIUM.
            if [ <<parameters.high_vul_to_fail>> -ne 0 -a "$FOUND_HIGH" -ge <<parameters.high_vul_to_fail>> ]; then
              echo Fail due to high vulnerabilities found meets the criteria.
              exit 1
            elif [ <<parameters.medium_vul_to_fail>> -ne 0 -a "$FOUND_MEDIUM" -ge <<parameters.medium_vul_to_fail>> ]; then
              echo Fail due to medium vulnerabilities found meets the criteria.
              exit 1
            else
              echo Pass the criteria check.
            fi
jobs:
  scan-image:
    executor: default
    parameters:
      scan_local_image:
        description: To scan the image on the same host
        type: boolean
        default: false
      image_tar_file:
        description: Tar file exported from docker running container
        type: string
      path:
        description: The absolute path to store the tar file
        type: string
      image_name:
        description: Name of the image to be scanned
        type: string
      image_tag:
        description: Tag of the image to be scanned
        type: string
      nv_registry_url:
        description: Registry URL to pull NeuVector Scanner Image
        type: string
        default: ${nv_registry_url}
      nv_registry_username:
        description: Login user to pull NeuVector Scanner Image
        type: string
        default: ${nv_registry_username}
      nv_registry_password:
        description: Login password pull NeuVector Scanner Image
        type: string
        default: ${nv_registry_password}
      nv_scanner_image:
        description: The Neuvector Scanner image
        type: string
        default: "neuvector/scanner:latest"
      nv_license:
        description: The Neuvector license
        type: string
        default: $nv_license
      controller_ip:
        description: The IP address of the Controller or Allinone host or service external ip
        type: string
        default: $controller_ip
      controller_port:
        description: The port for REST API
        type: string
        default: $controller_port
      controller_username:
        description: Username for a NeuVector admin
        type: string
        default: $controller_username
      controller_password:
        description: Password for a NeuVector admin
        type: string
        default: $controller_password
      registry_url:
        description: The registry URL full path
        type: string
        default: ''
      registry_username:
        description: The registry Username
        type: string
        default: ''
      registry_password:
        description: The registry password
        type: string
        default: ''
      repository:
        description: The repository to scan
        type: string
        default: ''
      tag:
        description: Tag of the repository to scan
        type: string
        default: ''
      scan_layers:
        description: Scan layer
        type: boolean
        default: false
      high_vul_to_fail:
        description: Minimum number of high vulnerabilities to fail the build
        type: integer
        default: 0
      medium_vul_to_fail:
        description: Minimum number of medium vulnerabilities to fail the build
        type: integer
        default: 0
      md_source:
        description: Metadata source name
        type: string
        default: "CircleCI"
    steps:
      - when:
          condition: <<parameters.scan_local_image>>
          steps:
            - attach_workspace:
                at: <<parameters.path>>
            - load_image:
                image_tar_file: <<parameters.image_tar_file>>
                path: <<parameters.path>>
            - scan_on_dynamic:
                registry: <<parameters.nv_registry_url>>
                username: <<parameters.nv_registry_username>>
                password: <<parameters.nv_registry_password>>
                scanner_image: <<parameters.nv_scanner_image>>
                nv_license: <<parameters.nv_license>>
                repository: <<parameters.image_name>>
                tag: <<parameters.image_tag>>
      - unless:
          condition: <<parameters.scan_local_image>>
          steps:
            - scan:
                registry_url: <<parameters.registry_url>>
                repository: <<parameters.repository>>
                registry_username: <<parameters.registry_username>>
                registry_password: <<parameters.registry_password>>
                tag: <<parameters.tag>>
                scan_layers: <<parameters.scan_layers>>
                md_source: <<parameters.md_source>>
      - report
      - checkpoint:
          high_vul_to_fail: <<parameters.high_vul_to_fail>>
          medium_vul_to_fail: <<parameters.medium_vul_to_fail>>
      - store_artifacts:
          path: nvreport