Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
1
version: 2.1
Add the orbs
stanza below your version, invoking the orb:
1
2
orbs:
neuvector-orb: neuvector/neuvector-orb@1.0.2
Use neuvector-orb
elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
Scan a image
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
version: 2.1
orbs:
neuvector: neuvector/neuvector-orb@1.0.2
jobs:
build_image:
docker:
- image: docker:stable-git
steps:
- setup_remote_docker
- checkout
- run:
name: build container
command: |
docker pull alpine:3.2
- run:
name: Save Docker image
command: |
rm -rf /tmp/neuvector/
mkdir /tmp/neuvector/ -p
docker save -o /tmp/neuvector/alpine-3.2.tar alpine:3.2
- persist_to_workspace:
root: /tmp/neuvector/
paths:
- ./
workflows:
scan-image:
jobs:
- neuvector/scan-image:
context: myContext
registry_url: https://registry.hub.docker.com
repository: library/alpine
tag: 3.12.0
scan_layers: false
high_vul_to_fail: 0
medium_vul_to_fail: 3
scan-private-registry:
jobs:
- neuvector/scan-image:
context: myContext
registry_url: 127.100.12.157:5000
registry_username: ${registry_username}
registry_password: ${registry_password}
repository: ci_demo_image
tag: v1.2
scan_layers: false
high_vul_to_fail: 10
medium_vul_to_fail: 30
scan-local-image:
jobs:
- build_image
- neuvector/scan-image:
requires:
- build_image
context: myContext
scan_local_image: true
image_name: alpine
image_tag: '3.2'
path: /tmp/neuvector/
image_tar_file: /tmp/neuvector/alpine-3.2.tar
scan_layers: false
high_vul_to_fail: 0
medium_vul_to_fail: 3
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
scan_local_image | To scan the image on the same host | No | false | boolean |
image_tar_file | Tar file exported from docker running container | Yes | - | string |
path | The absolute path to store the tar file | Yes | - | string |
image_name | Name of the image to be scanned | Yes | - | string |
image_tag | Tag of the image to be scanned | Yes | - | string |
nv_registry_url | Registry URL to pull NeuVector Scanner Image | No | ${nv_registry_url} | string |
nv_registry_username | Login user to pull NeuVector Scanner Image | No | ${nv_registry_username} | string |
nv_registry_password | Login password pull NeuVector Scanner Image | No | ${nv_registry_password} | string |
nv_scanner_image | The Neuvector Scanner image | No | neuvector/scanner:latest | string |
nv_license | The Neuvector license | No | $nv_license | string |
controller_ip | The IP address of the Controller or Allinone host or service external ip | No | $controller_ip | string |
controller_port | The port for REST API | No | $controller_port | string |
controller_username | Username for a NeuVector admin | No | $controller_username | string |
controller_password | Password for a NeuVector admin | No | $controller_password | string |
registry_url | The registry URL full path | No | '' | string |
registry_username | The registry Username | No | '' | string |
registry_password | The registry password | No | '' | string |
repository | The repository to scan | No | '' | string |
tag | Tag of the repository to scan | No | '' | string |
scan_layers | Scan layer | No | false | boolean |
high_vul_to_fail | Minimum number of high vulnerabilities to fail the build | No | 0 | integer |
medium_vul_to_fail | Minimum number of medium vulnerabilities to fail the build | No | 0 | integer |
md_source | Metadata source name | No | CircleCI | string |
Load image
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
image_tar_file | The tar archive file that stores the to-be-scan image | Yes | - | string |
path | The absolute path to store the tar archive file | Yes | - | string |
run NeuVector Scanner
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
registry | The registry to pull NeuVector Scanner | Yes | - | string |
username | The registry's login user | Yes | - | string |
password | The registry's login password | Yes | - | string |
scanner_image | Neuvector Scanner image | Yes | - | string |
nv_license | License for NeuVector Scanner | Yes | - | string |
repository | The repository to scan | Yes | - | string |
tag | Tag of the repository to scan | Yes | - | string |
Scan image
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
controller_ip | The IP address of NeuVector Scanner | No | $controller_ip | string |
controller_port | The port to access NeuVector Scanner | No | $controller_port | string |
controller_username | Username to sign in NeuVector Scanner | No | $controller_username | string |
controller_password | Password to sign in NeuVector Scanner | No | $controller_password | string |
registry_url | The registry URL full path | No | '' | string |
registry_username | The registry Username | No | '' | string |
registry_password | The registry password | No | '' | string |
repository | The repository to scan | Yes | - | string |
tag | Tag of the repository to scan | Yes | - | string |
scan_layers | Scan layer | No | false | boolean |
md_source | Source name | No | '' | string |
Pass or fail based on criteria
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
high_vul_to_fail | Minimum number of high vulnerabilities to fail the build | No | 0 | integer |
medium_vul_to_fail | Minimum number of medium vulnerabilities to fail the build | No | 0 | integer |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
This orb is for NeuVector vulnerability scanning.
display:
home_url: https://neuvector.com/
source_url: https://github.com/neuvector/circleci-orb/
examples:
image-scan:
description: Scan a image
usage:
version: 2.1
orbs:
neuvector: neuvector/neuvector-orb@1.0.2
jobs:
build_image:
docker:
- image: docker:stable-git
steps:
- setup_remote_docker
- checkout
- run:
name: build container
command: |
docker pull alpine:3.2
- run:
name: Save Docker image
command: |
rm -rf /tmp/neuvector/
mkdir /tmp/neuvector/ -p
docker save -o /tmp/neuvector/alpine-3.2.tar alpine:3.2
- persist_to_workspace:
root: /tmp/neuvector/
paths:
- ./
workflows:
scan-image:
jobs:
- neuvector/scan-image:
context: myContext
registry_url: https://registry.hub.docker.com
repository: library/alpine
tag: "3.12.0"
scan_layers: false
high_vul_to_fail: 0
medium_vul_to_fail: 3
scan-private-registry:
jobs:
- neuvector/scan-image:
context: myContext
registry_url: 127.100.12.157:5000
registry_username: ${registry_username}
registry_password: ${registry_password}
repository: ci_demo_image
tag: "v1.2"
scan_layers: false
high_vul_to_fail: 10
medium_vul_to_fail: 30
scan-local-image:
jobs:
- build_image
- neuvector/scan-image:
requires:
- build_image
context: myContext
scan_local_image: true
image_name: alpine
image_tag: "3.2"
path: "/tmp/neuvector/"
image_tar_file: /tmp/neuvector/alpine-3.2.tar
scan_layers: false
high_vul_to_fail: 0
medium_vul_to_fail: 3
executors:
default:
machine: true
commands:
load_image:
description: Load image
parameters:
image_tar_file:
description: The tar archive file that stores the to-be-scan image
type: string
path:
description: The absolute path to store the tar archive file
type: string
steps:
- run:
name: Load the to-be-scan image from the attached tar archive file
command: |
docker load -i <<parameters.path>><<parameters.image_tar_file>>
scan_on_dynamic:
description: run NeuVector Scanner
parameters:
registry:
description: The registry to pull NeuVector Scanner
type: string
username:
description: The registry's login user
type: string
password:
description: The registry's login password
type: string
scanner_image:
description: Neuvector Scanner image
type: string
nv_license:
description: License for NeuVector Scanner
type: string
repository:
description: The repository to scan
type: string
tag:
description: Tag of the repository to scan
type: string
steps:
- run:
name: Start up Neuvector Scanner
command: |
echo "<<parameters.password>>" | docker login --username "<<parameters.username>>" <<parameters.registry>> --password-stdin
docker run --name neuvector.scanner --rm -e SCANNER_REPOSITORY=<<parameters.repository>> -e SCANNER_TAG=<<parameters.tag>> -e SCANNER_LICENSE=<<parameters.nv_license>> -v /var/run/docker.sock:/var/run/docker.sock -v /var/neuvector:/var/neuvector '<<parameters.scanner_image>>'
mkdir nvreport
cp /var/neuvector/scan_result.json ./nvreport/scan_repository.json
scan:
description: Scan image
parameters:
controller_ip:
description: The IP address of NeuVector Scanner
type: string
default: $controller_ip
controller_port:
description: The port to access NeuVector Scanner
type: string
default: $controller_port
controller_username:
description: Username to sign in NeuVector Scanner
type: string
default: $controller_username
controller_password:
description: Password to sign in NeuVector Scanner
type: string
default: $controller_password
registry_url:
description: The registry URL full path
type: string
default: ''
registry_username:
description: The registry Username
type: string
default: ''
registry_password:
description: The registry password
type: string
default: ''
repository:
description: The repository to scan
type: string
tag:
description: Tag of the repository to scan
type: string
scan_layers:
description: Scan layer
type: boolean
default: false
md_source:
description: Source name
type: string
default: ''
steps:
- run:
name: Scan Image
command: |
mkdir nvtemp
mkdir nvreport
curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -d '{"password": {"username": "'<<parameters.controller_username>>'", "password": "'<<parameters.controller_password>>'"}}' "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/auth" > ./nvtemp/tokenResponse
HTTP_STATUS=$(cat ./nvtemp/tokenResponse | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
if [ "$HTTP_STATUS" == "200" ]; then
cat ./nvtemp/tokenResponse | sed -e 's/HTTPSTATUS\:.*//g' > ./nvtemp/token.json
elif [ "$HTTP_STATUS" == "401" -o "$HTTP_STATUS" == "404" -o "$HTTP_STATUS" == "405" ]; then
echo Invalid credential of NeuVector controller.
exit 1
else
echo Failed to get token. Http status code: $HTTP_STATUS.
exit 1
fi
curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/scanner" > ./nvtemp/scannerResponse
_status_=$(cat ./nvtemp/scannerResponse | sed -e 's/HTTPSTATUS\:.*//g' | jq .scanners[])
_counter_="0"
while [ -z "$_status_" -a "$_counter_" != "20" ]; do
_counter_=$((( _counter_ + 1 )))
sleep 5
curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/scanner" > ./nvtemp/scannerResponse
_status_=$(cat ./nvtemp/scannerResponse | sed -e 's/HTTPSTATUS\:.*//g' | jq .scanners[])
done
if [ "$_counter_" = "20" ]; then
echo Neuvector Scanner is not available.
exit 1
fi
curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" -d '{"request": { "metadata":{"source": "'<<parameters.md_source>>'", "user": "${CIRCLE_PROJECT_USERNAME}", "job": "${CIRCLE_PROJECT_REPONAME} ", "workspace": "${CIRCLE_WORKING_DIRECTORY}"}, "registry": "'<<parameters.registry_url>>'", "username": "'<<parameters.registry_username>>'", "password": "'<<parameters.registry_password>>'", "repository": "'<<parameters.repository>>'", "tag": "'<<parameters.tag>>'", "scan_layers": <<parameters.scan_layers>>}}' "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/repository" > ./nvtemp/scanResponse
HTTP_STATUS=$(cat ./nvtemp/scanResponse | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
while [ "$HTTP_STATUS" == "304" ]; do
curl --silent --write-out "HTTPSTATUS:%{http_code}" -k -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" -d '{"request": { "metadata":{"source": "'<<parameters.md_source>>'", "user": "${CIRCLE_PROJECT_USERNAME}", "job": "${CIRCLE_PROJECT_REPONAME} ", "workspace": "${CIRCLE_WORKING_DIRECTORY}"}, "registry": "'<<parameters.registry_url>>'", "username": "'<<parameters.registry_username>>'", "password": "'<<parameters.registry_password>>'", "repository": "'<<parameters.repository>>'", "tag": "'<<parameters.tag>>'", "scan_layers": <<parameters.scan_layers>>}}' "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/scan/repository" > ./nvtemp/scanResponse
HTTP_STATUS=$(cat ./nvtemp/scanResponse | tr -d '\n' | sed -e 's/.*HTTPSTATUS://')
done
if [ "$HTTP_STATUS" == "200" ]; then
cat ./nvtemp/scanResponse | sed -e 's/HTTPSTATUS\:.*//g' > ./nvreport/scan_repository.json
echo Scan successfully.
else
echo Scan failed. Http status code: $HTTP_STATUS.
exit 1
fi
curl -k -X "DELETE" -H "Content-Type: application/json" -H "X-Auth-Token: `cat ./nvtemp/token.json | jq -r '.token.token'`" "https://<<parameters.controller_ip>>:<<parameters.controller_port>>/v1/auth"
report:
description: Print the report
steps:
- run:
name: Short report
command: |
VUL_NUM=$(cat ./nvreport/scan_repository.json | jq '.report.vulnerabilities | length')
if [ "$VUL_NUM" -eq 0 ]; then
echo No vulnerabilities found.
else
echo Total number of vulnerabilities: $VUL_NUM, grouped by package name with vulnerability name.
jq '[.report.vulnerabilities | group_by(.package_name) | .[] | {package_name: .[0].package_name, vuln_name: [.[].name]}]' ./nvreport/scan_repository.json
fi
- run:
name: Full report
command: |
echo Full report in json.
cat ./nvreport/scan_repository.json | jq .
checkpoint:
description: Pass or fail based on criteria
parameters:
high_vul_to_fail:
description: Minimum number of high vulnerabilities to fail the build
type: integer
default: 0
medium_vul_to_fail:
description: Minimum number of medium vulnerabilities to fail the build
type: integer
default: 0
steps:
- run:
name: Check criteria
command: |
FOUND_HIGH=$(cat ./nvreport/scan_repository.json | jq '.report.vulnerabilities[] | select(.severity == "High") | .severity' | wc -l)
FOUND_MEDIUM=$(cat ./nvreport/scan_repository.json | jq '.report.vulnerabilities[] | select(.severity == "Medium") | .severity' | wc -l)
echo Criteria high_vul_to_fail: <<parameters.high_vul_to_fail>>, medium_vul_to_fail: <<parameters.medium_vul_to_fail>>.
echo Found high vulnerabilities: $FOUND_HIGH, found medium vulnerabilities: $FOUND_MEDIUM.
if [ <<parameters.high_vul_to_fail>> -ne 0 -a "$FOUND_HIGH" -ge <<parameters.high_vul_to_fail>> ]; then
echo Fail due to high vulnerabilities found meets the criteria.
exit 1
elif [ <<parameters.medium_vul_to_fail>> -ne 0 -a "$FOUND_MEDIUM" -ge <<parameters.medium_vul_to_fail>> ]; then
echo Fail due to medium vulnerabilities found meets the criteria.
exit 1
else
echo Pass the criteria check.
fi
jobs:
scan-image:
executor: default
parameters:
scan_local_image:
description: To scan the image on the same host
type: boolean
default: false
image_tar_file:
description: Tar file exported from docker running container
type: string
path:
description: The absolute path to store the tar file
type: string
image_name:
description: Name of the image to be scanned
type: string
image_tag:
description: Tag of the image to be scanned
type: string
nv_registry_url:
description: Registry URL to pull NeuVector Scanner Image
type: string
default: ${nv_registry_url}
nv_registry_username:
description: Login user to pull NeuVector Scanner Image
type: string
default: ${nv_registry_username}
nv_registry_password:
description: Login password pull NeuVector Scanner Image
type: string
default: ${nv_registry_password}
nv_scanner_image:
description: The Neuvector Scanner image
type: string
default: "neuvector/scanner:latest"
nv_license:
description: The Neuvector license
type: string
default: $nv_license
controller_ip:
description: The IP address of the Controller or Allinone host or service external ip
type: string
default: $controller_ip
controller_port:
description: The port for REST API
type: string
default: $controller_port
controller_username:
description: Username for a NeuVector admin
type: string
default: $controller_username
controller_password:
description: Password for a NeuVector admin
type: string
default: $controller_password
registry_url:
description: The registry URL full path
type: string
default: ''
registry_username:
description: The registry Username
type: string
default: ''
registry_password:
description: The registry password
type: string
default: ''
repository:
description: The repository to scan
type: string
default: ''
tag:
description: Tag of the repository to scan
type: string
default: ''
scan_layers:
description: Scan layer
type: boolean
default: false
high_vul_to_fail:
description: Minimum number of high vulnerabilities to fail the build
type: integer
default: 0
medium_vul_to_fail:
description: Minimum number of medium vulnerabilities to fail the build
type: integer
default: 0
md_source:
description: Metadata source name
type: string
default: "CircleCI"
steps:
- when:
condition: <<parameters.scan_local_image>>
steps:
- attach_workspace:
at: <<parameters.path>>
- load_image:
image_tar_file: <<parameters.image_tar_file>>
path: <<parameters.path>>
- scan_on_dynamic:
registry: <<parameters.nv_registry_url>>
username: <<parameters.nv_registry_username>>
password: <<parameters.nv_registry_password>>
scanner_image: <<parameters.nv_scanner_image>>
nv_license: <<parameters.nv_license>>
repository: <<parameters.image_name>>
tag: <<parameters.image_tag>>
- unless:
condition: <<parameters.scan_local_image>>
steps:
- scan:
registry_url: <<parameters.registry_url>>
repository: <<parameters.repository>>
registry_username: <<parameters.registry_username>>
registry_password: <<parameters.registry_password>>
tag: <<parameters.tag>>
scan_layers: <<parameters.scan_layers>>
md_source: <<parameters.md_source>>
- report
- checkpoint:
high_vul_to_fail: <<parameters.high_vul_to_fail>>
medium_vul_to_fail: <<parameters.medium_vul_to_fail>>
- store_artifacts:
path: nvreport