Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
1
version: 2.1
Add the orbs
stanza below your version, invoking the orb:
1
2
orbs:
portshift-scanner: portshift/portshift-scanner@2.1.1
Use portshift-scanner
elements in your existing workflows and jobs.
Opt-in to use of uncertified orbs on your organization’s Security settings page.
Scan a newly built docker image with Portshift vulneribilities scanner.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
version: 2.1
orbs:
portshift-scanner: portshift/portshift-scanner@1.0.1
workflows:
scan-image:
jobs:
- microscanner/scan-image:
image_name: myrepo/myimage
image_tag: mytag
access_key: my_access_key
secret_key: my_secret_key
workspace: my_workspace
highest_severity_allowed: MEDIUM
portshift_server: portshift_server
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
image_name | The image to scan | Yes | - | string |
image_tag | The image tag to scan | Yes | - | string |
access_key | Environment variable name for reading the Access key for the Portshift service user | No | PORTSHIFT_ACCESS_KEY | env_var_name |
secret_key | Environment variable name for reading the Secret key for the Portshift service user | No | PORTSHIFT_SECRET_KEY | env_var_name |
workspace | path to load the docker image | No | workspace | string |
portshift_server | URL of the portshift server to report to | No | console.portshift.io | string |
highest_severity_allowed | The highest vulnerability severity allowed. The valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN | No | CRITICAL | enum |
registry_username | Environment variable name for the registry username | No | REGISTRY_USERNAME | env_var_name |
registry_password | Environment variable name for the registry password | No | REGISTRY_PASSWORD | env_var_name |
Install Portshift scanner
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
portshift_server | URL of the portshift server to report to | No | console.portshift.io | string |
Scans an image and sends results to Portshift managment
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
image_name | The image to scan | Yes | - | string |
image_tag | The image tag to scan | Yes | - | string |
access_key | Environment variable name for reading the Access key for the Portshift service user | No | PORTSHIFT_ACCESS_KEY | env_var_name |
secret_key | Environment variable name for reading the Secret key for the Portshift service user | No | PORTSHIFT_SECRET_KEY | env_var_name |
workspace | Name of the shared workspace | No | workspace | string |
portshift_server | URL of the portshift server to report to | No | console.portshift.io | string |
highest_severity_allowed | The highest vulnerability severity allowed. Valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN | No | CRITICAL | enum |
registry_username | Environment variable name for the registry username | No | REGISTRY_USERNAME | env_var_name |
registry_password | Environment variable name for the registry password | No | REGISTRY_PASSWORD | env_var_name |
A small Ubuntu based Docker image 'cimg/base' with common CI tools included. Highly cached on CircleCI for maximum speed.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
tag | The `cimg/base` Docker image version tag. | No | '2020.02' | string |
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
# This code is licensed from CircleCI to the user under the MIT license. See
# https://circleci.com/orbs/registry/licensing for details.
version: 2.1
description: |
Build secure docker images by including Portshift's workload indetity creation and vulnerability scanner in your container development pipeline
display:
home_url: https://www.portshift.io/
source_url: https://github.com/Portshift/CircleCI-Portshift-ORB
examples:
simple_build_and_scan:
description: Scan a newly built docker image with Portshift vulneribilities scanner.
usage:
version: 2.1
orbs:
portshift-scanner: portshift/portshift-scanner@1.0.1
workflows:
scan-image:
jobs:
- microscanner/scan-image:
image_name: myrepo/myimage
image_tag: mytag
access_key: my_access_key
secret_key: my_secret_key
workspace: my_workspace
highest_severity_allowed: 'MEDIUM'
portshift_server: portshift_server
executors:
default:
parameters:
tag:
description: The `cimg/base` Docker image version tag.
type: string
default: "2020.02"
description: >
A small Ubuntu based Docker image 'cimg/base' with common CI tools included. Highly cached on CircleCI for maximum speed.
docker:
- image: cimg/base:<< parameters.tag >>
commands:
install:
description: Install Portshift scanner
parameters:
portshift_server:
description: URL of the portshift server to report to
type: string
default: console.portshift.io
steps:
- run:
name: Import scanning script
command: |
PORTSHIFT_SERVER=<<parameters.portshift_server>>
mkdir portshift
echo ${PORTSHIFT_SERVER}
wget ${PORTSHIFT_SERVER}/tools/cli/portshift_deployment_cli -O portshift/portshift_cli
chmod +x portshift/portshift_cli
scan:
description: Scans an image and sends results to Portshift managment
parameters:
image_name:
description: The image to scan
type: string
image_tag:
description: The image tag to scan
type: string
access_key:
description: Environment variable name for reading the Access key for the Portshift service user
type: env_var_name
default: PORTSHIFT_ACCESS_KEY
secret_key:
description: Environment variable name for reading the Secret key for the Portshift service user
type: env_var_name
default: PORTSHIFT_SECRET_KEY
workspace:
description: Name of the shared workspace
type: string
default: workspace
portshift_server:
description: URL of the portshift server to report to
type: string
default: console.portshift.io
highest_severity_allowed:
description: The highest vulnerability severity allowed. Valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN
type: enum
enum: [CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN]
default: CRITICAL
registry_username:
description: Environment variable name for the registry username
type: env_var_name
default: REGISTRY_USERNAME
registry_password:
description: Environment variable name for the registry password
type: env_var_name
default: REGISTRY_PASSWORD
steps:
- attach_workspace:
at: <<parameters.workspace>>
- run:
name: Scan for vulneribilities and upload report artifact
command: |
IMAGE_NAME=<<parameters.image_name>>
IMAGE_TAG=<<parameters.image_tag>>
ACCESS_KEY=${<<parameters.access_key>>}
SECRET_KEY=${<<parameters.secret_key>>}
PORTSHIFT_SERVER=<<parameters.portshift_server>>
WORKSPACE=<<parameters.workspace>>
HIGHEST_SEVERITY_ALLOWED=<<parameters.highest_severity_allowed>>
REGISTRY_USERNAME=${<<parameters.registry_username>>}
REGISTRY_PASSWORD=${<<parameters.registry_password>>}
if [ -z "${ACCESS_KEY}" ]; then
echo "Error: The parameter access_key is empty. Please ensure the environment variable <<parameters.access_key>> has been added."
exit 1
fi
if [ -z "${SECRET_KEY}" ]; then
echo "Error: The parameter secret_key is empty. Please ensure the environment variable <<parameters.secret_key>> has been added."
exit 1
fi
if [ -n "${REGISTRY_USERNAME}" ] && [ -n "${REGISTRY_PASSWORD}" ]; then
docker login ${IMAGE_NAME}:${IMAGE_TAG} -u ${REGISTRY_USERNAME} -p ${REGISTRY_PASSWORD}
fi
docker pull ${IMAGE_NAME}:${IMAGE_TAG}
./portshift/portshift_cli run-vulnerability-scan --url ${PORTSHIFT_SERVER} --access-key ${ACCESS_KEY} --secret-key ${SECRET_KEY} --image-name ${IMAGE_NAME} --image-tag ${IMAGE_TAG} --highest-severity-allowed ${HIGHEST_SEVERITY_ALLOWED} -v | tee /tmp/results
- store_artifacts:
path: /tmp/results
destination: results
jobs:
scan-image:
machine: true
parameters:
image_name:
description: The image to scan
type: string
image_tag:
description: The image tag to scan
type: string
access_key:
description: Environment variable name for reading the Access key for the Portshift service user
type: env_var_name
default: PORTSHIFT_ACCESS_KEY
secret_key:
description: Environment variable name for reading the Secret key for the Portshift service user
type: env_var_name
default: PORTSHIFT_SECRET_KEY
workspace:
description: path to load the docker image
type: string
default: workspace
portshift_server:
description: URL of the portshift server to report to
type: string
default: console.portshift.io
highest_severity_allowed:
description: The highest vulnerability severity allowed. The valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN
type: enum
enum: [CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN]
default: CRITICAL
registry_username:
description: Environment variable name for the registry username
type: env_var_name
default: REGISTRY_USERNAME
registry_password:
description: Environment variable name for the registry password
type: env_var_name
default: REGISTRY_PASSWORD
steps:
- install:
portshift_server: <<parameters.portshift_server>>
- scan:
image_name: <<parameters.image_name>>
image_tag: <<parameters.image_tag>>
access_key: <<parameters.access_key>>
secret_key: <<parameters.secret_key>>
workspace: <<parameters.workspace>>
portshift_server: <<parameters.portshift_server>>
highest_severity_allowed: <<parameters.highest_severity_allowed>>
registry_username: <<parameters.registry_username>>
registry_password: <<parameters.registry_password>>