portshift/portshift-scanner@2.1.1

Partner
Build secure docker images by including Portshift's workload identity creation and vulnerability scanner in your container development pipeline

Created: February 23, 2020
Version Published: June 16, 2020
Releases: 5
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

```yaml
version: 2.1
```

Add the orbs stanza below your version, invoking the orb:

```yaml
orbs:
  portshift-scanner: portshift/portshift-scanner@2.1.1
```

Use portshift-scanner elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

simple_build_and_scan

Scan a newly built docker image with the Portshift vulnerability scanner.

```yaml
version: 2.1
orbs:
  portshift-scanner: portshift/portshift-scanner@1.0.1
workflows:
  scan-image:
    jobs:
      # The job is referenced through the orb alias declared above ("portshift-scanner").
      # The original example used "microscanner/scan-image", an orb that is never imported,
      # which fails config validation.
      - portshift-scanner/scan-image:
          image_name: myrepo/myimage
          image_tag: mytag
          access_key: my_access_key
          secret_key: my_secret_key
          workspace: my_workspace
          highest_severity_allowed: MEDIUM
          portshift_server: portshift_server
```
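The usage example above starts from an image that already exists in a registry; the scan job pulls it (`docker pull`) rather than loading it from the workspace. The following complete `.circleci/config.yml` is an added illustration, not code from the orb or the Portshift project: it builds and pushes the image in one job, then gates the workflow on the scan result. The registry host `registry.example.com`, the image path `team/app`, and the context names `registry-creds` and `portshift-creds` are placeholders; the contexts are assumed to hold `REGISTRY_USERNAME`/`REGISTRY_PASSWORD` and `PORTSHIFT_ACCESS_KEY`/`PORTSHIFT_SECRET_KEY` respectively.

```yaml
version: 2.1

orbs:
  portshift-scanner: portshift/portshift-scanner@2.1.1

jobs:
  # Build the image and push it to the registry the scan job will pull from.
  # registry.example.com and team/app are placeholder values.
  build-and-push:
    docker:
      - image: cimg/base:2020.02
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Build image
          command: docker build -t "registry.example.com/team/app:${CIRCLE_SHA1}" .
      - run:
          name: Push image
          # Credentials come from the registry-creds context (assumed). Feeding the
          # password on stdin keeps it out of the process list and the step output.
          command: |
            printf '%s' "${REGISTRY_PASSWORD}" | docker login registry.example.com \
              -u "${REGISTRY_USERNAME}" --password-stdin
            docker push "registry.example.com/team/app:${CIRCLE_SHA1}"

workflows:
  build-scan:
    jobs:
      - build-and-push:
          context:
            - registry-creds          # assumed: REGISTRY_USERNAME / REGISTRY_PASSWORD
      - portshift-scanner/scan-image:
          requires:
            - build-and-push          # scan only after the image has been pushed
          context:
            - registry-creds          # assumed: REGISTRY_USERNAME / REGISTRY_PASSWORD
            - portshift-creds         # assumed: PORTSHIFT_ACCESS_KEY / PORTSHIFT_SECRET_KEY
          image_name: registry.example.com/team/app
          # Resolved at config-compile time to the commit SHA, matching the tag
          # the build job used via ${CIRCLE_SHA1}.
          image_tag: << pipeline.git.revision >>
          # env_var_name parameters take the *name* of a variable; the orb reads
          # the value from the job environment, so no secret appears in config.
          access_key: PORTSHIFT_ACCESS_KEY
          secret_key: PORTSHIFT_SECRET_KEY
          registry_username: REGISTRY_USERNAME
          registry_password: REGISTRY_PASSWORD
          # Fail the workflow when a HIGH or CRITICAL finding is present;
          # MEDIUM and below are tolerated.
          highest_severity_allowed: MEDIUM
```

Keeping the credentials in contexts rather than project-level variables lets you restrict which workflows (and, with restricted contexts, which groups) can use them; the `requires` edge guarantees the scan runs against the image that was just pushed, not a stale tag.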

Jobs

scan-image

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| image_name | The image to scan | Yes | - | string |
| image_tag | The image tag to scan | Yes | - | string |
| access_key | Environment variable name for reading the Access key for the Portshift service user | No | PORTSHIFT_ACCESS_KEY | env_var_name |
| secret_key | Environment variable name for reading the Secret key for the Portshift service user | No | PORTSHIFT_SECRET_KEY | env_var_name |
| workspace | Path to load the docker image | No | workspace | string |
| portshift_server | URL of the Portshift server to report to | No | console.portshift.io | string |
| highest_severity_allowed | The highest vulnerability severity allowed. The valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN | No | CRITICAL | enum |
| registry_username | Environment variable name for the registry username | No | REGISTRY_USERNAME | env_var_name |
| registry_password | Environment variable name for the registry password | No | REGISTRY_PASSWORD | env_var_name |

Commands

install

Install Portshift scanner

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| portshift_server | URL of the Portshift server to report to | No | console.portshift.io | string |

scan

Scans an image and sends results to Portshift management

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| image_name | The image to scan | Yes | - | string |
| image_tag | The image tag to scan | Yes | - | string |
| access_key | Environment variable name for reading the Access key for the Portshift service user | No | PORTSHIFT_ACCESS_KEY | env_var_name |
| secret_key | Environment variable name for reading the Secret key for the Portshift service user | No | PORTSHIFT_SECRET_KEY | env_var_name |
| workspace | Name of the shared workspace | No | workspace | string |
| portshift_server | URL of the Portshift server to report to | No | console.portshift.io | string |
| highest_severity_allowed | The highest vulnerability severity allowed. Valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN | No | CRITICAL | enum |
| registry_username | Environment variable name for the registry username | No | REGISTRY_USERNAME | env_var_name |
| registry_password | Environment variable name for the registry password | No | REGISTRY_PASSWORD | env_var_name |

Executors

default

A small Ubuntu based Docker image 'cimg/base' with common CI tools included. Highly cached on CircleCI for maximum speed.

| Parameter | Description | Required | Default | Type |
| --- | --- | --- | --- | --- |
| tag | The `cimg/base` Docker image version tag. | No | '2020.02' | string |

Orb Source

```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
# This code is licensed from CircleCI to the user under the MIT license. See
# https://circleci.com/orbs/registry/licensing for details.
version: 2.1
description: |
  Build secure docker images by including Portshift's workload identity creation and vulnerability scanner in your container development pipeline
display:
  home_url: https://www.portshift.io/
  source_url: https://github.com/Portshift/CircleCI-Portshift-ORB
examples:
  simple_build_and_scan:
    description: Scan a newly built docker image with the Portshift vulnerability scanner.
    usage:
      version: 2.1
      orbs:
        portshift-scanner: portshift/portshift-scanner@1.0.1
      workflows:
        scan-image:
          jobs:
            # The job must be referenced through the orb alias declared above
            # ("portshift-scanner"); the original "microscanner/scan-image" named an
            # orb that is never imported and fails config validation.
            - portshift-scanner/scan-image:
                image_name: myrepo/myimage
                image_tag: mytag
                access_key: my_access_key
                secret_key: my_secret_key
                workspace: my_workspace
                highest_severity_allowed: 'MEDIUM'
                portshift_server: portshift_server
executors:
  default:
    parameters:
      tag:
        description: The `cimg/base` Docker image version tag.
        type: string
        default: "2020.02"
    description: >
      A small Ubuntu based Docker image 'cimg/base' with common CI tools included.
      Highly cached on CircleCI for maximum speed.
    docker:
      - image: cimg/base:<< parameters.tag >>
commands:
  install:
    description: Install Portshift scanner
    parameters:
      portshift_server:
        description: URL of the portshift server to report to
        type: string
        default: console.portshift.io
    steps:
      - run:
          name: Import scanning script
          command: |
            PORTSHIFT_SERVER=<<parameters.portshift_server>>
            mkdir portshift
            echo ${PORTSHIFT_SERVER}
            # wget treats a scheme-less value such as the default "console.portshift.io"
            # as http://, so the CLI binary is fetched in clear text unless the
            # parameter is given with an https:// prefix.
            wget ${PORTSHIFT_SERVER}/tools/cli/portshift_deployment_cli -O portshift/portshift_cli
            chmod +x portshift/portshift_cli
  scan:
    description: Scans an image and sends results to Portshift management
    parameters:
      image_name:
        description: The image to scan
        type: string
      image_tag:
        description: The image tag to scan
        type: string
      access_key:
        description: Environment variable name for reading the Access key for the Portshift service user
        type: env_var_name
        default: PORTSHIFT_ACCESS_KEY
      secret_key:
        description: Environment variable name for reading the Secret key for the Portshift service user
        type: env_var_name
        default: PORTSHIFT_SECRET_KEY
      workspace:
        description: Name of the shared workspace
        type: string
        default: workspace
      portshift_server:
        description: URL of the portshift server to report to
        type: string
        default: console.portshift.io
      highest_severity_allowed:
        description: The highest vulnerability severity allowed. Valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN
        type: enum
        enum: [CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN]
        default: CRITICAL
      registry_username:
        description: Environment variable name for the registry username
        type: env_var_name
        default: REGISTRY_USERNAME
      registry_password:
        description: Environment variable name for the registry password
        type: env_var_name
        default: REGISTRY_PASSWORD
    steps:
      - attach_workspace:
          at: <<parameters.workspace>>
      - run:
          name: Scan for vulnerabilities and upload report artifact
          command: |
            IMAGE_NAME=<<parameters.image_name>>
            IMAGE_TAG=<<parameters.image_tag>>
            # env_var_name parameters carry the *name* of a variable; the value is
            # read from the job environment here, so no secret is written into config.
            ACCESS_KEY=${<<parameters.access_key>>}
            SECRET_KEY=${<<parameters.secret_key>>}
            PORTSHIFT_SERVER=<<parameters.portshift_server>>
            WORKSPACE=<<parameters.workspace>>
            HIGHEST_SEVERITY_ALLOWED=<<parameters.highest_severity_allowed>>
            REGISTRY_USERNAME=${<<parameters.registry_username>>}
            REGISTRY_PASSWORD=${<<parameters.registry_password>>}
            if [ -z "${ACCESS_KEY}" ]; then
              echo "Error: The parameter access_key is empty. Please ensure the environment variable <<parameters.access_key>> has been added."
              exit 1
            fi
            if [ -z "${SECRET_KEY}" ]; then
              echo "Error: The parameter secret_key is empty. Please ensure the environment variable <<parameters.secret_key>> has been added."
              exit 1
            fi
            if [ -n "${REGISTRY_USERNAME}" ] && [ -n "${REGISTRY_PASSWORD}" ]; then
              # Fixed: `docker login` takes a registry host, not an image reference
              # (the original passed ${IMAGE_NAME}:${IMAGE_TAG}). Under Docker's naming
              # rules the first path component is a registry only if it contains
              # '.' or ':' or is "localhost"; otherwise the image lives on Docker Hub
              # and no server argument is given.
              FIRST_COMPONENT="${IMAGE_NAME%%/*}"
              REGISTRY_HOST=""
              if [ "${FIRST_COMPONENT}" != "${IMAGE_NAME}" ]; then
                case "${FIRST_COMPONENT}" in
                  *.*|*:*|localhost) REGISTRY_HOST="${FIRST_COMPONENT}" ;;
                esac
              fi
              # Password on stdin instead of -p keeps it out of the process list and
              # the step output. REGISTRY_HOST is deliberately unquoted so that an
              # empty value expands to no argument.
              printf '%s' "${REGISTRY_PASSWORD}" | docker login ${REGISTRY_HOST} -u "${REGISTRY_USERNAME}" --password-stdin
            fi
            docker pull ${IMAGE_NAME}:${IMAGE_TAG}
            # The scanner's exit status reaches the step only because CircleCI runs
            # commands with `set -eo pipefail`; without pipefail `tee` would mask it.
            # Note that the access and secret keys are passed as CLI arguments and are
            # therefore visible in the process list while the scan runs.
            ./portshift/portshift_cli run-vulnerability-scan --url ${PORTSHIFT_SERVER} --access-key ${ACCESS_KEY} --secret-key ${SECRET_KEY} --image-name ${IMAGE_NAME} --image-tag ${IMAGE_TAG} --highest-severity-allowed ${HIGHEST_SEVERITY_ALLOWED} -v | tee /tmp/results
      - store_artifacts:
          path: /tmp/results
          destination: results
jobs:
  scan-image:
    machine: true
    parameters:
      image_name:
        description: The image to scan
        type: string
      image_tag:
        description: The image tag to scan
        type: string
      access_key:
        description: Environment variable name for reading the Access key for the Portshift service user
        type: env_var_name
        default: PORTSHIFT_ACCESS_KEY
      secret_key:
        description: Environment variable name for reading the Secret key for the Portshift service user
        type: env_var_name
        default: PORTSHIFT_SECRET_KEY
      workspace:
        description: path to load the docker image
        type: string
        default: workspace
      portshift_server:
        description: URL of the portshift server to report to
        type: string
        default: console.portshift.io
      highest_severity_allowed:
        description: The highest vulnerability severity allowed. The valid values are CRITICAL, HIGH, MEDIUM, LOW or UNKNOWN
        type: enum
        enum: [CRITICAL, HIGH, MEDIUM, LOW, UNKNOWN]
        default: CRITICAL
      registry_username:
        description: Environment variable name for the registry username
        type: env_var_name
        default: REGISTRY_USERNAME
      registry_password:
        description: Environment variable name for the registry password
        type: env_var_name
        default: REGISTRY_PASSWORD
    steps:
      - install:
          portshift_server: <<parameters.portshift_server>>
      - scan:
          image_name: <<parameters.image_name>>
          image_tag: <<parameters.image_tag>>
          access_key: <<parameters.access_key>>
          secret_key: <<parameters.secret_key>>
          workspace: <<parameters.workspace>>
          portshift_server: <<parameters.portshift_server>>
          highest_severity_allowed: <<parameters.highest_severity_allowed>>
          registry_username: <<parameters.registry_username>>
          registry_password: <<parameters.registry_password>>
```