A shareable package of CircleCI configuration to integrate with sysdig, written by sysdig
Use CircleCI version 2.1 at the top of your .circleci/config.yml file:

```yaml
version: 2.1
```

Add the orbs stanza below your version, invoking the orb (the examples below show the stanza). Use sysdig elements in your existing workflows and jobs. Opt in to the use of uncertified orbs on your organization's Security settings page.
Build and scan in the same pipeline

```yaml
version: '2.1'
orbs:
  sysdig: sysdig/[email protected]
jobs:
  build-and-scan:
    docker:
      - image: cimg/base:stable
    environment:
      IMAGE_TO_BUILD: myrepo/myapp:tag
    steps:
      - checkout
      - setup_remote_docker:
          version: 19.03.13
      - run:
          command: docker build -t ${IMAGE_TO_BUILD} .
          name: Build Docker image
      - sysdig/inline-image-scan:
          image-tag: ${IMAGE_TO_BUILD}
          input-type: docker-daemon
          sysdig-secure-token: SECURE_API_TOKEN
workflows: null
```
Advanced Example

```yaml
version: '2.1'
orbs:
  sysdig: sysdig/[email protected]
jobs:
  build-and-scan-advanced:
    docker:
      - image: cimg/base:stable
    environment:
      IMAGE_TO_BUILD: myrepo/myapp:tag
    steps:
      - checkout
      - setup_remote_docker:
          version: 19.03.13
      - run:
          command: docker build -t ${IMAGE_TO_BUILD} .
          name: Build Docker image
      - sysdig/inline-image-scan:
          extra-parameters: ''
          ignore-failed-scan: false
          image-tag: ${IMAGE_TO_BUILD}
          input-type: docker-daemon
          sysdig-secure-token: SECURE_API_TOKEN
          sysdig-secure-url: ${SECURE_API_URL}
          sysdig-skip-tls: true
workflows: null
```
Pull and scan an image from an existing registry

```yaml
version: '2.1'
orbs:
  sysdig: sysdig/[email protected]
jobs:
  scan-image-from-registry:
    docker:
      - image: cimg/base:stable
    environment:
      IMAGE_TO_PULL_AND_SCAN: myrepo/myapp:tag
    steps:
      - setup_remote_docker:
          version: 19.03.13
      - sysdig/inline-image-scan:
          image-tag: ${IMAGE_TO_PULL_AND_SCAN}
          input-type: pull
          sysdig-secure-token: SECURE_API_TOKEN
workflows: null
```
inline-image-scan: Scan your docker images for vulnerabilities

| PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
|---|---|---|---|---|
| extra-docker-parameters | Additional parameters added to the docker command when executing the secure-inline-scan container. | No | '' | string |
| extra-parameters | Additional parameters added to the secure-inline-scan container execution. | No | '' | string |
| ignore-failed-scan | Don't fail the execution of this workflow even if the scan result is FAILED. | No | false | boolean |
| image-tag | Tag of the image to analyse. | Yes | - | string |
| input-path | Path to the docker socket. It must be an absolute path. | No | '' | string |
| input-type | Where to scan the image from. Possible values: pull (pull the image from the registry; the default if not specified) and docker-daemon (get the image from the Docker daemon; the docker socket must be available, at /var/run/docker.sock by default or at the path set in input-path). | No | pull | string |
| run-as-user | Run the scan container with this username or UID. It might be required when scanning from docker-daemon or cri-o, to provide a user with permissions on the socket or storage. | No | '' | string |
| secure-inline-scan-image | Sysdig Secure Inline Scan image service. | No | quay.io/sysdig/secure-inline-scan:2 | string |
| sysdig-secure-token | API token for Sysdig Scanning auth. | No | SYSDIG_SECURE_TOKEN | env_var_name |
| sysdig-secure-url | Sysdig Secure URL (ex: "https://secure-sysdig.com"). | No | https://secure.sysdig.com | string |
| sysdig-skip-tls | Skip TLS verification when calling secure endpoints. | No | false | boolean |
```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
version: 2.1
description: |
  Sysdig allows you to automate CI/CD pipeline and registry scanning without images leaving your environment. Block vulnerabilities pre-production and monitor for new CVEs at runtime for containers and hosts. Map critical vulnerabilities back to an application and dev team. To use this orb, you need to have a Sysdig Secure account and an API token.
display:
  home_url: https://sysdig.com
  source_url: https://github.com/sysdiglabs/circleci-orb
commands:
  inline-image-scan:
    description: |
      Scan your docker images for vulnerabilities
    parameters:
      extra-docker-parameters:
        default: ""
        description: Additional parameters added to the docker command when executing the secure-inline-scan container execution.
        type: string
      extra-parameters:
        default: ""
        description: Additional parameters added to the secure-inline-scan container execution.
        type: string
      ignore-failed-scan:
        default: false
        description: Don't fail the execution of this workflow even if the scan result is FAILED.
        type: boolean
      image-tag:
        description: Tag of the image to analyse.
        type: string
      input-path:
        default: ""
        description: Path to the docker socket. It must be an absolute path.
        type: string
      input-type:
        default: pull
        description: |
          If specified, where should we scan the image from. Possible values:
            pull            Pull the image from the registry.
                            Default if not specified.
            docker-daemon   Get the image from the Docker daemon.
                            The docker socket must be available.
                            The default path is /var/run/docker.sock, but can be configured
                            setting up the 'input-path'.
        type: string
      run-as-user:
        default: ""
        description: |
          Run the scan container with this username or UID.
          It might be required if scanning from docker-daemon or cri-o to provide a user with permissions on the socket or storage.
        type: string
      secure-inline-scan-image:
        default: quay.io/sysdig/secure-inline-scan:2
        description: Sysdig Secure Inline Scan image service
        type: string
      sysdig-secure-token:
        default: SYSDIG_SECURE_TOKEN
        description: API token for Sysdig Scanning auth.
        type: env_var_name
      sysdig-secure-url:
        default: https://secure.sysdig.com
        description: 'Sysdig Secure URL (ex: "https://secure-sysdig.com").'
        type: string
      sysdig-skip-tls:
        default: false
        description: Skip TLS verification when calling secure endpoints.
        type: boolean
    steps:
      - run:
          command: docker pull <<parameters.secure-inline-scan-image>>
          name: Pull Secure Inline Scan image
      - when:
          condition:
            equal:
              - <<parameters.input-type>>
              - pull
          steps:
            - run:
                command: |
                  docker run -ti --rm -e SYSDIG_API_TOKEN=${<<parameters.sysdig-secure-token>>} <<#parameters.run-as-user>>-u <<parameters.run-as-user>><</parameters.run-as-user>> <<#parameters.extra-docker-parameters>><<parameters.extra-docker-parameters>><</parameters.extra-docker-parameters>> <<parameters.secure-inline-scan-image>> -v --sysdig-url <<parameters.sysdig-secure-url>> <<#parameters.sysdig-skip-tls>>--sysdig-skip-tls<</parameters.sysdig-skip-tls>> <<#parameters.extra-parameters>><<parameters.extra-parameters>><</parameters.extra-parameters>> <<parameters.image-tag>> <<#parameters.ignore-failed-scan>> || true <</parameters.ignore-failed-scan>>
                name: 'Execute Secure Inline Scan image (mode: "<<parameters.input-type>>")'
      - when:
          condition:
            equal:
              - <<parameters.input-type>>
              - docker-daemon
          steps:
            - run:
                command: |
                  docker run -ti --rm -e SYSDIG_API_TOKEN=${<<parameters.sysdig-secure-token>>} <<#parameters.run-as-user>>-u <<parameters.run-as-user>><</parameters.run-as-user>> <<#parameters.input-path>>-v <<parameters.input-path>>:/var/run/docker.sock<</parameters.input-path>> <<^parameters.input-path>>-v /var/run/docker.sock:/var/run/docker.sock<</parameters.input-path>> <<#parameters.extra-docker-parameters>><<parameters.extra-docker-parameters>><</parameters.extra-docker-parameters>> <<parameters.secure-inline-scan-image>> -v --sysdig-url <<parameters.sysdig-secure-url>> <<#parameters.sysdig-skip-tls>>--sysdig-skip-tls<</parameters.sysdig-skip-tls>> <<#parameters.extra-parameters>><<parameters.extra-parameters>><</parameters.extra-parameters>> --storage-type=<<parameters.input-type>> <<parameters.image-tag>> <<#parameters.ignore-failed-scan>> || true <</parameters.ignore-failed-scan>>
                name: 'Execute Secure Inline Scan image (mode: "<<parameters.input-type>>")'
examples:
  build_and_inline_scan:
    description: Build and scan in the same pipeline
    usage:
      version: "2.1"
      orbs:
        sysdig: sysdig/[email protected]
      jobs:
        build-and-scan:
          docker:
            - image: cimg/base:stable
          environment:
            IMAGE_TO_BUILD: myrepo/myapp:tag
          steps:
            - checkout
            - setup_remote_docker:
                version: 19.03.13
            - run:
                command: docker build -t ${IMAGE_TO_BUILD} .
                name: Build Docker image
            - sysdig/inline-image-scan:
                image-tag: ${IMAGE_TO_BUILD}
                input-type: docker-daemon
                sysdig-secure-token: SECURE_API_TOKEN
      workflows: null
  build_and_scan_advanced:
    description: Advanced Example
    usage:
      version: "2.1"
      orbs:
        sysdig: sysdig/[email protected]
      jobs:
        build-and-scan-advanced:
          docker:
            - image: cimg/base:stable
          environment:
            IMAGE_TO_BUILD: myrepo/myapp:tag
          steps:
            - checkout
            - setup_remote_docker:
                version: 19.03.13
            - run:
                command: docker build -t ${IMAGE_TO_BUILD} .
                name: Build Docker image
            - sysdig/inline-image-scan:
                extra-parameters: ""
                ignore-failed-scan: false
                image-tag: ${IMAGE_TO_BUILD}
                input-type: docker-daemon
                sysdig-secure-token: SECURE_API_TOKEN
                sysdig-secure-url: ${SECURE_API_URL}
                sysdig-skip-tls: true
      workflows: null
  pull_and_scan_image_from_registry:
    description: Pull and scan an image from an existing registry
    usage:
      version: "2.1"
      orbs:
        sysdig: sysdig/[email protected]
      jobs:
        scan-image-from-registry:
          docker:
            - image: cimg/base:stable
          environment:
            IMAGE_TO_PULL_AND_SCAN: myrepo/myapp:tag
          steps:
            - setup_remote_docker:
                version: 19.03.13
            - sysdig/inline-image-scan:
                image-tag: ${IMAGE_TO_PULL_AND_SCAN}
                input-type: pull
                sysdig-secure-token: SECURE_API_TOKEN
      workflows: null
```
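To make the parameter table and the orb source above concrete, here is an added Python model (not the orb's own code) of how inline-image-scan turns its parameters into the `docker run` line it executes, so you can see which settings mount the daemon socket, which disable TLS checks, and that ignore-failed-scan appends `|| true` and therefore stops a FAILED policy result from failing the job. The function name and the dict-based parameter passing are this example's assumptions; the defaults and flags come from the page.

```python
"""Added illustration: how sysdig/inline-image-scan assembles its docker
invocation from the orb parameters. Defaults taken from the parameter table."""

DEFAULTS = {
    "extra-docker-parameters": "",
    "extra-parameters": "",
    "ignore-failed-scan": False,
    "input-path": "",
    "input-type": "pull",
    "run-as-user": "",
    "secure-inline-scan-image": "quay.io/sysdig/secure-inline-scan:2",
    "sysdig-secure-token": "SYSDIG_SECURE_TOKEN",
    "sysdig-secure-url": "https://secure.sysdig.com",
    "sysdig-skip-tls": False,
}


def build_scan_command(image_tag, params=None):
    """Return the shell line the orb's run step executes for these parameters."""
    p = {**DEFAULTS, **(params or {})}
    if p["input-type"] not in ("pull", "docker-daemon"):
        # The orb's two `when` conditions match only these values; any other
        # value pulls the scanner image but never runs a scan step.
        raise ValueError(f"unsupported input-type: {p['input-type']!r}")
    # sysdig-secure-token is an env_var_name: the shell expands it at run time,
    # so the secret itself never has to appear in config.yml.
    cmd = ["docker", "run", "-ti", "--rm",
           "-e", f"SYSDIG_API_TOKEN=${{{p['sysdig-secure-token']}}}"]
    if p["run-as-user"]:
        cmd += ["-u", p["run-as-user"]]
    if p["input-type"] == "docker-daemon":
        # Mount the daemon socket; input-path overrides the default location.
        sock = p["input-path"] or "/var/run/docker.sock"
        cmd += ["-v", f"{sock}:/var/run/docker.sock"]
    if p["extra-docker-parameters"]:
        cmd.append(p["extra-docker-parameters"])
    cmd += [p["secure-inline-scan-image"], "-v", "--sysdig-url", p["sysdig-secure-url"]]
    if p["sysdig-skip-tls"]:
        cmd.append("--sysdig-skip-tls")  # disables certificate checks on the Secure API
    if p["extra-parameters"]:
        cmd.append(p["extra-parameters"])
    if p["input-type"] == "docker-daemon":
        cmd.append("--storage-type=docker-daemon")
    cmd.append(image_tag)
    line = " ".join(cmd)
    if p["ignore-failed-scan"]:
        line += " || true"  # masks a non-zero exit, so a FAILED scan keeps the job green
    return line
```

Leaving ignore-failed-scan at false and sysdig-skip-tls at false keeps the scan acting as a gate and the API connection verified; the Advanced Example on this page sets sysdig-skip-tls to true, which this model shows surfacing as the --sysdig-skip-tls flag.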