blockboard / ThreatMapper

Identify vulnerabilities in running containers, images, hosts and repositories

(Deepfence) Understand CI/CD Scanning (feature #4) #12

Open 0xisk opened 4 years ago

0xisk commented 4 years ago

We need to write full documentation for the following points:

Scan images as part of existing CI/CD Pipelines like

mina98 commented 4 years ago

@iskanderandrew @kirollosBoles To check the CircleCI integration, ThreatMapper/ci-cd-integrations will help us; it contains CircleCI, Jenkins, and GitLab.

mina98 commented 4 years ago

For CircleCI

ThreatMapper/ci-cd-integrations/circleci/ contains .circleci/, where this file creates the images for CircleCI. The requirement is awscli>=1.15.50, because the Docker images will be pushed to Amazon Elastic Container Registry (ECR).

The environment variables (copied from ThreatMapper):

| Variable | Description |
| --- | --- |
| AWS_ACCESS_KEY_ID | Used by the AWS CLI |
| AWS_SECRET_ACCESS_KEY | Used by the AWS CLI |
| AWS_DEFAULT_REGION | Used by the AWS CLI. Example value: "us-east-1" (Please make sure the specified region is supported by the Fargate launch type) |
| AWS_ACCOUNT_ID | AWS account id. This information is required for deployment. |
| AWS_RESOURCE_NAME_PREFIX | Prefix that some of the required AWS resources are assumed to have in their names. The value should correspond to the AWS ECR repository name or aws_resource_prefix variable value in terraform_setup/terraform.tfvars. |
| DEEPFENCE_CONSOLE_IP | Deepfence management console ip address |
| FAIL_CVE_COUNT | Fail the build if number of vulnerabilities found >= this value. Set -1 to pass regardless of vulnerabilities. |
| FAIL_CVE_SCORE | Fail the build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. |

mina98 commented 4 years ago

For Gitlab

For creating and building for GitLab, you can check this file; running it will create the image.

To run the main file for GitLab, you can run main.go.

The environment variables (copied from ThreatMapper):

| Variable | Description |
| --- | --- |
| DEEPFENCE_CONSOLE_IP | Deepfence management console ip address |
| FAIL_CVE_COUNT | Fail the build if number of vulnerabilities found >= this value. Set -1 to pass regardless of vulnerabilities. |
| FAIL_CVE_SCORE | Fail the build if cumulative CVE score is >= this value. Set -1 to pass regardless of cve score. |

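The FAIL_CVE_COUNT / FAIL_CVE_SCORE build gate described in the CircleCI and GitLab comments above, written out as an added Go example (not the project's main.go): the `Finding` type, the per-CVE scores and the cumulative-sum interpretation of "cumulative CVE score" are assumptions, and the thresholds are read from the CI environment with -1 (or unset) meaning "pass regardless".

```go
package main

import (
	"fmt"
	"os"
	"strconv"
)
// Finding is a constructed stand-in for one scan result (the real report format is not shown in the issue).
type Finding struct {
	CVE   string
	Score float64
}

// envFloat reads a threshold via lookup (os.LookupEnv in CI, a map in tests);
// unset or malformed values default to -1, which the thread defines as "pass regardless".
func envFloat(lookup func(string) (string, bool), name string) float64 {
	if v, ok := lookup(name); ok {
		if f, err := strconv.ParseFloat(v, 64); err == nil {
			return f
		}
	}
	return -1
}

// Evaluate applies the gate from the thread: fail when len(findings) >= FAIL_CVE_COUNT
// or the cumulative score >= FAIL_CVE_SCORE; -1 disables the respective check.
func Evaluate(findings []Finding, lookup func(string) (string, bool)) (bool, string) {
	failCount, failScore := envFloat(lookup, "FAIL_CVE_COUNT"), envFloat(lookup, "FAIL_CVE_SCORE")
	var total float64
	for _, f := range findings {
		total += f.Score
	}
	n := len(findings)
	if failCount != -1 && float64(n) >= failCount {
		return true, fmt.Sprintf("%d vulnerabilities >= FAIL_CVE_COUNT %g", n, failCount)
	}
	if failScore != -1 && total >= failScore {
		return true, fmt.Sprintf("cumulative score %.1f >= FAIL_CVE_SCORE %g", total, failScore)
	}
	return false, fmt.Sprintf("%d vulnerabilities, cumulative score %.1f: within thresholds", n, total)
}
func main() {
	// Constructed sample findings; the CVE ids are placeholders, not real advisories.
	findings := []Finding{{"CVE-XXXX-0001", 7.5}, {"CVE-XXXX-0002", 5.3}, {"CVE-XXXX-0003", 9.8}}
	fail, reason := Evaluate(findings, os.LookupEnv)
	fmt.Println(reason)
	if fail {
		os.Exit(1) // a non-zero exit is what fails the CI job
	}
}
```

Run with e.g. `FAIL_CVE_COUNT=3 go run .` to see the gate trip, and with both variables set to -1 to see it pass.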
0xisk commented 4 years ago

@mina98 Thanks for your updates. :100: