Getting Started With Slim’s Shield Orb for CircleCI

Rahul Rao
← Slim Blog


Container security is an essential aspect of modern software development, and ensuring that containers are hardened against potential threats is a common challenge. Slim.AI's Shield Orb for CircleCI is designed to simplify this process, providing an automated solution for container hardening. This guide offers a step-by-step walkthrough on how to use the Shield Orb with a Node.js application, making it accessible for developers at all levels.

What is Slim AI’s Shield Orb:

The Slim.AI Shield Orb is a practical tool that integrates with CircleCI. It's designed to automate the process of container hardening by observing the running container, understanding its requirements, and removing unnecessary components. The result is a more secure container image, created with efficiency in mind. This guide will detail how to implement the Shield Orb, providing instructions to help you get started.

Running Slim.AI Shield Orb with Node.js app Example:

  • Node.js app with Dockerfile that builds a container
  • CircleCI account -
  • Slim.AI platform account -
  • DockerHub account -
Setup Overview:
  1. Have an existing Node.js project with dockerfile.
  2. Set up all credentials/environment variables.
  3. Add orb, image, and other requirements to the CircleCI config file.
  4. Add project & environment variables to CircleCI
  5. Push project to remote and trigger build
  6. View in Slim platform underneath connectors

You can fork the existing slim-shield-demo project and follow along after connecting the required accounts. This section provides a detailed walkthrough of setting up a ‘Hello World’ demo using the CircleCI Shield Orb.

Step 1: Set up Credentials

Begin by setting up all the necessary credentials for the project:

Dockerhub’s username and password are your dockerhub credentials. SLIM_ORG_ID & SLIM_API_TOKEN are found in the Slim platform - from profile settings, in the tokens and organizations tab. 

The Connector ID is a secure link between an external container registry and the slim platform. The Source/Target Connector ID is found in the Slim platform, under the ‘My Registries’ tab, and by connecting a new Registry. You can add your docker username, docker access token - which can be found in your Docker Hub account under Account Settings > Security. Both the source and target ID can be the same, and all generated images will appear under the same directory. 

Step 2: Configure CircleCI YAML File

a. Orb Declaration

Declare the Slim Shield Orb at the beginning of your config.yml file. This allows you to use the orb's commands and jobs within your configuration. The Slim Shield orb can be found at slimdevops/slim-shield

b. Parameters

Two key parameters are defined: ‘image-name’: This specifies the image that will be hardened (<docker_username>/<node-app-name>:tag) and ‘cimg-tag’ which specifies which tag to use for the foundational image provided by CircleCI. 

c. Executors

The "docker-publisher" environment is established, setting up the image name and authentication details for publishing the Docker image.

d. Jobs

  1. PublishLatestToHub:
This job is responsible for building a docker image from your project and then publishing it to dockerhub.  
  1. runNormaltest:
The runNormalTest job is designed to test a specified Docker image using Newman, a command line tool for running Postman collections. Within a docker environment, it sets up a network, runs the target image; executing the Newman tests against it. This ensures that the docker image behaves as expected when subjected to the postman tests.  
  1. runInstrumentedTest
The runInstrumentedTest job is tailored to test a Docker image that has been instrumented for enhanced monitoring. Using a Docker environment, it first establishes a network, then runs the instrumented image. Postman tests are then executed via the Newman CLI to ensure the behavior aligns with expectations. 

e. Workflows

Workflows - engine-execution: Orchestrates the execution of jobs in a specific sequence. It begins by publishing the latest image to Dockerhub. Next, it runs tests on the published image, followed by instrumenting the image using Slim CLI. A Cypress test is then conducted on the instrumented image. The workflow continues with hardening the image using Slim CLI, and concludes with running Cypress tests on the hardened image. This sequence ensures a streamlined and secure process for container development and monitoring, with the necessary testing. 

Step 3: Connect Project Repo to CircleCI

Add the project code repository to CircleCI by selecting your config.yml file, and set up the project:

Input Environment Variables within CircleCI - in project settings:

Step 4: Select the Project/Repo, the branch, then trigger pipeline.

This triggers the workflow specified in the config file:

The final step in the pipeline is Hardening & Hardened Test Suite. If the hardening has been completed successfully, the following will be shown:

Once testing has been completed for the hardened container, you can view it in the Slim Portal underneath the connector you created at the beginning: 
The three images: latest - the original image, latest.instrumented - the instrumented image, and latest.slimxx - the hardened image is shown underneath the Orb Harden connector which was created at the beginning of the project. 


The original image (as shown below) was a size of 1.1 GB, with 626 total packages, and 258 vulnerabilities.  

The hardened image (as shown below) is now a size of 113 MB (~90% reduction), with only 10 total packages and 13 vulnerabilities!


Slim.AI’s Shield Orb for CircleCI offers a seamless and user-friendly approach to container security. By integrating this tool into your CI/CD pipeline, you not only enhance the security of your containers but also streamline the entire development process. Whether you're working on a small project or managing a complex system, the Shield Orb simplifies container hardening, making it accessible and efficient.

Make security collaboration easier today

Join the waitlist to try out Slim's shared workspace for communicating and coordinating vulnerability fixes with your software vendors.
Responsive HubSpot Form

Join our Beta

Take the complexity and frustration out of coordinating vulnerability fixes with your vendors.

  • Communicate directly in the platform to assign owners, due dates and negotiate fixes
  • Get a view into the status of each vulnerability
  • Receive notifications the moment vulnerabilities are fixed

Additionally, our Beta users get access to:

  • Multiple vulnerability scanners
  • SBOM generation
  • Reachability analysis
  • Enhanced container intelligence software
  • Dedicated Support

Join our Beta

Take the frustration out of vulnerability fixes with software vendors directly on our platform.

  • Assign owners, set due dates, track vulnerability statuses, and get instant fix notifications.
  • Beta users gain access to multiple scanners, SBOM generation, reachability analysis, enhanced container intelligence, and dedicated support.