Getting Started With Slim’s Shield Orb for CircleCI

Rahul Rao

Introduction:

Container security is an essential aspect of modern software development, and ensuring that containers are hardened against potential threats is a common challenge. Slim.AI's Shield Orb for CircleCI is designed to simplify this process, providing an automated solution for container hardening. This guide offers a step-by-step walkthrough on how to use the Shield Orb with a Node.js application, making it accessible for developers at all levels.

What is Slim AI’s Shield Orb:

The Slim.AI Shield Orb is a practical tool that integrates with CircleCI. It's designed to automate the process of container hardening by observing the running container, understanding its requirements, and removing unnecessary components. The result is a more secure container image, created with efficiency in mind. This guide will detail how to implement the Shield Orb, providing instructions to help you get started.

Running the Slim.AI Shield Orb with a Node.js App: Example

Requirements:
  • Node.js app with Dockerfile that builds a container
  • CircleCI account - https://circleci.com/vcs-authorize/
  • Slim.AI platform account - https://portal.slim.dev/
  • DockerHub account - https://hub.docker.com/
Setup Overview:
  1. Have an existing Node.js project with a Dockerfile.
  2. Set up all credentials and environment variables.
  3. Add the orb, image, and other requirements to the CircleCI config file.
  4. Add the project and environment variables to CircleCI.
  5. Push the project to the remote and trigger a build.
  6. View the result in the Slim platform under Connectors.

You can fork the existing slim-shield-demo project and follow along after connecting the required accounts. This section provides a detailed walkthrough of setting up a ‘Hello World’ demo using the CircleCI Shield Orb.

Step 1: Set up Credentials

Begin by setting up all the necessary credentials for the project.

The Docker Hub username and password are your Docker Hub credentials. SLIM_ORG_ID and SLIM_API_TOKEN are found in the Slim platform, under Profile Settings in the Tokens and Organizations tabs.

A Connector ID is a secure link between an external container registry and the Slim platform. The Source and Target Connector IDs are found in the Slim platform under the ‘My Registries’ tab after connecting a new registry; when connecting, you supply your Docker username and a Docker access token, which can be generated in your Docker Hub account under Account Settings > Security. The source and target ID can be the same, in which case all generated images appear under the same directory.

Step 2: Configure CircleCI YAML File

a. Orb Declaration

Declare the Slim Shield Orb at the beginning of your config.yml file. This lets you use the orb's commands and jobs within your configuration. The Slim Shield orb is published as slimdevops/slim-shield.

b. Parameters

Two key parameters are defined: ‘image-name’, which specifies the image that will be hardened (<docker_username>/<node-app-name>:tag), and ‘cimg-tag’, which specifies which tag to use for the foundational image provided by CircleCI.

c. Executors

The "docker-publisher" environment is established, setting up the image name and authentication details for publishing the Docker image.

d. Jobs

  1. PublishLatestToHub:
This job is responsible for building a Docker image from your project and then publishing it to Docker Hub.
  2. runNormalTest:
The runNormalTest job tests a specified Docker image using Newman, a command line tool for running Postman collections. Within a Docker environment, it sets up a network, runs the target image, and executes the Newman tests against it. This ensures that the Docker image behaves as expected when subjected to the Postman tests.
  3. runInstrumentedTest:
The runInstrumentedTest job tests a Docker image that has been instrumented for enhanced monitoring. Using a Docker environment, it first establishes a network, then runs the instrumented image. Postman tests are then executed via the Newman CLI to ensure the behavior aligns with expectations.

e. Workflows

Workflows - engine-execution: orchestrates the execution of jobs in a specific sequence. It begins by publishing the latest image to Docker Hub. Next, it runs tests on the published image, followed by instrumenting the image using the Slim CLI. A Cypress test is then conducted on the instrumented image. The workflow continues with hardening the image using the Slim CLI, and concludes with running Cypress tests on the hardened image. This sequence gives a streamlined and secure process for container development and monitoring, with the necessary testing at each stage.
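As an added, illustrative config.yml (not the demo project's own file), the following shows the orb declaration, the two parameters, the docker-publisher executor, the PublishLatestToHub and runNormalTest jobs, and the start of the engine-execution workflow described above. The orb version x.y.z, the cimg/node tag, the app port 3000 and the tests/collection.json path are assumptions; the orb-provided instrument and harden jobs are omitted because their names and parameters come from the orb registry page.

```yaml
version: 2.1
orbs:
  slim-shield: slimdevops/slim-shield@x.y.z   # x.y.z is a placeholder; pin a registry release

parameters:
  image-name:
    type: string
    default: <docker_username>/<node-app-name>:latest
  cimg-tag:
    type: string
    default: "current"   # assumed tag for CircleCI's cimg/node image

executors:
  docker-publisher:
    docker:
      - image: cimg/node:<< pipeline.parameters.cimg-tag >>
        auth:   # values come from CircleCI project settings, never from this file
          username: $DOCKERHUB_USERNAME
          password: $DOCKERHUB_PASSWORD
    environment:
      IMAGE_NAME: << pipeline.parameters.image-name >>
jobs:
  PublishLatestToHub:
    executor: docker-publisher
    steps:
      - checkout
      - setup_remote_docker
      - run: docker build -t "$IMAGE_NAME" .
      - run: echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
      - run: docker push "$IMAGE_NAME"
  runNormalTest:
    executor: docker-publisher
    steps:
      - checkout
      - setup_remote_docker
      - run: |
          docker network create app-net
          docker run -d --network app-net --name app "$IMAGE_NAME"
          # Remote Docker cannot bind-mount the checkout, so copy the collection in.
          docker create --name newman --network app-net postman/newman:alpine \
            run collection.json --env-var base_url=http://app:3000
          docker cp tests/collection.json newman:/etc/newman/collection.json
          docker start -a newman

workflows:
  engine-execution:
    jobs:
      - PublishLatestToHub
      - runNormalTest:
          requires: [PublishLatestToHub]
```

The `docker start -a` step returns Newman's exit code, so a failing Postman assertion fails the job and blocks the later instrument and harden stages.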

Step 3: Connect Project Repo to CircleCI

Add the project code repository to CircleCI by selecting your config.yml file, and set up the project.

Enter the environment variables from Step 1 in CircleCI under Project Settings.

Step 4: Select the Project/Repo and Branch, then Trigger the Pipeline

This triggers the workflow specified in the config file.

The final step in the pipeline is Hardening & Hardened Test Suite. If the hardening completes successfully, the pipeline shows the step as passed.

Once testing has completed for the hardened container, you can view it in the Slim Portal underneath the connector you created at the beginning. The three images are shown under the Orb Harden connector created at the start of the project: latest (the original image), latest.instrumented (the instrumented image), and latest.slimxx (the hardened image).

Results:

The original image (as shown below) was 1.1 GB in size, with 626 total packages and 258 vulnerabilities.

The hardened image (as shown below) is 113 MB (a reduction of roughly 90%), with only 10 total packages and 13 vulnerabilities.

Conclusion:

Slim.AI’s Shield Orb for CircleCI offers a seamless and user-friendly approach to container security. By integrating this tool into your CI/CD pipeline, you not only enhance the security of your containers but also streamline the entire development process. Whether you're working on a small project or managing a complex system, the Shield Orb simplifies container hardening, making it accessible and efficient.
