Getting Started With Slim’s Shield Orb for CircleCI

Rahul Rao

Introduction:

Container security is an essential aspect of modern software development, and ensuring that containers are hardened against potential threats is a common challenge. Slim.AI's Shield Orb for CircleCI is designed to simplify this process, providing an automated solution for container hardening. This guide offers a step-by-step walkthrough on how to use the Shield Orb with a Node.js application, making it accessible for developers at all levels.

What is Slim.AI’s Shield Orb:

The Slim.AI Shield Orb is a practical tool that integrates with CircleCI. It's designed to automate the process of container hardening by observing the running container, understanding its requirements, and removing unnecessary components. The result is a more secure container image, created with efficiency in mind. This guide will detail how to implement the Shield Orb, providing instructions to help you get started.

Example: Running the Slim.AI Shield Orb with a Node.js App:

Requirements:
  • Node.js app with a Dockerfile that builds a container
  • CircleCI account - https://circleci.com/vcs-authorize/
  • Slim.AI platform account - https://portal.slim.dev/
  • DockerHub account - https://hub.docker.com/

Setup Overview:
  1. Have an existing Node.js project with a Dockerfile.
  2. Set up all credentials/environment variables.
  3. Add the orb, image, and other requirements to the CircleCI config file.
  4. Add the project and environment variables to CircleCI.
  5. Push the project to the remote and trigger a build.
  6. View the result in the Slim platform under Connectors.

You can fork the existing slim-shield-demo project and follow along after connecting the required accounts. This section provides a detailed walkthrough of setting up a ‘Hello World’ demo using the CircleCI Shield Orb.

Step 1: Set up Credentials

Begin by setting up all the necessary credentials for the project:

The Docker Hub username and password are your Docker Hub credentials. SLIM_ORG_ID and SLIM_API_TOKEN are found in the Slim platform, under profile settings, in the Tokens and Organizations tab.

The Connector ID identifies a secure link between an external container registry and the Slim platform. The Source/Target Connector ID is found in the Slim platform under the ‘My Registries’ tab, by connecting a new registry: enter your Docker username and a Docker access token, which can be created in your Docker Hub account under Account Settings > Security. The source and target IDs can be the same, in which case all generated images appear in the same directory.

Step 2: Configure CircleCI YAML File

a. Orb Declaration

Declare the Slim Shield Orb at the beginning of your config.yml file. This allows you to use the orb's commands and jobs within your configuration. The Slim Shield Orb can be found at slimdevops/slim-shield.

b. Parameters

Two key parameters are defined: ‘image-name’, which specifies the image to be hardened (<docker_username>/<node-app-name>:tag), and ‘cimg-tag’, which specifies the tag of the CircleCI convenience base image to use.

c. Executors

The "docker-publisher" executor is defined here, setting the image name and the authentication details used to publish the Docker image.

d. Jobs

  1. PublishLatestToHub:
This job builds a Docker image from your project and publishes it to Docker Hub.
  2. runNormalTest:
The runNormalTest job tests a specified Docker image using Newman, a command-line tool for running Postman collections. Within a Docker environment it creates a network, runs the target image, and executes the Newman tests against it. This verifies that the Docker image behaves as expected under the Postman tests.
  3. runInstrumentedTest:
The runInstrumentedTest job tests a Docker image that has been instrumented for enhanced monitoring. Using a Docker environment, it first creates a network, then runs the instrumented image. Postman tests are then executed via the Newman CLI to confirm that the behavior matches expectations.

e. Workflows

The engine-execution workflow orchestrates the jobs in a fixed sequence. It begins by publishing the latest image to Docker Hub. Next, it runs tests on the published image, then instruments the image using the Slim CLI. A Cypress test is then run against the instrumented image. The workflow continues by hardening the image with the Slim CLI and concludes by running Cypress tests on the hardened image. This sequence gives a streamlined and secure process for container development and monitoring, with the necessary testing at each stage.
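A config.yml skeleton following the structure described in Step 2, written here as an added example rather than taken from the slim-shield-demo project. It assumes the app listens on port 3000, that the Postman collection lives at postman/collection.json in the repo and uses a {{baseUrl}} variable, that the Docker Hub credentials are exposed as DOCKERHUB_USERNAME/DOCKERHUB_PASSWORD, and that the orb's own instrument and harden jobs, which the post does not name, are appended to the workflow.

```yaml
version: 2.1
orbs:
  slim-shield: slimdevops/slim-shield@x.y.z  # coordinates from the post; version pin is a placeholder
parameters:
  image-name:
    type: string
    default: "<docker_username>/<node-app-name>:latest"
  cimg-tag:
    type: string
    default: "current"
executors:
  docker-publisher:
    docker:
      - image: cimg/base:<< pipeline.parameters.cimg-tag >>
    environment:
      IMAGE_NAME: << pipeline.parameters.image-name >>
jobs:
  PublishLatestToHub:
    executor: docker-publisher
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Build and push the image
          # DOCKERHUB_USERNAME / DOCKERHUB_PASSWORD are assumed names for the Step 1 project variables
          command: |
            docker build -t "$IMAGE_NAME" .
            echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
            docker push "$IMAGE_NAME"
  runNormalTest:
    executor: docker-publisher
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Run the Postman collection with Newman against the published image
          # bind mounts do not reach the remote Docker engine, so seed a named volume via a helper container
          command: |
            docker network create testnet
            docker run -d --name app --network testnet "$IMAGE_NAME"
            docker create --name seed -v newman-data:/etc/newman alpine:3
            docker cp postman/collection.json seed:/etc/newman/collection.json
            docker run --rm --network testnet -v newman-data:/etc/newman postman/newman run collection.json --env-var baseUrl=http://app:3000
workflows:
  engine-execution:
    jobs:
      - PublishLatestToHub
      - runNormalTest:
          requires: [PublishLatestToHub]
      # instrument, instrumented-test and harden stages use the orb's jobs, which the post does not name
```

Keeping the secret out of the command line (`--password-stdin`) matters because CircleCI echoes each command into the step log.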

Step 3: Connect Project Repo to CircleCI

Add the project code repository to CircleCI by selecting your config.yml file, and set up the project:

Enter the environment variables in CircleCI, under Project Settings:

Step 4: Select the Project/Repo and the Branch, then Trigger the Pipeline

This triggers the workflow specified in the config file:

The final step in the pipeline is Hardening & Hardened Test Suite. If the hardening has been completed successfully, the following will be shown:

Once testing has been completed for the hardened container, you can view it in the Slim Portal underneath the connector you created at the beginning:
The three images, latest (the original image), latest.instrumented (the instrumented image), and latest.slimxx (the hardened image), are shown underneath the Orb Harden connector that was created at the beginning of the project.

Results:

The original image (as shown below) was 1.1 GB in size, with 626 packages in total and 258 vulnerabilities.

The hardened image (as shown below) is now 113 MB (~90% reduction), with only 10 packages in total and 13 vulnerabilities!

Conclusion:

Slim.AI’s Shield Orb for CircleCI offers a seamless and user-friendly approach to container security. By integrating this tool into your CI/CD pipeline, you not only enhance the security of your containers but also streamline the entire development process. Whether you're working on a small project or managing a complex system, the Shield Orb simplifies container hardening, making it accessible and efficient.

Embarking on a New Journey

Farewell, Slim — Transitioning to a new and larger mission!

We're excited to share some big news from Slim.AI. We're taking a bold new direction, focusing all our energy on software supply chain security, now under our new name root.io. To meet this opportunity head-on, we’re building a solution focused on transparency, trust, and collaboration between software producers and consumers.

When we started Slim.AI, our goal was to help developers make secure containers. But as we dug deeper with our early adopters and key customers, we realized a bigger challenge exists within software supply chain security — namely, fostering collaboration and transparency between software producers and consumers. The positive feedback and strong demand we've seen from our early customers made it crystal clear: This is where we need to focus.

This new opportunity demands a company and brand that meet the moment. To that end, we’re momentarily stepping back into stealth mode, only to emerge with a vibrant new identity, and a groundbreaking product very soon at root.io. Over the next few months, we'll be laser-focused on working with design partners and building up the product, making sure we're right on the mark with what our customers need.

Stay informed and up-to-date with our latest developments at root.io. Discover the details about the end of life for Slim services, effective March 31, 2024, by clicking here.
