Introducing Slim's Scanner Orb for CircleCI

Get vulnerability and container composition analysis with every new container build
Heather Thacker
Mar 10, 2023

Security is never an afterthought, and with automated processes it can be relatively painless to build into every development iteration. Slim.AI has published a CircleCI Orb, slimdevops/slim-scanner, that leverages the Slim platform to perform container security analysis every time you build a new container on CircleCI.

CircleCI Orbs are shareable packages of code, commands, and configuration elements to run with build and deployment cycles. Slim.AI has built an Orb for your Node.js backend projects, to scan for vulnerabilities and collect container reports for easy analysis with Slim platform tools.

What is CircleCI?

CircleCI is an established Continuous Integration, Continuous Deployment (shortened to CI/CD) platform that gives developers an informed look at every branch, build, and environment of a project. CircleCI Orbs are reusable elements that integrate easily into an app's build and run automatically on every build.

The Benefits of using Orbs

Orbs simplify your configuration by providing parameterizable configuration elements: add an Orb to your build steps in a few lines! By authoring an Orb, Slim.AI allows a configuration element to be defined once and used across multiple projects. In this case, Slim.AI's Orb defines a vulnerability scan and container report that can be applied to any OCI-compliant container.

What is Slim.AI’s Orb?

Running the SlimDevOps Orb with app builds adds a container profile to a collection on the Slim platform, alongside every previous scan and report. Three artifacts are generated when this Orb runs:

  • The results (readme.html) is an HTML file with vulnerability and profile results, and it links to the Slim platform for easy reference.
  • The vulnerability report (Vuln.json) is an aggregated JSON file produced from two scans using open source scanners (Grype and Trivy). It is the same report that is generated in the Slim SaaS.
  • The container profile (XRay.json) is a JSON report with details about the Docker container composition: its base image, layers, size, and additional metadata.

Over time, these references can be analyzed with Slim’s tools to further secure the container and keep track of new containers built.

Using Slim.AI's Orb in a project requires some initial setup before it can generate reports and store container image collections. The Orb is added to your project's CI/CD configuration and runs on every project build, talking to the Slim SaaS platform to run scans and save reports. Once set up as explained below, you get security monitoring on every build with minimal effort.

Running the Slim.AI Orb with Node.js app

In this scenario, a developer has a Node.js project and a Dockerfile that builds a container of the app. Slim.AI's Orb is used to build and publish the Node.js app to Docker Hub. The Orb scans the Docker image and publishes a container profile (xray.json), a vulnerability report (vuln.json), and results (readme.html) to the CircleCI Artifacts section, and saves the container image to the developer's Slim platform Collection for easy reference later on.

Prerequisites to complete this example

Setup Overview

  1. Have existing Node.js project
  2. Build and Run Docker in project
  3. Add environment variables to project
  4. Add Orb to CircleCI config
  5. Add project to CircleCI
  6. Push project to remote and trigger build
  7. View Artifacts in CircleCI pipeline
  8. View Collection in Slim platform

Fork the existing orb-demo project and follow along after connecting your existing accounts:

https://github.com/slimdevops/orb-demo

Step 1: Build Docker image

docker build -t <docker_username>/<node-app-name> .

To run the container, use:

docker run <docker_username>/<node-app-name>

Step 2: Set up the Orb

In your project’s root, add the following environment variables to your .env.

DOCKERHUB_PASSWORD=Your Docker Hub access token
DOCKERHUB_USERNAME=Your Docker Hub username
FAV_COLLECTION_ID=Favorites Collection ID from Slim platform
ORG_ID=Organization ID from Slim platform
SAAS_KEY=Slim platform Access Token

Docker Hub Password and Username

These credentials are used as CircleCI parameters to publish app images. The username is the one you selected when signing up for Docker Hub. The password is generated from your account's access tokens. You can log in from the Docker CLI with your access token by running docker login -u your_username; when prompted for a password, enter your personal access token.

To create a new Docker Access Token, go to your Account Settings > Security > New Access Token. For more information, see Docker's security settings (login required).

Create your access token and add the secret value to your app’s .env file.

Favorite Collection ID, Organization ID, and SaaS Key

These variables can be found on the Slim Platform.

The Favorite Collection ID is found in the Collections tab. Every user starts with a Favorites collection and can add new collections. Collections store container images that are used regularly during development and keep them organized for easier referencing. The FAV_COLLECTION_ID is available in the URL of the collection and starts with the rkcol signifier. You can also list your collections with the Slim CLI command slim collections ls.

Find your collections here: https://portal.slim.dev/collections

The Organization ID is found in Personal Information, under the Organization tab, and the ID starts with rko. Every user receives a personal Organization ID when first joining the platform. The default is named 'Org', and users can add new ones. Orgs have distinct Collections and Connectors, and you can invite new members to any org.

The SaaS Key (SAAS_KEY) is a confidential personal access token found under Personal Information > Tokens; create one by adding a new token.

Here, we've created one for the CircleCI Orb. Tokens provide API access to your Slim account, and should be treated securely and rotated frequently.

Step 3: Configure the CircleCI YAML file

The .circleci/config.yml file is where the orb is "imported" and the jobs and steps are defined. Find an example file at https://github.com/slimdevops/orb-demo/blob/main/.circleci/config.yml

To add the Orb, see the quickstart guide in CircleCI's Orb registry, which covers adding a specific Orb to the file .circleci/config.yml.

Within the config file, there are parameters, executors, jobs, and steps that execute the scripts and commands that run the scans to create reports and container profiles that get added to the Slim platform collections.

The Orb is referenced by its slug, which contains the authoring organization's namespace and the orb name, followed by an @ symbol and a semantic version string indicating which version is used. You can find the Slim Scanner orb at slimdevops/slim-scanner.

Parameters, Executors, Jobs, and Steps

Parameters define the image to be scanned, the connector used to fetch the image, and the tag used for the cimg/base executor image.

Executors define the environment in which one or more jobs in the CircleCI workflow run. An executor can run scripts or commands, and it holds resources such as the Docker image tag and user credentials.

Jobs are the tasks executed in a workflow: publishLatestToHub uses Docker to build and push an image to a Docker repository, and scan runs the suite of Slim.AI vulnerability and profile scans and adds the resulting artifacts to a collection for easy access.

The steps within the CircleCI scan job check for vulnerabilities and create a report that can be viewed and stored throughout the project's life.

The final section of config.yml is workflows, which defines the jobs to run: publishing the image and scanning the project.
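The following is an added illustration of how these pieces fit together in a .circleci/config.yml; it is not the orb-demo project's own file. The orb version, the image and connector values, the reports directory, and the slim-scanner/scan command with its parameters are assumptions or placeholders: take the real command and parameter names, and the current version, from the orb's registry page.

```yaml
version: 2.1

orbs:
  # Slug is namespace/name@semver; x.y.z is a placeholder for the current release.
  slim-scanner: slimdevops/slim-scanner@x.y.z

parameters:
  image:
    type: string
    default: "<docker_username>/<node-app-name>:latest"  # image to scan
  connector:
    type: string
    default: "<slim-connector-id>"  # Slim connector that can pull the image
  tag:
    type: string
    default: "stable"  # cimg/base tag used by the executor

executors:
  base:
    docker:
      - image: cimg/base:<< pipeline.parameters.tag >>

jobs:
  publishLatestToHub:
    executor: base
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Build and push image
          # The token comes from the job environment and is passed on stdin,
          # so it never appears in the command line or the job log.
          command: |
            docker build -t << pipeline.parameters.image >> .
            echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
            docker push << pipeline.parameters.image >>
  scan:
    executor: base
    steps:
      # Hypothetical command and parameter names (see lead-in). SAAS_KEY, ORG_ID
      # and FAV_COLLECTION_ID are read from the job environment, not written here.
      - slim-scanner/scan:
          image: << pipeline.parameters.image >>
          connector: << pipeline.parameters.connector >>
      - store_artifacts:
          path: ./reports  # assumed location of readme.html, vuln.json, xray.json

workflows:
  publish-and-scan:
    jobs:
      - publishLatestToHub
      - scan:
          requires:
            - publishLatestToHub
```

Set the five secrets as CircleCI project environment variables or a context rather than committing a .env file, so they are available to both jobs without landing in the repository.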

Step 4: Connect project repo to CircleCI

Once your app configuration is set up, add the project code repository to CircleCI by selecting your config.yml file.

Push the project to the remote to trigger a build, then navigate to the CircleCI Pipeline. Now that setup is complete, build your project to view your artifacts.

The vulnerability scan and X-Ray report can be found under the project's steps.

In the current demo version (config.yml), the final step in the Pipeline is called “scan”. The results are stored under the Artifacts tab where you are able to view the readme.html file which provides a link to your Slim platform, where reports and scans are stored for further analysis.

View container images and scan reports in the Slim platform under “Collections”. Vulnerability reports and the X-Ray profile scan are also stored as JSON files for later reference.

Conclusion

Slim.AI's Orb is great for automating security, providing snapshots of risks and container details to generate security analytics as your app scales. Security is at the forefront of DevOps, and Orbs are one way of maintaining a collection of telemetry with minimal effort, especially as projects scale over time.

This example uses Docker Hub’s public repo. If interested in private repositories or other cloud platforms, get in touch with the Slim.AI team, especially if your project involves handling private credentials.