Security is never an afterthought; however, it can be relatively painless in development iterations with automated processes. Slim.AI has published a CircleCI Orb, slimdevops/slim-scanner, that leverages the Slim platform to perform container security analysis every time you build a new container on CircleCI.
CircleCI Orbs are shareable packages of code, commands, and configuration elements to run with build and deployment cycles. Slim.AI has built an Orb for your Node.js backend projects, to scan for vulnerabilities and collect container reports for easy analysis with Slim platform tools.
What is CircleCI?
CircleCI is an established Continuous Integration, Continuous Deployment (shortened to CI/CD) platform that gives developers an informed look at every branch, build, and environment of a project. CircleCI Orbs are elements easily integrated into an app’s build, automated to run every time.
The Benefits of using Orbs
Orbs simplify your configuration by providing parameterizable configuration elements; add an Orb to your build steps in a few lines! By authoring an Orb, Slim.AI allows for a configuration element to be defined once and utilized across multiple projects. In this case, Slim.AI’s Orb defines a vulnerability scan and container report to be utilized in any OCI-compliant container.
What is Slim.AI’s Orb?
Running the SlimDevOps Orb with app builds will add a container profile to the Slim platform for every scan and report. Three artifacts are generated when this Orb runs: a container profile (xray.json), a vulnerability report (vuln.json), and a results page (readme.html).
Over time, these references can be analyzed with Slim’s tools to further secure the container and keep track of new containers built.
Using Slim.AI’s Orb in a project requires initial setup before generating reports and storing container images. It integrates with your project’s CI/CD configuration and communicates with the Slim SaaS platform during the project build to execute scans and store reports. Once set up, as explained below, you get security monitoring on every build with minimal effort.
In this scenario, a developer has a Node.js project and a Dockerfile that builds a container of the app. Slim.AI’s Orb is used to build and publish the Node.js app to Docker Hub. The Orb scans the Docker image, provides a container profile (xray.json), vulnerability report (vuln.json), and results (readme.html) in the CircleCI Artifacts section, and saves the container image to the developer’s Slim platform Dashboard for easy reference later on.
Setup Overview
Fork the existing orb-demo project and follow along after connecting your existing accounts:
https://github.com/slimdevops/orb-demo
To build the container image, run:
docker build -t <docker_username>/<node-app-name> .
To run the container, use:
docker run <docker_username>/<node-app-name>
Start by configuring the following credentials for your project; they will subsequently be added to CircleCI.
DOCKERHUB_PASSWORD=Your Docker Hub access token
DOCKERHUB_USERNAME=Your Docker Hub username
SLIM_ORG_ID=Organization ID from Slim platform
SLIM_API_TOKEN=Slim platform Access Token
CONNECTOR_ID=Secure link between external container registry & Slim platform
Docker Hub Password and Username
These credentials are used as CircleCI parameters to publish app images. The username is the one you selected when signing up for Docker Hub. The password is generated from your account’s access tokens. You can use your access token to log in from the Docker CLI by running docker login -u your_username; when prompted for your password, enter your personal access token.
To create a new Docker Access Token, go to your Account Settings > Security > New Access Token. For more information, see Docker's security settings (login required).
Create your access token and get the secret value.
Connector ID, Organization ID, and SaaS Key
The Connector ID is found in the Slim platform under the ‘My Registries’ tab after connecting a new registry. When connecting, add your Docker username and Docker access token, which can be found in your Docker Hub account under Account Settings > Security.
If the connector is intended to enable access to an Organization’s images, you can populate the field Organization Account ID with the name of the organization which is found here: Dockerhub Account Settings > Organizations.
The Organization ID is found in Personal Information, under the Organization tab, and the ID starts with rko. Every user has a personal Organization ID when first joining the platform. The default is named ‘Org’, and users can add new ones. Orgs have distinct Connectors, and you can invite new members to any org.
The SaaS ID is a confidential, personal access token found under Personal Information > Tokens and can be created by adding a new token.
The .circleci/config.yml file is where the orb is “imported” and the jobs and steps are defined. Find an example file at https://github.com/slimdevops/orb-demo/blob/main/.circleci/config.yml
To add the Orb, see CircleCI’s Orb registry quickstart guide, which covers adding a specific Orb to the .circleci/config.yml file.
Within the config file, there are parameters, executors, jobs, and steps that execute the scripts and commands that run the scans to create reports and container profiles that get added to the Slim platform.
The Orb is configured with its slug which contains the authoring organization’s identifying namespace and orb name. This is followed by an @ symbol and a semantic versioning string, signifying which version is being used. You can find the Slim Scanner orb at slimdevops/slim-scanner.
Parameters, Executors, Jobs, and Steps
Parameters define the image to be scanned, the connector used to get the image, and the tag, which can be used for cimg/base.
Executors are used to run one or more jobs in the CircleCI workflow. An executor can run a script or command, and it contains resources, like the Docker image tag and user credentials.
Jobs are the tasks executed in a workflow: publishLatestToHub uses Docker capabilities to build and push an image to a Docker repo, and scan runs the suite of Slim.AI vulnerability and profile scans and adds these artifacts to the platform for easy access.
The steps within the CircleCI scan are used to check for vulnerabilities and create a report to be viewed and stored throughout the project’s life.
The final section of the config.yml is workflows, defining the engine-execution jobs, publishing the image and scanning the project.
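The following .circleci/config.yml is an added illustration of the structure described above (orb import, parameters, executor, the publishLatestToHub and scan jobs, and the workflow) and of how the credentials from the earlier setup section reach the build only as CircleCI environment variables. It is not the orb-demo project’s own file. The orb version x.y.z is a placeholder, and the orb command name slim-scanner/scan, its parameter names, and the artifact paths are assumptions; confirm them against the slimdevops/slim-scanner entry in the CircleCI Orb registry.

```yaml
version: 2.1

# Import the orb by slug: namespace/orb-name@semver.
# x.y.z is a placeholder; use the version listed in the Orb registry.
orbs:
  slim-scanner: slimdevops/slim-scanner@x.y.z

# Pipeline parameters: the image to scan, the Slim connector that can pull it,
# and the tag used for the cimg/base executor image.
parameters:
  image:
    type: string
    default: "<docker_username>/<node-app-name>"
  connector:
    type: string
    default: "<connector_id>"   # placeholder; the Connector ID from 'My Registries'
  tag:
    type: string
    default: "stable"

executors:
  base:
    docker:
      - image: cimg/base:<< pipeline.parameters.tag >>

jobs:
  # Build the Node.js app image and push it to Docker Hub.
  # DOCKERHUB_USERNAME and DOCKERHUB_PASSWORD come from the project's
  # Environment Variables in CircleCI, never from this file.
  publishLatestToHub:
    executor: base
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Docker Hub login (token read from stdin, not the command line)
          command: echo "$DOCKERHUB_PASSWORD" | docker login -u "$DOCKERHUB_USERNAME" --password-stdin
      - run:
          name: Build and push
          command: |
            docker build -t << pipeline.parameters.image >>:latest .
            docker push << pipeline.parameters.image >>:latest

  # Scan the pushed image with the Slim platform. The command name and its
  # parameters are assumed; SLIM_API_TOKEN and SLIM_ORG_ID are expected to be
  # project environment variables, like the Docker Hub credentials above.
  scan:
    executor: base
    steps:
      - slim-scanner/scan:
          image: << pipeline.parameters.image >>:latest
          connector: << pipeline.parameters.connector >>
      # Keep the three reports with the build (paths assumed to be the working directory).
      - store_artifacts:
          path: xray.json
      - store_artifacts:
          path: vuln.json
      - store_artifacts:
          path: readme.html

workflows:
  build-and-scan:
    jobs:
      - publishLatestToHub
      - scan:
          requires:
            - publishLatestToHub
```

Two points worth checking in your own file: every secret is referenced as a shell variable inside a run step (so it is injected by CircleCI at runtime and never committed), and the scan job declares requires on the publish job so it only ever scans an image that has actually been pushed.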
Once your app configuration is set up, add the project code repository to CircleCI by selecting your config.yml file.
After setting up the project, navigate to the project settings within CircleCI and, in the ‘Environment Variables’ tab, add all the credentials that you set up earlier.
Push the project to the remote to trigger a build, and navigate to the CircleCI Pipeline. Now that setup is complete, build your project to view your artifacts.
In the current demo version (config.yml), the final step in the Pipeline is called “Slim Container Scanning”. Once all the steps are completed, the results are stored under the Artifacts tab where you are able to view the readme.html file - shown below - which provides a link to your Slim platform, where reports and scans are stored for further analysis.
View container images and scan reports in the Slim platform. Vulnerability reports and the X-Ray profile scan are also stored as JSON files for later reference.
Slim.AI’s Orb is great for automating security, providing snapshots of risks and container details to generate security analytics as your app scales. Security is at the forefront of DevOps, and Orbs are one way of using minimal effort to maintain a collection of telemetry, especially as projects scale over time.