Introducing Slim's Scanner Orb for CircleCI

Heather Thacker
← Slim Blog

Security is never an afterthought; however, it can be relatively painless in development iterations with automated processes. Slim.AI has published a CircleCI Orb, slimdevops/slim-scanner, that leverages the Slim platform to perform container security analysis every time you build a new container on CircleCI.

CircleCI Orbs are shareable packages of code, commands, and configuration elements to run with build and deployment cycles. Slim.AI has built an Orb for your Node.js backend projects, to scan for vulnerabilities and collect container reports for easy analysis with Slim platform tools.

What is CircleCI?

CircleCI is an established Continuous Integration, Continuous Deployment (shortened to CI/CD) platform that gives developers an informed look at every branch, build, and environment of a project. CircleCI Orbs are elements easily integrated into an app’s build, automated to run every time.

The Benefits of using Orbs

Orbs simplify your configuration by providing parameterizable configuration elements– add an Orb to your build steps in a few lines! By authoring an Orb, Slim.AI allows for a configuration element to be defined once and utilized across multiple projects. In this case, Slim.AI’s Orb defines a vulnerability scan and container report to be utilized in any OCI-compliant container.

What is Slim.AI’s Orb?

Running the SlimDevOps Orb with app builds will add a container profile to the Slim platform for every scan and report. Three artifacts are generated when this Orb runs:

  • The results (readme.html) is a HTML file with vulnerability and profile results, and it links to the Slim platform for easy reference.
  • The vulnerability report (Vuln.json) is an aggregated json file, from two scans, using open source scanners (Grype and Trivy). It is the same report that is generated in the Slim SaaS.
  • The container profile (XRay.json) is a JSON report with details about the Docker container composition– its base image, layers, size, and additional metadata.

Over time, these references can be analyzed with Slim’s tools to further secure the container and keep track of new containers built.

Using Slim.AI’s Orb in a project requires initial setup before generating reports and storing container images. It integrates with your project’s CI/CD configuration and communicates with the Slim SaaS platform during the project build to execute scans and store reports. Once initiated, as explained below, then with minimal effort you can enjoy peace of mind with security monitoring on every build.

Running the Slim.AI Orb with Node.js app

In this scenario, a developer has a Node.js project and Dockerfile that builds a container of the app. Slim.AI’s Orb is used to build and publish the Node.js app to Docker Hub. The Orb scans the docker image and provides a container profile (xray.json), vulnerability report (vuln.json), and results (readme.html) in the CircleCI Artifacts section which saves the container image to the developer’s Slim platform Dashboard for easy reference later on.

Prerequisites to complete this example

Setup Overview

  1. Have existing Node.js project
  2. Build and Run Docker in project
  3. Add environment variables to project
  4. Add Orb to CircleCI config
  5. Add project to CircleCI
  6. Push project to remote and trigger build
  7. View Artifacts in CircleCI pipeline
  8. View in Slim platform

Fork the existing orb-demo project and follow along after connecting existing accounts

Step 1: Build Docker image

docker build -t <docker_username>/<node-app-name> .

To run container, use:

docker run <docker_username>/<node-app-name>

Step 2: Set up the Orb

Start by configuring the following credentials for your project - which will subsequently be added to CircleCI. 

DOCKERHUB_PASSWORD=Your Docker Hub access token

DOCKERHUB_USERNAME=Your Docker Hub username

SLIM_ORG_ID=Organization ID from Slim platform

SLIM_API_TOKEN=Slim platform Access Token

CONNECTOR_ID=Secure link between external container registry & Slim platform

Docker Hub Password and Username

These credentials are used as CircleCI parameters to publish app images. The username is what you selected when signing up for Docker Hub. The password is generated from your account’s access tokens. You can use your access token to login from Docker CLI by running docker login -u your_username when you will be prompted for your password, your personal access token.

To create a new Docker Access Token, go to your Account Settings > Security > New Access Token. For more information, see Docker's security settings (login required).

Create your access token and get the secret value.

Connector ID, Organization ID, and SaaS Key

The Connector ID is found in the Slim platform, after connecting a registry, under the ‘My Registries’ tab, and by connecting a new Registry. You can add your docker username, and docker access token - which can be found in your Docker Hub account under Account Settings > Security.

If the connector is intended to enable access to an Organization’s images, you can populate the field Organization Account ID with the name of the organization which is found here: Dockerhub Account Settings > Organizations.

The Organization ID is found in Personal Information, under the Organization tab, and the ID starts with rko. Every user has a personal Organization ID when first joining the platform. Default is named ‘Org’ and users can add new ones. Orgs have distinct Connectors, and you can invite new members to any org.

The SaaS ID is a confidential, personal access token found under Personal Information > Tokens and can be created by adding a new token.

Step 3: Configure the CircleCI YAML file

The circleci/config.yml file is where the orb is “imported” and the jobs and steps are defined. Find an example file at

Add Orb by going to CircleCI’s Orb registry for a quickstart guide, including adding a specific Orb into the file .circleci/config.yml.

Within the config file, there are parameters, executors, jobs, and steps that execute the scripts and commands that run the scans to create reports and container profiles that get added to the Slim platform.

The Orb is configured with its slug which contains the authoring organization’s identifying namespace and orb name. This is followed by an @ symbol and a semantic versioning string, signifying which version is being used. You can find the Slim Scanner orb at slimdevops/slim-scanner.

Within the config file, there are parameters, executors, jobs, and steps that execute the scripts and commands that run the scans to create reports and container profiles that get added to the Slim platform.

Parameters, Executors, Jobs, and Steps

Parameters define the image to be scanned, connector used to get the image, and tag which can be used for cimg/base.

Executors are used to run one or more jobs in the CircleCI workflow. It can be a script or command, and contains resources, like docker image tag and user credentials.

Jobs are the tasks executed in a workflow, publishLatestToHub uses Docker capabilities to build and push an image to a Docker repo, and scan which runs the suite of Slim.AI vulnerability and profiles scans, and adds these artifacts to the platformfor easy access.

The steps within the CircleCI scan are used to check for vulnerabilities and create a report to be viewed and stored throughout the project’s life.

The final section of theconfig.yml is workflows, defining the engine-execution jobs, publishing the image and scanning the project.

Step 4: Connect project repo to CircleCI

Once your app configuration is set up, add the project code repository to CircleCI by selecting your config.yml file.

After setting up the project, navigate to project settings within CircleCI and add all the credentials that you previously set up in the ‘Environment Variables’ tab. 

Push project to remote to trigger build, and navigate to CircleCI Pipeline. Now that setup is complete, build your project to view your artifacts.

In the current demo version (config.yml), the final step in the Pipeline is called “Slim Container Scanning”. Once all the steps are completed, the results are stored under the Artifacts tab where you are able to view the readme.html file - shown below - which provides a link to your Slim platform, where reports and scans are stored for further analysis.

View container images and scan reports in the Slim platform. Vulnerability reports and the X-Ray profile scan are also stored as JSON files for later reference.


Slim.AI’s Orb is great for automating security, providing snapshots of risks and container details to generate security analytics as your app scales. Security is at the forefront of DevOps, and Orbs are one way of using minimal effort to maintain a collection of telemetry, especially as projects scale over time.

This example uses Dockerhub’s public repo. If interested in private repositories or other cloud platforms, get in touch with the Slim.AI team, especially if your project involves handling private credentials.

Make security collaboration easier today

Join the waitlist to try out Slim's shared workspace for communicating and coordinating vulnerability fixes with your software vendors.
Responsive HubSpot Form

Join our Beta

Take the complexity and frustration out of coordinating vulnerability fixes with your vendors.

  • Communicate directly in the platform to assign owners, due dates and negotiate fixes
  • Get a view into the status of each vulnerability
  • Receive notifications the moment vulnerabilities are fixed

Additionally, our Beta users get access to:

  • Multiple vulnerability scanners
  • SBOM generation
  • Reachability analysis
  • Enhanced container intelligence software
  • Dedicated Support

Join our Beta

Take the frustration out of vulnerability fixes with software vendors directly on our platform.

  • Assign owners, set due dates, track vulnerability statuses, and get instant fix notifications.
  • Beta users gain access to multiple scanners, SBOM generation, reachability analysis, enhanced container intelligence, and dedicated support.