Skip to main content
Version: 5.3

CircleCI

Scan for Vulnerabilities in the CircleCI Build Pipeline

The NeuVector CircleCI ORB triggers a vulnerability scan on an image in the CircleCI pipeline. The ORB is available in the CircleCI catalog and is also documented on the NeuVector GitHub page.

Deploy the NeuVector Allinone or Controller container if you haven't already done so on a host reachable by the CircleCI ORB. Make a note of the IP address of the host where the Allinone or Controller is running.

The ORB supports two use cases:

  1. Triggering the scan to be performed outside the CirclCI infrastructure. The ORB contacts the NeuVector scanner, which then pulls the image from a registry to be scanned. Make sure the ORB has network connectivity to the host where the NeuVector Controller/Allinone is running.
  2. Dynamically launching a NeuVector controller and scanner on a temporary vm running on the CircleCI platform. After launching and auto-configuring, the scan be done on image in the build, and after completion the NeuVector deployment is stopped and removed. For this use case, please see the documentation on the CircleCI ORB for NeuVector.

In addition, make sure there is a NeuVector scanner container deployed and configured to connect to the Allinone or Controller. In 4.0 and later, the neuvector/scanner container must be deployed separate from the allinone or controller.

Create a Context in Your CircleCI App

context

Configure Settings

Configure the Environment Variables for Connecting to and Authenticating

settings

Add the NeuVector orb to Your Build config.yaml

version: 2.1
orbs:
neuvector: neuvector/neuvector-orb@1.0.0
workflows:
scan-image:
jobs:
- neuvector/scan-image:
context: myContext
registry_url: https://registry.hub.docker.com
repository: alpine
tag: "3.4"
scan_layers: false
high_vul_to_fail: 0
medium_vul_to_fail: 3

The registry_url is the location to find the image to be scanned. Configure the repository name, tag, and if a layered scan should be performed. Add criteria for the build task to fail based on number of high or medium vulnerabilities detected.

Review the Results

The build task will pass or fail based on the criteria set. In either case you can review the full scan report. fail