How to scan for vulnerabilities with Codefresh pipelines
Codefresh can integrate with any security scanning platform that scans source code or Docker images for vulnerabilities.
The integration can happen via a freestyle step as long as the scanning solution offers any of :
- A Docker image with the scanner
- A CLI (that can be packaged in a Docker image)
- An API
Since all security solutions offer an API, Codefresh can essentially use any scanning solution via that interface.
Existing security integrations
Codefresh already offers Docker images for the following security platforms:
You can find more integrations as they are being added in the plugin directory.
Security scanning strategies
Because you can insert a scanning step anywhere in your pipeline, you have great flexibility on when a security scan is happening. Common strategies are.
- Scanning the source code before being packaged in a Container
- Scanning a container before it is being stored to a registry
- Scanning a container before being deployed to production
- A Combination of the above.
Here is an example pipeline that scans a Docker image with [Aqua]https://www.aquasec.com/ after being pushed to the internal Codefresh registry but before being promoted to the external Azure Registry.
This is the full pipeline definition:
The security scanning step is inserted after building the Docker image but before promoting the image to the Azure Docker registry.
Viewing Security reports
The easiest way to view security reports is to visit the portal/dashboard of the security platform that you are using
It is also possible however to attach Analysis Reports on Codefresh builds by using the test reporting feature.
Here we attach the Clair Scan report to the build that created.
You can then click on the Test Report button and view the full report:
Security scan results are also a perfect candidate for adding extra metadata to your Docker images.
You can add any metadata such as the number of issues for each category or even the URL the full report. This allows you easily correlate docker images in Codefresh and security results of your scanning platform.