AWS Code Pipeline - Container Scan¶

This document contains the process of integrating AccuKnox Container Scanning with AWS CodePipeline. By incorporating AccuKnox scanning into the pipeline, we can identify and resolve these vulnerabilities before deploying the image.

Prerequisites¶

Before beginning the integration, ensure you have the following:

AWS CodePipeline access - Administrative access to create and modify pipelines.
- 📖 Reference: Getting Started with AWS CodePipeline
- 📖 Reference: Create a Pipeline in AWS CodePipeline
AWS CodeBuild access - Make sure that you have added the codestar-connections:UseConnection IAM permission to your service role policy.
- 📖 Reference: Getting Started with AWS CodeBuild
AccuKnox UI access - Access to the AccuKnox platform.
AWS IAM Configuration - Proper service role permissions configured.
- 📖 Reference: Add permissions to your CodeBuild service role policy
AccuKnox API credentials, including:
- Tenant ID
- Authentication Token
- Endpoint URL
- Labels
Repository Configuration:
- Full clone enabled - Ensure AWS CodePipeline is configured to pass metadata that allows CodeBuild actions to perform a full Git clone.
  - 📖 Reference: Enable Full Clone in AWS CodeBuild

Configuration Steps¶

Step 1: Configure AWS CodePipeline Environment Variables¶

Add the following environment variables to your CodeBuild project or pipeline configuration:

📖 Reference: Set Environment Variables in CodeBuild Project

Name	Description	Required	Example Value
`ACCUKNOX_ENDPOINT`	The URL of the CSPM panel to push the scan results to.	Yes	`cspm.demo.accuknox.com`
`ACCUKNOX_TOKEN`	Token for authenticating with the AccuKnox CSPM panel. Refer to How to Create Tokens.	Yes	`your_api_token_here`
`ACCUKNOX_LABEL`	Token for authenticating with the AccuKnox CSPM panel. Refer to How to Create Tokens.	Yes	`test123`
`ACCUKNOX_TENANT`	AccuKnox tenant id.	Yes	`167`

Step 2: Configure AWS CodeBuild Specification (buildspec.yml)¶

Create or update your buildspec.yml file in your repository root with the following configuration:

version: 0.2

env:
  variables:
    SOFT_FAIL: "true"
    IMAGE: "gitlab"
    IMAGE_TAG: "test"
    IMAGE_TAR: "image.tar"

phases:
  pre_build:
    commands:
      - echo "Installing AccuKnox ASPM scanner..."
      - pip install [https://github.com/accuknox/aspm-scanner-cli/releases/download/v0.12.1/accuknox_aspm_scanner-0.12.1-py3-none-any.whl](https://github.com/accuknox/aspm-scanner-cli/releases/download/v0.12.1/accuknox_aspm_scanner-0.12.1-py3-none-any.whl) --break-system-packages
  build:
    commands:
      - |
        echo "Running AccuKnox container scan"
        docker build -t $IMAGE:$IMAGE_TAG -f Dockerfile .
        docker save -o $IMAGE_TAR $IMAGE:$IMAGE_TAG
        docker load -i $IMAGE_TAR
        if [ "$SOFT_FAIL" = "true" ]; then
          SOFT_FAIL_ARG="--softfail"
        fi
        CMD="image $IMAGE_NAME"
        [ -n "$IMAGE_TAG" ] && CMD="image $IMAGE:$IMAGE_TAG"
        [ -n "$SEVERITY" ] && CMD="$CMD --severity $SEVERITY"
        echo accuknox-aspm-scanner scan $SOFT_FAIL_ARG container --command "$CMD" --container-mode
        accuknox-aspm-scanner scan $SOFT_FAIL_ARG container --command "$CMD" --container-mode

artifacts:
  files:
    - '**/*'
    - $IMAGE_TAR