Setting Up Container Scanning in GitHub CI/CD Pipeline
In this guide, we demonstrate how to incorporate AccuKnox's container scanning capabilities into a GitHub Actions workflow. The process ensures that vulnerabilities in Docker images are identified and remediated before deployment, significantly improving the security posture of your CI/CD pipeline.
Scenario Before Integration
- Context: The Docker image was built using an outdated base image (node:15-slim) with known vulnerabilities, introducing security risks into the deployment pipeline.
- Issues:
  - Vulnerabilities in the base image were not detected.
  - The image was pushed to the registry without any security validation.
Steps for Integrating AccuKnox
Step 1: Generate AccuKnox Token
Log in to AccuKnox, navigate to Settings, and select Tokens to create an AccuKnox token for forwarding scan results to SaaS. For details on generating tokens, refer to How to Create Tokens.
Step 2: Configure GitHub Secrets
Store the following values as GitHub repository secrets:
- ACCUKNOX_TOKEN: AccuKnox API token.
- ACCUKNOX_LABEL: Custom label for associating scan results.
- ACCUKNOX_ENDPOINT: (Optional) AccuKnox API URL (default: cspm.demo.accuknox.com).
Step 3: Set Up GitHub Actions Workflow
Create a workflow YAML file in your repository at .github/workflows/accuknox-scan.yml:

```yaml
name: AccuKnox Container Scan Workflow

on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - main

jobs:
  accuknox-cicd:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v4

      - name: Run AccuKnox CSPM Scan
        uses: accuknox/container-scan-action@v1.0.1
        with:
          soft_fail: false
          accuknox_endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
          accuknox_label: ${{ secrets.ACCUKNOX_LABEL }}
          accuknox_token: ${{ secrets.ACCUKNOX_TOKEN }}
          image: "your-image-name"
          tag: "latest"
          severity: "LOW, MEDIUM, HIGH, CRITICAL, UNKNOWN"
```
Inputs for AccuKnox Container Scan Action

| Input Name | Description | Optional/Required | Default Value |
|---|---|---|---|
| accuknox_token | The token for authenticating with the CSPM panel. | Required | None |
| accuknox_label | The label created in AccuKnox SaaS. | Required | None |
| accuknox_endpoint | The URL of the CSPM panel to push the scan results to. | Required | cspm.demo.accuknox.com |
| image | Name of the container image to scan. | Required | None |
| tag | Version tag for the container image. | Optional | None |
| severity | Severity levels that block the pipeline (LOW, MEDIUM, HIGH, etc.). | Optional | None |
| soft_fail | Fail the pipeline if secrets are found. | Optional | false |
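As an added example that is not part of the AccuKnox documentation, the following workflow builds the image locally, scans it, and only then pushes it, so an image with findings at the gated severities never reaches the registry (the gap described in the scenario above). It assumes the scan action can scan an image loaded into the runner's local Docker daemon, and uses GHCR with a placeholder image name; the docker/* actions and the GHCR login are standard GitHub Actions, not AccuKnox's.

```yaml
name: Build, Scan, then Push

on:
  push:
    branches:
      - main
env:
  # Placeholder image name (assumption: GHCR is the registry; GHCR requires lowercase names)
  IMAGE: ghcr.io/example-org/example-app
jobs:
  build-scan-push:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      packages: write # needed to push to GHCR
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      # Build into the runner's local Docker daemon only; nothing reaches the registry yet.
      - name: Build image locally
        uses: docker/build-push-action@v5
        with:
          context: .
          push: false
          load: true
          tags: ${{ env.IMAGE }}:${{ github.sha }}

      # Gate: with soft_fail false, a finding at any listed severity fails this step,
      # so the login and push steps below never run (default step behaviour on failure).
      - name: Run AccuKnox container scan
        uses: accuknox/container-scan-action@v1.0.1
        with:
          soft_fail: false
          accuknox_endpoint: ${{ secrets.ACCUKNOX_ENDPOINT }}
          accuknox_label: ${{ secrets.ACCUKNOX_LABEL }}
          accuknox_token: ${{ secrets.ACCUKNOX_TOKEN }}
          image: ${{ env.IMAGE }}
          tag: ${{ github.sha }}
          severity: "HIGH, CRITICAL"

      - name: Log in to GHCR
        uses: docker/login-action@v3
        with:
          registry: ghcr.io
          username: ${{ github.actor }}
          password: ${{ secrets.GITHUB_TOKEN }}

      - name: Push the scanned image
        run: docker push "${IMAGE}:${GITHUB_SHA}"
```

Tagging by commit SHA rather than `latest` means the exact image that passed the scan is the one that gets pushed and can be traced back to the findings shown in the AccuKnox dashboard.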
Scenario After Integration
- Workflow Enhancements:
  - The pipeline scans Docker images during the build process.
  - Critical vulnerabilities halt the pipeline, ensuring only secure images are deployed.
- Outcome:
  - Vulnerabilities are identified and remediated before the image reaches production.
  - Secure images are pushed to the registry with confidence.
Viewing Results in AccuKnox SaaS
Step 1: After the workflow completes, navigate to the AccuKnox SaaS dashboard.
Step 2: Go to Issues > Findings and select Container Image Findings to see identified vulnerabilities.
Step 3: Click on a vulnerability to view more details.
Step 4: Fix the Vulnerability
Follow the instructions in the Solutions tab to fix the vulnerability.
Step 5: Create a Ticket for Fixing the Vulnerability
Create a ticket in your issue-tracking system to address the identified vulnerability.
Step 6: Review Updated Results
- After fixing the vulnerability, rerun the GitHub pipeline.
- Navigate to the AccuKnox SaaS dashboard and verify that the vulnerability has been resolved.
Conclusion
By integrating AccuKnox into your GitHub CI/CD pipeline, container images are scanned and validated for security vulnerabilities. The integration prevents insecure images from being deployed and ensures a secure development lifecycle.