Container Scan

To show how incorporating AccuKnox into a CI/CD pipeline with GitLab can improve security, let's look at a detailed example involving a Docker image that initially had known vulnerabilities. By running the AccuKnox scan in the pipeline, we can find and fix these vulnerabilities before the image is deployed. The following narrative illustrates this process by comparing the situation before and after adding AccuKnox, as seen in the GitLab job logs.

Scenario Before Integrating AccuKnox

Context

The Docker image was built from a Dockerfile using an outdated base image (node:15-slim) that contained known security vulnerabilities. Because the base image was old, every image built from it inherited those weaknesses.

Dockerfile Example:

# node:15-slim is an outdated base image with known vulnerabilities
FROM node:15-slim

Issues

  • The outdated base image had several known vulnerabilities.

  • The Docker image was being pushed to the registry without any security validation.

Steps for Integrating AccuKnox

Step 1: Log in to AccuKnox. Navigate to Settings and select Tokens to create an AccuKnox token for forwarding scan results to the SaaS. For details on generating tokens, refer to How to Create Tokens.

Step 2: Configure GitLab CI/CD Variables. For details on configuring variables, refer to How to Create CI/CD Variables in GitLab.

  1. ACCUKNOX_TOKEN: AccuKnox API token for authorization.

  2. ACCUKNOX_TENANT: Your AccuKnox tenant ID.

  3. ACCUKNOX_ENDPOINT: The AccuKnox API URL (e.g., cspm.demo.accuknox.com).

  4. ACCUKNOX_LABEL: The label for your scan.

Step 3: Set Up GitLab CI/CD Pipeline

Create a new pipeline in your GitLab project with the following YAML configuration:

include:
  - component: $CI_SERVER_FQDN/accu-knox/scan/container-scan@1.0
    inputs:
      STAGE: test
      TAG: "v1"
      DOCKERFILE_CONTEXT: Dockerfile
      REPOSITORY_NAME: gitlab-ci-testing
      INPUT_SOFT_FAIL: false
      ACCUKNOX_TOKEN: ${ACCUKNOX_TOKEN}
      ACCUKNOX_TENANT: ${ACCUKNOX_TENANT}
      ACCUKNOX_ENDPOINT: ${ACCUKNOX_ENDPOINT}
      ACCUKNOX_LABEL: ${ACCUKNOX_LABEL}

Scenario After Integrating AccuKnox

Enhancing the GitLab Workflow: We then added a step to our GitLab workflow that runs the AccuKnox vulnerability scan on the newly built Docker image before it is pushed.

Outcome

  • AccuKnox scanned the Docker image for vulnerabilities, and if critical issues were detected, the pipeline halted the deployment, preventing the image from being pushed to the registry.

  • If no critical vulnerabilities were found, the image was approved and successfully pushed.
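The gating behaviour described above can be made concrete with a small decision routine. This is an added example, not code from AccuKnox or the GitLab component: the JSON layout of the scan output is constructed for illustration (the component's real output format is not shown on this page), and the soft-fail switch mirrors the INPUT_SOFT_FAIL input from the pipeline configuration. It generalizes slightly beyond the text by letting the caller choose which severities block the push, with "CRITICAL" as the default.

```python
"""Gate a container image on its scan results inside a CI job.

Added example, not AccuKnox's code. The scan JSON layout below is a
constructed assumption; the real component's output may differ.
"""
import json

# Constructed sample output for an image built from node:15-slim (not real data)
SAMPLE_SCAN_JSON = json.dumps({
    "image": "gitlab-ci-testing:v1",
    "findings": [
        {"id": "FINDING-1", "severity": "CRITICAL", "package": "example-lib-a"},
        {"id": "FINDING-2", "severity": "HIGH", "package": "example-lib-b"},
        {"id": "FINDING-3", "severity": "LOW", "package": "example-lib-c"},
    ],
})


def summarize(scan_json: str) -> dict:
    """Count findings per severity; unknown or missing severities are grouped as UNKNOWN."""
    data = json.loads(scan_json)
    counts: dict = {}
    for finding in data.get("findings", []):
        severity = str(finding.get("severity", "UNKNOWN")).upper()
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def decide(counts: dict, soft_fail: bool = False, block_on=("CRITICAL",)) -> int:
    """Return the job exit code: 1 halts the pipeline (image is not pushed), 0 lets it through.

    soft_fail=True reports the findings but never blocks, which is the
    behaviour selected by INPUT_SOFT_FAIL in the pipeline configuration.
    """
    blocking = sum(n for sev, n in counts.items() if sev in set(block_on))
    if blocking and not soft_fail:
        return 1
    return 0


def gate(scan_json: str, soft_fail: bool = False, block_on=("CRITICAL",)) -> tuple:
    """Parse the scan output and return (exit_code, severity_counts)."""
    counts = summarize(scan_json)
    return decide(counts, soft_fail, block_on), counts


if __name__ == "__main__":
    code, counts = gate(SAMPLE_SCAN_JSON, soft_fail=False)
    print(f"severity counts: {counts}")
    print("blocked: image not pushed" if code else "passed: image may be pushed")
    raise SystemExit(code)
```

Run as a script, the sample scan exits with status 1 because of the single CRITICAL finding; with soft_fail=True the same findings are printed but the exit status is 0, so the push step still runs. Passing block_on=("CRITICAL", "HIGH") tightens the gate to the next severity tier.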


View Results in AccuKnox SaaS

Step 1: Once the scan is complete, open the AccuKnox SaaS and navigate to Issues → RegistryScan. Find the repository name there and select it to see the associated findings.


Step 2: After clicking on the image name, the user will be able to see the metadata for the image that was built during the workflow execution.


Step 3: The Vulnerabilities section lists the vulnerabilities found in this image, together with the relevant details for each. The same findings also appear under Issues → Vulnerabilities, where they can be managed alongside findings from other sources.


Step 4: The Resources section contains information about packages and modules that were used to build the code base into a container image.


Step 5: The scan history shows every scan that was triggered by the workflow.


Conclusion

By integrating AccuKnox into the GitLab CI/CD pipeline, the security of Docker images is significantly improved. Vulnerabilities are detected early, before insecure images reach production. The workflow lets teams remediate issues as part of the pipeline and ensures that only images which pass the scan make it to the registry.