Continuous Integration
XKF provides a number of base templates for CI and CD; this part walks you through the CI pipeline. The core job of the CI pipeline is to build the application container image and publish it as a pipeline artifact.
The CI pipeline then triggers the CD pipeline, which picks up the container artifact and pushes it to a central container registry: ACR on Azure and ECR on AWS.
These docs assume that you have already imported the azure-devops-templates into your project.
There are a number of extra add-ons that you can enable on your build stage; we cover them below.
Hadolint
Hadolint is a linter for Dockerfiles that flags deviations from best practices (unpinned package versions, missing USER instructions and the like).
The check is enabled by default. The `enabled` key turns it on or off, and `ignoreRuleViolations: true` lets the build continue even when hadolint reports violations. To disable it, add the following to your CI file:

```yaml
dockerLint:
  enabled: false
  ignoreRuleViolations: false
```
Hadolint also reads a `.hadolint.yaml` config file from the repository root, where an `ignored:` list lets you suppress specific rule codes (DL3008, for example). Prefer ignoring individual rules there, with a comment explaining why, over setting `ignoreRuleViolations: true`, which hides every finding from the build.
Trivy
Trivy is a CLI vulnerability scanner that checks both the OS packages of your base image and your application dependencies for known CVEs.
To scan an image locally:

```shell
trivy image <image-name>
```

After the pipeline has built the image it runs Trivy against it and publishes the report.
If you want to ignore specific Trivy findings, create a `.trivyignore` file in the repository root with one vulnerability ID per line. Only add an ID after you have confirmed the vulnerable code is not reachable or is otherwise mitigated, and record the reason in a comment. For example:

```
CVE-2020-29652
```
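A `.trivyignore` entry silences a CVE for everyone who builds the image, so it is worth checking the file before the scan runs. The script below is an added example and is not part of the XKF templates. It assumes the `.trivyignore` format that Trivy documents: one vulnerability ID per line, `#` comment lines, and an optional `exp:YYYY-MM-DD` suffix after which Trivy stops honouring the entry. The linter requires a justification comment immediately above each ID and an expiry date, and reports entries whose date has passed. The sample input is constructed; the second ID in it is a placeholder, not a real advisory.

```python
"""Lint a .trivyignore file before the CI image scan runs.

Added example, not XKF code. Assumed .trivyignore format: one
vulnerability ID per line, '#' comments, optional 'exp:YYYY-MM-DD' suffix.
"""
import re
import sys
from datetime import date

# CVE, GitHub advisory or distro-style IDs; anything else is flagged.
ID_RE = re.compile(r"^(CVE-\d{4}-\d{4,}|GHSA-[\w-]+|[A-Z]+-\d{4}-\d+)$")

# Constructed input. The first entry has a reason and an expiry that has
# already passed; the second (a placeholder ID) has neither.
SAMPLE = """\
# golang.org/x/crypto ssh: fixed by the base image rebuild in Q1
CVE-2020-29652 exp:2021-03-31
CVE-2000-00000
"""


def lint_trivyignore(text, today):
    """Return a list of (line_no, problem) tuples; empty means the file passes."""
    problems = []
    justified = False  # True when the previous line was a '#' comment
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            justified = False
            continue
        if line.startswith("#"):
            justified = True
            continue
        parts = line.split()
        vuln = parts[0]
        if not ID_RE.match(vuln):
            problems.append((n, f"unrecognised identifier {vuln!r}"))
        if not justified:
            problems.append((n, f"{vuln} has no preceding '#' justification comment"))
        exp = next((p[4:] for p in parts[1:] if p.startswith("exp:")), None)
        if exp is None:
            problems.append((n, f"{vuln} has no exp: date, so it will be ignored forever"))
        else:
            try:
                if date.fromisoformat(exp) < today:
                    problems.append((n, f"{vuln} exception expired on {exp}"))
            except ValueError:
                problems.append((n, f"{vuln} has malformed expiry {exp!r}"))
        justified = False
    return problems


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else ".trivyignore"
    with open(path) as fh:
        found = lint_trivyignore(fh.read(), date.today())
    for line_no, msg in found:
        print(f"{path}:{line_no}: {msg}")
    sys.exit(1 if found else 0)
```

Run it as a step before the image scan (`python lint_trivyignore.py .trivyignore`); a non-zero exit fails the build, so an expired or undocumented exception has to be revisited rather than silently carried forward.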
Trivy is controlled by the `imageScan` block in your CI file. Setting `enable` to `false` turns the scan off, and `ignoreRuleViolations: true` keeps the build from failing on findings (the report is still produced). Prefer a `.trivyignore` entry for a specific, reviewed CVE over ignoring all violations:

```yaml
imageScan:
  enable: true
  ignoreRuleViolations: true
```
Horusec
Horusec is a CLI tool that scans your application source code for security issues (static analysis). It is disabled by default.
To enable Horusec in your CI pipeline
Before enabling Horusec in your CI pipeline, configure which issues the pipeline should catch by generating a config file:

```shell
horusec generate
```

This creates a file called horusec-config.json, in which you configure everything Horusec should scan and report.
You can find more Horusec config flags here.
Key config values:
- horusecCliSeveritiesToIgnore: severities that Horusec should not report (for example INFO or LOW)
- horusecCliFilesOrPathsToIgnore: paths to exclude from the scan, such as vendored dependencies or test fixtures
To save time, run Horusec locally before pushing so you can tune the config against real findings:

```shell
horusec start -p .
```