
Continuous Integration

XKF provides a number of base templates for CI and CD; in this part we walk you through the CI pipeline. The core feature of the CI pipeline is that it produces an artifact containing the application container image.

The CI pipeline triggers the CD pipeline, which grabs the container artifact and pushes it to a central container registry: ACR on Azure and ECR on AWS.

When following these docs we assume that you have already imported the azure-devops-templates into your project.

There are a number of extra add-ons that you can enable on your build stage; we cover them below.

Hadolint

Hadolint is a linter for Dockerfiles and similar container files; it gives you suggestions on how to follow best practices.

This check is enabled by default; you can disable it by adding the following to your CI file:

dockerLint:
  enabled: false
  ignoreRuleViolations: false

You can add a config file for Hadolint in which you ignore specific rules.

Trivy

Trivy is a CLI container image scanner used to find CVEs in both your application dependencies and your base image.

To scan the image:

trivy <image-name>

After the image has been built, the pipeline scans it and sends you a report.

If you want to ignore specific Trivy findings you can create a .trivyignore file listing one CVE id per line. For example:

CVE-2020-29652

If you want to disable Trivy, you can do so by appending the following to your CI file:

imageScan:
  enable: true
  ignoreRuleViolations: true
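To make the two knobs above concrete, here is an added example (not code from the XKF templates or from Trivy) that models how an image-scan stage treats a Trivy report: every finding is still reported, ids listed in .trivyignore are set aside as accepted, and the build fails only when non-ignored findings remain and ignoreRuleViolations is false. The report layout follows the Results/Vulnerabilities shape of Trivy's JSON output but is simplified, and both the report and the ignore file are constructed; the CVE ids other than the one from the docs above are placeholders.

```python
"""Model of how an image-scan stage applies .trivyignore and
ignoreRuleViolations to a Trivy report. Added example, not the
XKF templates' or Trivy's own code; the data below is constructed."""
import json

# Constructed .trivyignore: one vulnerability id per line, '#' lines are comments.
TRIVYIGNORE_TEXT = """\
# accepted: affects a code path this service never calls
CVE-2020-29652

CVE-2021-00001
"""

# Constructed, simplified Trivy-style JSON report (real reports carry more fields).
TRIVY_REPORT_JSON = json.dumps({
    "Results": [
        {
            "Target": "myapp:1.0 (alpine 3.12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2020-29652", "PkgName": "golang.org/x/crypto",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2021-00001", "PkgName": "libfoo",
                 "Severity": "LOW"},
                {"VulnerabilityID": "CVE-2021-00002", "PkgName": "libbar",
                 "Severity": "CRITICAL"},
            ],
        },
        # A clean target: Trivy emits null instead of an empty list here.
        {"Target": "go.sum", "Vulnerabilities": None},
    ]
})


def parse_trivyignore(text):
    """Return the set of vulnerability ids listed in a .trivyignore file."""
    ids = set()
    for raw in text.splitlines():
        line = raw.strip()
        if line and not line.startswith("#"):  # skip blanks and comment lines
            ids.add(line)
    return ids


def findings(report_json):
    """Flatten a Trivy JSON report into (target, vuln_id, pkg, severity) tuples."""
    report = json.loads(report_json)
    out = []
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:  # tolerate null
            out.append((result["Target"], vuln["VulnerabilityID"],
                        vuln["PkgName"], vuln["Severity"]))
    return out


def evaluate_scan(report_json, trivyignore_text, ignore_rule_violations):
    """Decide the stage outcome.

    Returns (build_ok, reported, suppressed). Suppressed findings are the
    ones accepted via .trivyignore; they are kept so the report still shows
    them. The build fails only when reported findings remain and
    ignoreRuleViolations is false.
    """
    ignored = parse_trivyignore(trivyignore_text)
    reported, suppressed = [], []
    for f in findings(report_json):
        (suppressed if f[1] in ignored else reported).append(f)
    build_ok = ignore_rule_violations or not reported
    return build_ok, reported, suppressed


if __name__ == "__main__":
    ok, rep, sup = evaluate_scan(TRIVY_REPORT_JSON, TRIVYIGNORE_TEXT, False)
    print("build ok:", ok)
    for target, cve, pkg, sev in rep:
        print(f"  FAIL    {sev:8} {cve} in {pkg} ({target})")
    for target, cve, pkg, sev in sup:
        print(f"  ignored {sev:8} {cve} in {pkg} ({target}) via .trivyignore")
```

Run with `ignoreRuleViolations` set to true the same scan reports all three findings but still passes, which is why that setting is a reporting-only mode rather than a fix; the .trivyignore route is narrower because it names the exact ids whose risk has been reviewed and accepted.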

Horusec

Horusec is a CLI tool that scans your application code for security issues. It is disabled by default.

To enable Horusec in your CI pipeline

Before enabling Horusec in your CI pipeline, configure which issues the pipeline should catch:

horusec generate

This generates a file called horusec-config.json, in which you configure everything Horusec should scan and report.

You can find more Horusec config flags in the Horusec documentation.

Key config values:

  • horusecCliSeveritiesToIgnore: which severities should be ignored (and therefore not reported)?
  • horusecCliFilesOrPathsToIgnore: which files or paths should be ignored?

To save time you can run Horusec locally:

horusec start -p .
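The following added example (not Horusec's own code or the XKF templates) applies the two horusec-config.json keys listed above to a constructed set of findings, so you can see which findings survive the filters and would fail the pipeline. The finding layout (file, line, severity, rule) is a simplification of Horusec's output, and fnmatch-style globbing is an assumption about how the path patterns are matched; check the dropped list against Horusec's own report before relying on a pattern.

```python
"""Apply horusecCliSeveritiesToIgnore and horusecCliFilesOrPathsToIgnore to
a list of findings. Added example, not Horusec's code; data is constructed."""
import json
from fnmatch import fnmatch

# Constructed horusec-config.json with the two keys discussed above.
HORUSEC_CONFIG_JSON = json.dumps({
    "horusecCliSeveritiesToIgnore": ["INFO", "LOW"],
    "horusecCliFilesOrPathsToIgnore": ["**/tests/**", "**/*_test.go", "vendor/*"],
})

# Constructed findings (not real scan output).
FINDINGS = [
    {"file": "cmd/api/main.go", "line": 42, "severity": "HIGH",
     "rule": "Hard-coded credential"},
    {"file": "internal/auth/token_test.go", "line": 7, "severity": "HIGH",
     "rule": "Hard-coded credential"},
    {"file": "internal/tests/fixtures/keys.go", "line": 3, "severity": "MEDIUM",
     "rule": "Private key in source"},
    {"file": "vendor/lib/x.go", "line": 100, "severity": "CRITICAL",
     "rule": "Use of unsafe"},
    {"file": "pkg/log/log.go", "line": 12, "severity": "LOW",
     "rule": "Logging sensitive data"},
]


def path_ignored(path, patterns):
    """True when `path` matches any ignore glob (assumed fnmatch semantics).

    fnmatch lets '*' cross '/' so '**' behaves like '*'; a leading '**/' is
    also tried without the prefix so the pattern matches at the repo root.
    """
    for pat in patterns:
        candidates = {pat}
        if pat.startswith("**/"):
            candidates.add(pat[3:])
        if any(fnmatch(path, c) for c in candidates):
            return True
    return False


def apply_config(findings, config_json):
    """Split findings into (kept, dropped); dropped entries carry the reason."""
    cfg = json.loads(config_json)
    ignored_sev = {s.upper() for s in cfg.get("horusecCliSeveritiesToIgnore", [])}
    ignored_paths = cfg.get("horusecCliFilesOrPathsToIgnore", [])
    kept, dropped = [], []
    for f in findings:
        if f["severity"].upper() in ignored_sev:
            dropped.append((f, "severity"))
        elif path_ignored(f["file"], ignored_paths):
            dropped.append((f, "path"))
        else:
            kept.append(f)
    return kept, dropped


def pipeline_passes(findings, config_json):
    """The CI stage passes only when no finding survives the configured filters."""
    kept, _ = apply_config(findings, config_json)
    return not kept


if __name__ == "__main__":
    kept, dropped = apply_config(FINDINGS, HORUSEC_CONFIG_JSON)
    print("pipeline passes:", pipeline_passes(FINDINGS, HORUSEC_CONFIG_JSON))
    for f in kept:
        print(f"  KEEP {f['severity']:8} {f['file']}:{f['line']} {f['rule']}")
    for f, why in dropped:
        print(f"  drop {f['severity']:8} {f['file']}:{f['line']} ({why})")
```

Note what the broad `vendor/*` pattern does in this run: it silences a CRITICAL finding along with the test fixtures, so the dropped list is worth reading once whenever a path pattern is widened.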