Introducing a Security Feedback Loop to your CI Pipelines
0 likes308 views
The document discusses the integration of security feedback loops into CI pipelines using Codefresh and Twistlock, highlighting their importance in vulnerability management and code quality. It outlines Steelcase's implementation of security scanning in its processes and the benefits of automation for enhanced security during development. Additionally, the document provides a demo of the Twistlock and Codefresh integration, showcasing how it streamlines security scans and compliance checks in the CI/CD workflow.
![Twistlock / Codefresh Integration
➢ Docker image containing Twistlock CLI, Codefresh CLI and
Python scripting to tie the two together.
➢ Runs locally and on Codefresh (Docker Swarm or K8S)
➢ Adds Docker image metadata (Annotations)
• Compliance and Vulnerability counts for each level
[ critical, high, medium, low ]
• Security Scan results Pass/Fail
• Twistlock Report URL
➢ Determine Build Success or Failure based on exit code of the
Twistlock scan and pass that back to Version Control System
https://github.com/SC-TechDev/docker-twistcli](https://image.slidesharecdn.com/introducingasecurityfeedbacklooptoyourcipipelines-180328183859/85/Introducing-a-Security-Feedback-Loop-to-your-CI-Pipelines-18-320.jpg)
Introducing a Security Feedback Loop to your CI Pipelines
- 1. Introducing a Security Feedback Loop to your CI Pipelines Matthew Barker ⎸Twistlock Dustin Van Buskirk ⎸Codefresh Varun Tagore Korrapati ⎸Steelcase
- 2. Matthew Barker Senior Solutions Architect
- 3. Dustin Van Buskirk Senior Solutions Architect
- 4. Varun Tagore Korrapati DevOps Engineer
- 5. How to Implement Security Scanning with Codefresh and Twistlock ➢How Twistlock Improves Security ➢Why Steelcase uses Security Scanning in their CI Pipelines ➢How Codefresh Automation Works ➢DEMO! Twistlock CLI / Docker image scanning as part of your Codefresh pipelines.
- 6. ● Steelcase is a 106 year old furniture company. ● Steelcase also offers a various services like Workplace Advisor. ● Thousands of IOT devices deployed. ● Fortune 500 Customers. Privacy is critical!
- 9. Security scanning is a critical part of vulnerability management: Reduce cost compared to fixing flaws in production Eliminate high or critical vulnerabilities as soon as possible Improved code quality helps avoid costly breaches 1 2 3
- 10. Advantage of scanning with Twistlock Accuracy: Fewer false positives and negatives Control: Set thresholds based on vulnerability or compliance status Fix status: Put remediation information in developers’ fingertips
- 11. What thresholds can I set with Twistlock? Alert or block specific package based on specific vulnerability level Example 1: Block all High vulnerabilities in XXXX library Alert or block specific builds based on compliance issues Example 2: Alert on builds that have Medium or higher compliance issues Incorporate status of fixes for added control Example 3: Block all builds Medium or higher that have a known fix
- 12. Where does Twistlock integrate with Codefresh?
- 13. Adopting Kubernetes by cobbling together lots of tools and scripts is costly and time consuming ● Build servers ● Staging servers ● Build automation ● Webhooks ● Docker registry ● Kubectl ● Helm ● CI Tests ● Integration Tests ● UI Tests ● Performance Tests ● Security Scans ● Deployment tools ● Secrets management ● Configuration testing ● Traceability Dashboards Why Codefresh?
- 14. Codefresh is a DevOps Platform Built for Kubernetes Kubernetes CI/CD Pipelines Self-Service Test Environments Docker & Helm Registry Release Management
- 15. Steelcase Use Cases Before/Why? • how much security is enough security? • No security implementation in code and docker container configuration? • Hard to control what security standards and practices are followed when there are multiple developer teams working on different applications. • Get unified security standards for all the microservices. • ?Secure application from within. Why Automate: • Catch up with Security ask! • Doesn't satisfy the laws of DevOps speed. • Scan the images before they go to production or even master. • Fast and Secure development with continued feedback. • In microservice model, faster onboarding of a secure microservice with no compromise in security standards. • Less security patch releases to production.
- 16. Now • Automated security scan in protected branches. • Logical conditions to run it in other specific branches. • All new microservices have to have security steps configured in CI build. Next • Fail the CI build if the results cross threshold. • Block the merge or PR to protected branch when results crosses thresholds for security and compliance.
- 17. DEMO
- 18. Twistlock / Codefresh Integration ➢ Docker image containing Twistlock CLI, Codefresh CLI and Python scripting to tie the two together. ➢ Runs locally and on Codefresh (Docker Swarm or K8S) ➢ Adds Docker image metadata (Annotations) • Compliance and Vulnerability counts for each level [ critical, high, medium, low ] • Security Scan results Pass/Fail • Twistlock Report URL ➢ Determine Build Success or Failure based on exit code of the Twistlock scan and pass that back to Version Control System https://github.com/SC-TechDev/docker-twistcli
- 19. CHECK OUT OUR BLOG POST: codefresh.io/blog Talk to Twistlock Sign up for a Free Trial! @ Twistlock.com Get a Codefresh Demo Schedule 1:1 @ Codefresh.io