Prevasio CI/CD Container Security
This topic describes how to set up and use AlgoSec’s Prevasio CI/CD Container Security.
AlgoSec Prevasio CI/CD Container Security solution provides an extensible security plug-in for dev team code repositories that perform an automated scan for Docker containers pipelines. AlgoSec Prevasio builds, simulates runtime, and scans the image statically and dynamically for security risks. This is integrated into the user's GitHub repository CI process.
The action is available only to registered Prevasio users. For the official trial, click here.
The Docker container scan runs each time a Pull Request (in GitHub) is created. The summary of the scan appears in the comments of the Pull Request. For example, one critical risk was found in the code in GitHub:
To see a full report of the scan results, click the link to the full scan report.
Note: You can see a list of your open Pull Requests in Prevasio. The Pull Requests lists provides a structured view of the scan details for each open pull request, to help quickly assess and manage your security findings. See Work with the Prevasio CI/CD Container Security action.
Note: The built-in threat management rules form the basis of the security mechanism used by CI pipeline in GitHub and are described in Threat Management.
Integrations
The Prevasio CI/CD Container Security integrates with the following:
Code repositories | GitHub |
CI/CD systems | GitHub Workflow |
Containerization | Docker |
Set up the Prevasio CI/CD Container Security
For admin and advanced users
Important: Your protected branch rules won't be enforced on your private repository until you move to a GitHub Team or Enterprise organization account.
Do the following:
-
If you don’t have a GitHub account, create one now.
-
Log in to Prevasio as user admin. Make sure to write down the tenant ID you are using for later on in this procedure.
-
Add a new API Access Key. See Manage API access keys.
-
Click on the vertical ellipsis ( ) to the right of the newly created access key.
-
On the options pop-up menu that is displayed, click View. Save the Client ID and Client Secret for later in this procedure.
-
Log in to GitHub.
-
In your GitHub Repository. You can create the workflow in 2 ways:
-
Use the Action provided on the GitHub marketplace:
-
Create a new main.yml workflow in the following path:
<Repo Name>/.github/workflows/main.yml
-
Copy the Example Usage code provided in the GitHub marketplace and paste to main.yml.
-
(optional) Edit the yaml file, if required, as follows:
-
General Parameters:
Parameter Description Default Type WORKING_DIR Specify the GitHub repository's folder that contains the Dockerfile . (root folder) string DOCKERFILE_NAME Specify the Dockerfile name Dockerfile string MIN_LEVEL_TO_BLOCK_PR Specify the minimum risk severity level to block the PR if at least one risk of this level is found -1 (never block) int -
Edit the branch name, if you want to change the name of the target branch.
-
-
-
Generate the action in Prevasio:
-
Log-in into the Prevasio management console.
-
In Prevasio, from the left panel select Integrations> CI/CD Container Security.
-
(Optional) Edit the fields. (Default values are selected if the fields are not changed):
Description Default Specify the GitHub repository's folder that contains the Dockerfile . (root folder) Specify the Dockerfile name Dockerfile Specify the name of the branch Main Specify the minimum risk severity level to block the PR if at least one risk of this level is found -1 (never block) - Click Download GitHub Action.
-
Copy and paste the downloaded Action to:
<Repo Name>/.github/workflows/GitHub_Action.yml
-
-
-
In GitHub Settings, select Secrets > Actions. GitHub Action Secrets appears.
-
In GitHub Action Secrets, add the following Repository Secrets.
ALGOSEC_TENANT_ID AlgoSec Tenant ID ALGOSEC_CLIENT_ID AlgoSec Client ID ALGOSEC_CLIENT_SECRET AlgoSec Client Secret -
Define the action as a required check:
-
Go to your repository Actions tab
-
On the left of the screen, choose the workflow that runs the Prevasio CI/CD Container Security job.
-
Click Run workflow dropdown. The dropdown expands.
-
Click the Run workflow button. The workflow runs. Don’t worry if the action fails.
-
Create a new branch protection rule to define the action as a required check by following these steps:
-
Go to your GitHub repository Settings tab
-
Click on Branches on the left sidebar.
-
Click Add rule / Add branch protection rule.
-
Specify the target branch the action runs on.
-
Enable Require status checks to pass before merging.
-
Add AlgoSec Prevasio CI/CD Container Security as a required check.
-
Click Create the rule.
-
-
Work with the Prevasio CI/CD Container Security action
For code developers
Once the Prevasio CI/CD Container Security action is set up, it’s ready for use.
The following instructions explain how to use Prevasio CI/CD Container Security in your CI/CD workflow.
Do the following:
-
In your dev environment, upload changes to your developer branch in GitHub.
-
Click the Pull request tab.
-
Click New pull request.
-
Set to compare your working branch to your main (protected) branch. Click Create pull request.
-
Click View pull request. The Prevasio CI/CD Container Security check runs and the summary of scan results is displayed in the comments section of the Pull Request.
-
To view the full report, in the comments section, click Full report. The full report opens in a new browser tab.
â Next steps: