With the introduction of Google Cloud Container Builder, the build process for containers on the Google Cloud Platform (GCP) just got significantly easier. Rather than maintain an entirely separate build infrastructure, teams can now build containers for deployment in any environment directly from Google Cloud. A newly introduced feature of the Google Cloud Container Builder workflow is Custom Build Steps, which are simply containers that run and contribute to the build process itself.
Twistlock allows users of Google Cloud Container Builder to easily integrate Twistlock’s vulnerability scanning features at build time by using a Custom Build Step. By scanning images at build time, you can ensure that only compliant images free of vulnerabilities reach production. Below, we’ll walk you through using a custom build step to invoke Twistlock’s command line scanner, and how to scan your images for vulnerabilities during build.
Getting Started
There are two steps to the process:
- Creating a Custom Build step that runs Twistlock’s scanner and pushing it to your GCP registry.
- Adding a step to your cloud build YAML file that will call the Twistlock scanner and return results.
Before you get started – make sure you have:
- A Google Cloud Platform Account and access to build and deploy images.
- An active Twistlock License. Don’t have one? Get started with Twistlock for free today.
Setting up the Twistlock Custom Build Step
- Open a Google Cloud shell.
- Download and extract the latest version of Twistlock.
- Create a new directory cb-twistlock and copy twistlock-scanner to this directory.
- Download the scan_helper.sh script from the Twistlock support site and copy it to your cb-twistlock directory.
- Create a new file my_scan.sh and add the following text (replacing the default values with your values and removing the {}):
    /scan_helper.sh -c https://{console host} -u {username} -p {password} -I {image}
- Create a new file Dockerfile.twistlock and add the following text to it:
    FROM ubuntu
    RUN apt-get update -y && apt-get install -y \
        openssl \
        curl \
        jq
    COPY ./my_scan.sh /my_scan.sh
    COPY ./twistlock-scanner /twistlock-scanner
    COPY ./scan_helper.sh /scan_helper.sh
    ENTRYPOINT ["/bin/bash", "/my_scan.sh"]
- Create a new file named cloudbuild-twistlock.yaml and add the following text to it:
    steps:
    - name: 'gcr.io/cloud-builders/docker'
      args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/twistlock-build-helper', '-f=Dockerfile.twistlock', '.' ]
    images: ['gcr.io/$PROJECT_ID/twistlock-build-helper']
- Build the Twistlock scanner image by running the following command from the cb-twistlock directory:
    gcloud container builds submit --config cloudbuild-twistlock.yaml .
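The my_scan.sh step above writes the console password into the script, which is then copied into a layer of the helper image pushed to your registry. As an added example (not code from the post, Twistlock or Google), here is a version of my_scan.sh that reads the console address, credentials and image from environment variables set on the build step instead; the TW_* names, the SCAN_HELPER override and the 'run' argument are this example's own conventions, and scan_helper.sh is assumed to exit non-zero when a scan fails.

```shell
#!/bin/sh
# Added example, not code from the post, Twistlock or Google: a my_scan.sh that
# reads the console address, credentials and target image from environment
# variables (set with the build step's env field or passed as substitutions)
# rather than writing them into the script, which would bake the password into
# a layer of gcr.io/$PROJECT_ID/twistlock-build-helper. The -c/-u/-p/-I flags
# are the ones the post shows; the TW_* names, SCAN_HELPER and the 'run'
# argument are this example's own conventions.

# Return 0 when every required variable is set and TW_CONSOLE is https;
# otherwise report only the *names* of what is missing, never the values.
check_scan_env() {
  missing=""
  for var in TW_CONSOLE TW_USER TW_PASS TW_IMAGE; do
    eval "val=\${$var:-}"
    [ -n "$val" ] || missing="$missing $var"
  done
  if [ -n "$missing" ]; then
    echo "scan aborted, unset:$missing" >&2
    return 2
  fi
  case "$TW_CONSOLE" in
    https://*) return 0 ;;
    *) echo "TW_CONSOLE must be an https:// URL (credentials would go in clear)" >&2
       return 2 ;;
  esac
}

# Invoke the helper with each argument as its own word (so a password with
# spaces is passed intact) and with xtrace off so the password is not logged.
# The helper's exit status is returned so a failed scan fails the build.
run_scan() {
  check_scan_env || return $?
  set +x
  "${SCAN_HELPER:-/scan_helper.sh}" -c "$TW_CONSOLE" -u "$TW_USER" \
      -p "$TW_PASS" -I "$TW_IMAGE"
}

# With the post's ENTRYPOINT ["/bin/bash", "/my_scan.sh"], give the build step
# args: ['run'] to start the scan; without it the functions are only defined.
if [ "${1:-}" = run ]; then
  run_scan
  exit $?
fi
```

In cloudbuild-testimg.yaml the Twistlock step then carries args: ['run'] and an env list for the TW_* variables, and the password never appears in the Dockerfile, the image or the build log.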
Add the Twistlock Custom Build Step
In this example, we’ll build and scan ubuntu:latest.
- Create a new directory called cb-test.
- Create a new file called cloudbuild-testimg.yaml and add the following text to it:
    steps:
    - name: 'gcr.io/cloud-builders/docker'
      args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/cb-demo-img', '-f=Dockerfile.ubuntu', '.' ]
    - name: 'gcr.io/$PROJECT_ID/twistlock-build-helper'
      args: ['bash', '/my_scan.sh']
    images: ['gcr.io/$PROJECT_ID/cb-demo-img']
- Create a new file called Dockerfile.ubuntu and add the following text to it:
    FROM ubuntu:latest
- Build your image and have it scanned by Twistlock by running the following command from the cb-test directory:
    gcloud container builds submit --config cloudbuild-testimg.yaml .
Once Twistlock has scanned the images during the build, you’ll be able to see Twistlock’s results, along with the rest of your build information, in the build history view, which you can reach by navigating to Container Engine > Build History. Below is an example of a build showing the number of vulnerabilities detected by Twistlock during the scan process.
Since Container Builder is a composable ecosystem and it’s so simple to integrate Twistlock’s vulnerability scanning features at build time with a Custom Build Step, we see a lot of opportunity for organizations to securely package their software into containers as part of an automated workflow.
Ready to consider Twistlock container security? Request a live demo of Twistlock here.