With the introduction of Google Cloud Container Builder, the build process for containers on the Google Cloud Platform (GCP) just got significantly easier. Rather than maintain an entirely separate build infrastructure, teams can now build containers for deployment in any environment directly from Google Cloud. A newly introduced feature of the Google Cloud Container Builder workflow is Custom Build Steps, which are simply containers that run as part of the build and contribute to the build process itself.

Twistlock allows users of Google Cloud Container Builder to integrate Twistlock's vulnerability scanning at build time by using a Custom Build Step. By scanning images at build, and failing the build when a scan does not pass your policy, you can stop non-compliant images from ever being pushed to your registry, let alone reaching production. Below, we walk you through using a custom build step to invoke Twistlock's command line scanner, and how to scan your images for vulnerabilities during the build.

Getting Started

There are two steps to the process:

  1. Creating a Custom Build Step image that runs Twistlock's scanner, and pushing that image to your GCP container registry.
  2. Adding a step to your cloud build YAML file that calls the Twistlock scanner and returns its results as part of the build.

Before you get started – make sure you have:

Setting up the Twistlock Custom Build Step

  1. Open a Google Cloud shell.
  2. Download and extract the latest version of Twistlock.
  3. Create a new directory cb-twistlock and copy twistlock-scanner to this directory.
  4. Download the scan_helper.sh script from the Twistlock support site and copy it to your cb-twistlock directory.
  5. Create a new file my_scan.sh and add the following line (replacing the {} placeholders, braces included, with your values; the helper is copied to the container root in the next step, so reference it by absolute path):
    /scan_helper.sh -c https://{console host} -u {username} -p {password} -I {image}
    Note that anything you write into this file is baked into the helper image and is readable by anyone who can pull that image from your registry. Prefer to inject the console credentials at build time (for example through the build step's environment, or better an encrypted build secret) rather than hard-coding them here.
  6. Create a new file Dockerfile.twistlock and add the following text to it (the ENTRYPOINT must name the same file that was copied in, my_scan.sh):
    FROM ubuntu
    RUN apt-get update -y && apt-get install -y \
    openssl \
    curl \
    jq
    COPY ./my_scan.sh /my_scan.sh
    COPY ./twistlock-scanner /twistlock-scanner
    COPY ./scan_helper.sh /scan_helper.sh
    ENTRYPOINT ["/bin/bash", "/my_scan.sh"]
    
  7. Create a new file named cloudbuild-twistlock.yaml and add the following text to it (the build step list lives under a top-level steps: key, and args: is indented under its step):
    steps:
    - name: 'gcr.io/cloud-builders/docker'
      args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/twistlock-build-helper', '-f=Dockerfile.twistlock', '.' ]
    images: ['gcr.io/$PROJECT_ID/twistlock-build-helper']
    
  8. Build the Twistlock scanner image and push it to your registry by running the following command from the cb-twistlock directory (the trailing . is the source directory uploaded to Container Builder; in newer gcloud releases the command family was renamed to gcloud builds submit):
    gcloud container builds submit --config cloudbuild-twistlock.yaml .

Add the Twistlock Custom Build Step

In this example, we'll build and scan an image based on ubuntu:latest.

  1. Create a new directory called cb-test
  2. Create a new file called cloudbuild-testimg.yaml and add the following text to it. The helper image's ENTRYPOINT already runs /my_scan.sh, so the scan step needs no args. Because Container Builder stops at the first failing step and only pushes the images: list when every step succeeds, a scan step that exits non-zero keeps the image out of your registry:
    steps:
    - name: 'gcr.io/cloud-builders/docker'
      args: [ 'build', '-t', 'gcr.io/$PROJECT_ID/cb-demo-img', '-f=Dockerfile.ubuntu', '.' ]
    - name: 'gcr.io/$PROJECT_ID/twistlock-build-helper'
    images: ['gcr.io/$PROJECT_ID/cb-demo-img']
  3. Create a new file called Dockerfile.ubuntu and add the following text to it:
    FROM ubuntu:latest
  4. Build your image and have it scanned by Twistlock by running the following command from the cb-test directory:
    gcloud container builds submit --config cloudbuild-testimg.yaml .
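The procedure above reports scan results but, as written, my_scan.sh is a one-liner with the console password baked into the helper image and no decision about whether the build should continue. The following is an added example of a gating wrapper that could replace my_scan.sh; it is not Twistlock's scan_helper.sh and not code from the original post. It assumes (hypothetically) that the console host, user and password arrive in the TW_CONSOLE, TW_USER and TW_PASS environment variables set on the build step rather than in the image, and that after the scan a summary file of "severity=count" lines exists at SUMMARY_FILE. That summary format is an assumption made so the example runs offline; adapt the parsing to the real report your scanner version emits (the jq installed by the Dockerfile is the natural tool for a JSON report). The scan_helper.sh flags are the ones shown in step 5 above.

```shell
#!/bin/sh
# Added example: gating wrapper for the Twistlock custom build step.
# Not Twistlock's scan_helper.sh. Assumptions (not from the original post):
#   - TW_CONSOLE, TW_USER, TW_PASS are injected via the build step, not baked in
#   - after scanning, $SUMMARY_FILE holds "severity=count" lines (assumed format)
set -eu

SUMMARY_FILE=${SUMMARY_FILE:-/tmp/twistlock-summary.txt}

# Fail fast when a required variable is missing, so a mis-configured step
# never silently runs the scan with empty credentials.
require_env() {
  missing=0
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required environment variable: $name" >&2
      missing=1
    fi
  done
  return $missing
}

# Read the (assumed) "severity=count" summary and apply the policy.
# Usage: evaluate_summary <file> <max_critical> <max_high>
# Returns 0 when the image is within policy, 1 when it must be rejected.
# Fails closed: a missing or malformed summary also rejects the image.
evaluate_summary() {
  file=$1; max_critical=$2; max_high=$3
  critical=0; high=0
  if [ ! -r "$file" ]; then
    echo "no scan summary at $file, rejecting image" >&2
    return 1
  fi
  while IFS='=' read -r sev count || [ -n "$sev" ]; do
    [ -n "$sev" ] || continue                      # skip blank lines
    case "$count" in
      ''|*[!0-9]*) echo "malformed summary line: $sev=$count" >&2; return 1 ;;
    esac
    case "$sev" in
      critical) critical=$count ;;
      high)     high=$count ;;
    esac
  done < "$file"
  if [ "$critical" -gt "$max_critical" ] || [ "$high" -gt "$max_high" ]; then
    echo "policy violation: critical=$critical (max $max_critical)," \
         "high=$high (max $max_high)" >&2
    return 1
  fi
  echo "within policy: critical=$critical high=$high"
  return 0
}

# Run the scan for one image and gate on the result. A non-zero exit here
# fails the Container Builder step, so the image is never pushed.
run_scan() {
  image=$1
  require_env TW_CONSOLE TW_USER TW_PASS
  # Flags as used in step 5 of the post. Note the password is still visible
  # to anything that can list processes inside this step's container.
  /scan_helper.sh -c "https://$TW_CONSOLE" -u "$TW_USER" -p "$TW_PASS" -I "$image"
  # Assumption: the helper (or your wrapper around twistlock-scanner) has
  # written the "severity=count" summary to $SUMMARY_FILE by now.
  evaluate_summary "$SUMMARY_FILE" "${MAX_CRITICAL:-0}" "${MAX_HIGH:-0}"
}

# Only scan when invoked as "/my_scan.sh scan <image>" so the functions can
# also be sourced or tested without touching the scanner.
case "${1:-}" in
  scan) run_scan "${2:?image name required}" ;;
esac
```

With this wrapper, the scan step in cloudbuild-testimg.yaml would carry args: ['scan', 'gcr.io/$PROJECT_ID/cb-demo-img'], set the non-secret values with the step's env: list (for example TW_CONSOLE and MAX_HIGH), and supply TW_PASS through an encrypted build secret rather than a literal in the YAML or the image. MAX_CRITICAL and MAX_HIGH default to 0, which is the strictest setting; relax them deliberately per pipeline rather than silently.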

Once Twistlock has scanned the image during the build, you can see Twistlock's results alongside the rest of your build output in the build history view, reached by navigating to Container Engine > Build History. Below is an example of a build showing the number of vulnerabilities detected by Twistlock during the scan.

Since Container Builder is a composable ecosystem and it is this simple to integrate Twistlock's vulnerability scanning at build time with a Custom Build Step, we see a lot of opportunity for organizations to securely package their software into containers as part of an automated workflow.

Ready to consider Twistlock container security? Request a live demo of Twistlock here.
