Integrating Sysdig Secure with Atlassian Bamboo CI/CD

In this blog post we are going to cover how to perform Docker image scanning on Atlassian’s Bamboo CI/CD platform using Sysdig Secure. Container images with security vulnerabilities or not compliant with the security policies that you define within Sysdig Secure will be stopped, breaking the build pipeline before being pushed to your Docker registry.

What is the Atlassian Bamboo CI/CD platform?

Atlassian Bamboo is a continuous integration and delivery server integrated with the Atlassian software development and collaboration platform. Some of the features that distinguish Bamboo from similar CI/CD tools are its native integration with other Atlassian products (like the Jira project management and issue tracker), improved support for Git workflows (branching and merging) and flexible scaling of worker nodes using ephemeral Amazon EC2 virtual machines.

Bamboo organizes the build pipeline with a hierarchy of Projects, Plans, Stages, Jobs and Tasks.

A project is a “namespace” containing different plans. A plan is composed of multiple stages that are executed sequentially. Each stage is in turn composed of several jobs that can run in parallel; these jobs are the basic unit of work scheduled on the worker nodes. Finally, each job is composed of a series of tasks that are executed sequentially on the worker node it was scheduled to.

[Screenshot: Bamboo Sysdig Secure overview]

To summarize:

  • The plan is the high-level sequence of actions (stages) that you want to execute.
  • The job is the basic schedulable unit of work that gets assigned to a worker. N jobs can be executed on N workers and thus run in parallel.
  • A job itself is a sequence of tasks, like executing a script or running a Docker container.

Container security in your CI/CD pipeline: shift left your security and fail fast

Like most things in IT, the earlier you detect container security issues, the easier they are to fix without any further consequences.

Embedding container security in your build pipeline is a best practice for several reasons:

  • The vulnerabilities will never reach your production clusters, or even worse, a client environment.
  • You can adopt a secure-by-default approach when you know that any image available in your Docker container registry has already passed all the security policies you have defined for your organization, as opposed to manually checking compliance after the fact.
  • The original container builder will be (almost) instantly informed, when the developer still has all the context. The issue will be substantially easier to fix this way than if found by any other person months later…

Sysdig Secure offers a full featured container image scanning service, among many other container security features like run-time threat detection, forensics, compliance and auditing. Let’s see how we can make Sysdig Secure image scanning service work together with Atlassian Bamboo.

Bamboo CI/CD pipeline image scanning with Sysdig Secure

Through a practical example we are going to demonstrate how to integrate these two platforms with a very straightforward process.

We will start by creating a new Project containing a Plan, which basically means naming them, writing the corresponding description, configuring access credentials for users, etc:

[Screenshot: Bamboo Sysdig Secure create project]

Next, we will create an environment for the plan.

First, we need to configure the repository that is going to contain the Dockerfile together with other build variables and artifacts:

[Screenshot: Bamboo Sysdig Secure repositories]

You might configure other environment variables you need from the Variables tab.

[Screenshot: Bamboo Sysdig Secure variables]

From the global Bamboo settings (top-right gear icon, Linked repositories) you can configure any credentials you require to access your source repository (GitHub, for example) and your container image registry (DockerHub, for example).

Next, we will configure this plan to trigger automatically whenever there is a change in the repository:

[Screenshot: Bamboo Sysdig Secure trigger]

Configuring the CI/CD pipeline

We are now ready to create a Stage containing the different tasks:

[Screenshot: Bamboo Sysdig Secure stage]

  • Source code checkout: cloning the supporting repository that contains the Dockerfile and other build variables.
  • Retrieve build variables: We use a simple shell script to populate a properties.txt file with key-value pairs, extracting, for example, the container name and version that we want to build. As you can see in the example below, we extract some basic information from the Dockerfile we cloned in the first step.

[Screenshot: Bamboo Sysdig Secure script]
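The "Retrieve build variables" script, written out as an added example (this is not the script from the original post). It reads the LABEL name and version lines from the checked-out Dockerfile and writes them to properties.txt; it assumes the following "Inject Bamboo variables" task uses the namespace "git", so the keys surface as ${bamboo.git.name} and ${bamboo.git.version}.

```shell
#!/bin/sh
# Added example, not from the original post: the "Retrieve build variables"
# task. Reads LABEL name=... and LABEL version=... from the Dockerfile and
# writes them to properties.txt. Assumes the "Inject Bamboo variables" task
# is configured with the namespace "git" (-> ${bamboo.git.name}/.version).
set -eu

# label_value DOCKERFILE KEY: print the value of LABEL KEY=... with quotes
# stripped. Several key=value pairs on one LABEL line are handled, the last
# definition wins (as in Docker); quoted values containing spaces are not
# handled. Fails when the label is absent, so the task (and with it the
# plan) stops instead of building an image with an empty name or tag.
label_value() {
    awk -v key="$2" '
        $1 == "LABEL" {
            for (i = 2; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0 && substr($i, 1, n - 1) == key) {
                    found = substr($i, n + 1)
                    gsub(/"/, "", found)
                }
            }
        }
        END { if (found == "") exit 1; print found }
    ' "$1" || { echo "LABEL $2 not found in $1" >&2; return 1; }
}

# write_properties DOCKERFILE OUTFILE: emit the key=value file consumed by
# the Inject Bamboo variables task.
write_properties() {
    name=$(label_value "$1" name)
    version=$(label_value "$1" version)
    printf 'name=%s\nversion=%s\n' "$name" "$version" > "$2"
}

# Constructed sample input with the same labels as the post's Dockerfile.
workdir=$(mktemp -d)
cat > "$workdir/Dockerfile" <<'EOF'
FROM debian:stretch
LABEL version="0.2"
LABEL name="user-audit"
EXPOSE 22
EOF
write_properties "$workdir/Dockerfile" "$workdir/properties.txt"
cat "$workdir/properties.txt"
```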

  • Inject Bamboo variables: Using the properties file, we transform the key-value pairs into build context variables that we can use later in the pipeline.
  • Build the Docker image: At this step we are ready to start the build. We will select Build a Docker image in Command, and we will configure a staging image registry where we can upload the image.

[Screenshot: Bamboo Sysdig Secure build image]

  • Upload the candidate image: This will push the resulting image to the staging registry, so the container image scanner can retrieve it and analyze it.
  • Scan image with Sysdig Secure: Finally, we are going to trigger the image scan. Bamboo allows you to run a container as a task, so we have bundled all the Sysdig Secure client software in a container. You just need to pass the name of the image to scan and your Sysdig Secure API credentials as environment variables.

The variables we are using in this case are:

IMAGE_TO_SCAN="sysdigregistrydemo/${bamboo.git.name}:${bamboo.git.version}"
SYSDIG_SECURE_TOKEN=${bamboo.SYSDIG_SECURE_TOKEN}

Two of the variables were extracted by our simple shell script; the Secure token is an environment variable in this case.

[Screenshot: Bamboo Sysdig Secure scan]

If the scan finds any vulnerabilities in the image, or the image violates a custom policy you may have defined (for example specific checks on the Dockerfile, like not running the process as root, or whitelisting/blacklisting certain packages or libraries, like not installing SSH), the whole plan will fail and the last step will never get executed.

  • Upload the approved image: If the last step is completed successfully, we can upload the Docker image to the production Docker registry and make it available for our organization and production infrastructure and clusters.

Let’s trigger a build by pushing the following Dockerfile to our configured source code repository:

# Demo image for the scan: it installs an SSH server and exposes port 22,
# which is what the policy evaluation below reports.
FROM debian:stretch
LABEL version="0.2"
LABEL name="user-audit"
RUN apt-get update
RUN apt-get install -y apt-transport-https curl gnupg2 cron nano openssh-server
# Add the Kubernetes apt repository and install kubectl
RUN curl -s https://packages.cloud.google.com/apt/doc/apt-key.gpg | apt-key add -
RUN touch /etc/apt/sources.list.d/kubernetes.list
RUN echo "deb http://apt.kubernetes.io/ kubernetes-xenial main" | tee -a /etc/apt/sources.list.d/kubernetes.list
RUN apt-get update
RUN apt-get install -y kubectl
# Exposing the SSH port is the Dockerfile check the scan flags
EXPOSE 22
# Append two cron entries to root's crontab
RUN crontab -l | { cat; echo "05 11 * * * /root/wp-deploy.sh"; } | crontab -
RUN crontab -l | { cat; echo "06 11 * * 1,4 /root/nginx-crashloop.sh"; } | crontab -
COPY Dockerfile /
ENTRYPOINT ["sshd","-D"]

Uh-oh! It seems that Sysdig Secure container image scanner found something wrong:

[Screenshot: Bamboo Sysdig Secure scan fails]

Within Sysdig Secure you can see the full report including the policy evaluation and why it failed:

[Screenshot: Bamboo Sysdig Secure report]

It seems that our image is exposing port 22. It also contains a vulnerable version of the libidn11 library. Now we know what happened, why the build failed and how to fix it.

Conclusions

Integrating your security policy early in your CI/CD pipeline will prevent known software vulnerabilities from being deployed to production, and you will enforce security best practices within your build pipeline, before those containers ever run in production.

Thanks to the native Docker compatibility in Atlassian Bamboo and the Sysdig Secure container image scanning API, making them work together is a breeze. With Sysdig Secure you can find software vulnerabilities, check for container security best practices and Dockerfile contents, whitelist or blacklist specific packages or third-party libraries, whether installed manually (like Java JAR/WAR files) or through package managers (like npm, pip or gem), and even check software licenses. Fail fast, inform the container author right away so they can address it quickly, and create a secure-by-default container security policy.
