In this blog post, we are going to cover how to perform container image scanning for CircleCI using Sysdig Secure. Image scanning allows DevOps teams to detect and resolve issues, like known vulnerabilities and incorrect configurations, directly in their CI/CD pipelines. Using Sysdig Secure, you can enforce image policies to block vulnerabilities before they reach production environments and fix them faster while the developer still has the context. Image scanning can detect problems like:
- No USER instruction specified, which causes the container to run as root.
- Use of “latest” tagged base images, which makes it harder to track which base image a build actually used.
- Unsafe Dockerfile instructions.
- Vulnerabilities in the base image OS.
- Vulnerabilities in the libraries your language is using (Python pip, Java JARs, Ruby gems, JavaScript npm, etc.).
- Compliance violations for the NIST 800-190 or PCI standards.
Vulnerability scanning in CircleCI
CircleCI is a Continuous Integration and Continuous Delivery platform that allows teams to rapidly build quality projects by automating the build, test and delivery process. You can integrate other steps in this pipeline, such as scanning the image with Sysdig’s inline scanning before sending it to the container registry.
CircleCI setup for image scanning with Sysdig Secure
In this example, you will create an OCI image with Docker, and CircleCI will trigger the scan before sending the image to the container registry, preventing non-compliant images from reaching production.
Prerequisites for security scanning on CircleCI
To reproduce the following example, you will need:
- A CircleCI CI/CD pipeline and an account.
- A git repository for your pipeline with your application.
- A Sysdig Secure DevOps Platform account.
- A container repository (in this example we will use DockerHub).
Configuring the CircleCI project
A CircleCI project links together your code repository, the CI/CD pipeline, and some extra configuration. In CircleCI you first set your repository information, then you set up a project for a given repository. If you logged into CircleCI using your GitHub account, your GitHub repositories will already appear in the repositories list. You can then use the “Set Up Project” button to start working on your pipeline.

CircleCI pipeline definition
We’re ready to define the pipeline we want to execute. You can edit it in CircleCI or create the file .circleci/config.yml in your code repository:

```yaml
version: 2
jobs:
  build:
    machine: true
    environment:
      IMAGE_NAME: "sysdiglabs/dummy-vuln-app:latest"
      SCAN_IMAGE_NAME: "sysdiglabs/secure-inline-scan:latest"
    steps:
      # checkout the source code
      - checkout
      # login to the registry (docker login also accepts --password-stdin,
      # which keeps the secret out of the process list)
      - run: |
          docker login --username "$DOCKER_USER" --password "$DOCKER_PASS"
      # build the application image
      - run: docker build -t "$IMAGE_NAME" .
      # scan the image; a non-zero exit status fails the job and stops the push
      - run: docker run --rm -v /var/run/docker.sock:/var/run/docker.sock $SCAN_IMAGE_NAME analyze -s https://secure.sysdig.com -k "$SYSDIG_SECURE_TOKEN" "$IMAGE_NAME"
      # deploy the image
      - run: docker push "$IMAGE_NAME"
```
Build stage
The image is built with Docker from the Dockerfile in the root of the repository, tagged with the IMAGE_NAME environment variable defined earlier:

```bash
docker build -t "$IMAGE_NAME" .
```
Scanning stage
The vulnerability scan runs after the image has been built, and only if the build was successful. The scanner itself runs inside a container, so it can scan anywhere Docker is available; it uses the mounted Docker socket to read the locally built image:

```bash
docker run --rm \
  -v /var/run/docker.sock:/var/run/docker.sock \
  $SCAN_IMAGE_NAME \
  analyze \
  -s https://secure.sysdig.com \
  -k "$SYSDIG_SECURE_TOKEN" \
  "$IMAGE_NAME"
```
Configuring access credentials
Before starting the pipeline, we will define some environment variables (the container registry credentials and the Sysdig Secure API token) that will be referenced in the pipeline. Since these are credentials, we don’t want to save them in the code of the pipeline itself, and we want to avoid having them in the logs of the pipeline execution.
Pipeline execution for Image Scanning
The security scanning is done entirely on the same runner where the image was built, before the image is pushed to the registry; only the results are sent to the Sysdig Secure backend. Here, you can see the results of the image scanning:


Publishing stage
If the scan in CircleCI is successful, the pipeline continues its execution and the image is published to the image repository:

```bash
docker push "$IMAGE_NAME"
```
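The login, build, scan and push steps above, combined into one fail-closed script as an added example (not code from the original post or from Sysdig). It assumes the same environment variables the pipeline uses; the function names and the RUN_IMAGE_GATE switch are hypothetical.

```shell
#!/bin/sh
# Added example: build -> scan -> push as one script, so the ordering and the
# fail-closed behaviour of the pipeline are explicit. Assumes IMAGE_NAME,
# SCAN_IMAGE_NAME, SYSDIG_SECURE_TOKEN, DOCKER_USER and DOCKER_PASS are set
# (CircleCI project environment variables). Function names are hypothetical.
set -eu

SYSDIG_SECURE_URL="${SYSDIG_SECURE_URL:-https://secure.sysdig.com}"

# Log in without putting the password on the command line, where it would be
# visible in the process list; docker reads it from stdin instead.
registry_login() {
  printf '%s' "$DOCKER_PASS" | docker login --username "$DOCKER_USER" --password-stdin
}

# Build the image from the Dockerfile in the repository root.
build_image() {
  docker build -t "$1" .
}

# Run the inline scanner against the locally built image. Its exit status is
# the policy verdict: 0 means the image passed, anything else means rejected.
scan_image() {
  docker run --rm -v /var/run/docker.sock:/var/run/docker.sock \
    "$SCAN_IMAGE_NAME" analyze -s "$SYSDIG_SECURE_URL" \
    -k "$SYSDIG_SECURE_TOKEN" "$1"
}

# Fail closed: push only when the scan succeeded.
# Returns 0 when the image was pushed, 1 when it was held back.
gate_and_push() {
  image="$1"
  if scan_image "$image"; then
    docker push "$image"
    echo "pushed $image"
    return 0
  fi
  echo "scan rejected $image; not pushing" >&2
  return 1
}

# Whole pipeline; with `set -e` any failing stage stops the script.
run_pipeline() {
  registry_login
  build_image "$IMAGE_NAME"
  gate_and_push "$IMAGE_NAME"
}

# Hypothetical switch so the file can also be sourced for testing.
if [ "${RUN_IMAGE_GATE:-0}" = "1" ]; then
  run_pipeline
fi
```

Run it with RUN_IMAGE_GATE=1 on the CircleCI runner; each stage maps to one of the `run` steps in the config above.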