CI/CD CLI Tool (Preview)

Panoptica lets you shift security left by providing a Command Line Interface (CLI) that proactively detects risks in your CI/CD pipelines. Integrating the Panoptica CI/CD CLI tool into the development workflow lets you scan container images for security vulnerabilities. The tool can detect and block security issues pre-production, before they are merged into the main codebase and deployed to the production environment.

Installation

In order to integrate Panoptica into your development workflow, you need to download the Panoptica CI/CD CLI tool, and generate an API Key.

To download the Panoptica CI/CD CLI tool and make it executable, run the command that matches your OS and platform architecture:

macOS (amd64):
curl -O https://download.panoptica.app/panoptica-cicd/1.2.0/artifacts/darwin-amd64/panoptica-cicd && chmod +x ./panoptica-cicd

macOS (arm64):
curl -O https://download.panoptica.app/panoptica-cicd/1.2.0/artifacts/darwin-arm64/panoptica-cicd && chmod +x ./panoptica-cicd

Linux (amd64):
curl -O https://download.panoptica.app/panoptica-cicd/1.2.0/artifacts/linux-amd64/panoptica-cicd && chmod +x ./panoptica-cicd

Linux (arm64):
curl -O https://download.panoptica.app/panoptica-cicd/1.2.0/artifacts/linux-arm64/panoptica-cicd && chmod +x ./panoptica-cicd

Windows (amd64):
curl -O https://download.panoptica.app/panoptica-cicd/1.2.0/artifacts/windows-amd64/panoptica-cicd && chmod +x ./panoptica-cicd

The URL pins the CLI version (1.2.0 here). In a pipeline, keep the version pinned rather than tracking a moving URL, so the binary that scans your images changes only when you choose to update it.

Generate API Key

In order to send scan results to the Panoptica console UI, you need an API Key. To generate the key, log into the Panoptica platform and select Settings in the navigation pane, then the API Keys tab.

Click Create Key to open a popup overlay, where you can generate the key.

📘

Permissions required

Users must have an Owner or Ops role in Panoptica to generate API Keys.
See User Management for details on User Roles

Enter a logical Key name, and click Generate Key.

📘

Promote API Key to Ops user

Once the API Key is created, go to the Users & Scopes tab and modify its role from Viewer to Ops. This will enable the key to send scan results to the Panoptica console UI.

See User Management for details on User Roles

Usage

Help command

Combine the --help flag with any command to see usage instructions and available flags.

./panoptica-cicd --help

CLI Version

Use the version command to view the version of the CLI tool you have installed.

./panoptica-cicd version

Global Flags

The following global flags apply to every scan command:

Flag: --report
Argument: none
Description: Send the scan report to the Panoptica console UI.
Default: off. No scan report is sent to the Panoptica platform.

Flag: --report-endpoint
Argument: URL
Description: The API endpoint to send scan reports to. Use it to send scan reports to the EU backend. Can also be set with the PANOPTICA_REPORT_ENDPOINT environment variable.
Default: https://api.us1.console.panoptica.app/api/scs/scan-reports/v1/scan-reports

Flag: --api-key
Argument: API Key
Description: The API Key used to send scan reports to the Panoptica platform. Can also be set with the PANOPTICA_API_KEY environment variable.
Default: none.

📘

Argument overrides environment variables

Providing a command line argument for --report-endpoint or --api-key overrides any value set in the corresponding environment variable. In a pipeline, prefer the PANOPTICA_API_KEY environment variable populated from the CI secret store, so the key does not appear in the command line, process listings or job logs.

Image Scanning

Integrate the Panoptica CI/CD CLI tool into your CI/CD pipeline – after the image build phase but before the image is pushed to a registry – to block vulnerable images from ever reaching production.

Command

Run the panoptica-cicd command to scan container images for vulnerabilities.

./panoptica-cicd [global flags] image IMAGE_NAME:TAG [--local] [--exit-on-severity <level>] 

Flags

Flag: --local
Argument: none
Description: Pull the image from the local Docker daemon instead of a registry.
Default: off. The image is pulled from the Docker Hub registry.

Flag: --exit-on-severity
Argument: Critical, High, Medium, Low or Information
Description: If any vulnerability is found at or above the given severity, the scan exits with code 1, which fails the pipeline step.
Default: none. The scan does not return a failing exit code for any severity.
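The installation, API-key handling and exit-code gating from the Installation, Global Flags and Image Scanning sections, combined into one POSIX shell pipeline gate. This is an added example and not code from the Panoptica documentation or product. The URL layout, the 1.2.0 version, the PANOPTICA_API_KEY variable, the position of global flags before the image subcommand and the exit code 1 on a finding at or above the threshold come from the page; the PANOPTICA_CICD_SHA256 variable (a checksum you record out of band, since the download page publishes none), the function names and the unsupported-platform handling are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the Panoptica docs: pin the CLI version, pick the
# artifact for the build host, refuse to execute an unverified download, and
# turn the scan's exit status into a pipeline verdict.
# Assumed: PANOPTICA_CICD_SHA256 holds a sha256 hex digest you recorded out of
# band; all function names below are this example's own.

PANOPTICA_CICD_VERSION="${PANOPTICA_CICD_VERSION:-1.2.0}"
PANOPTICA_CICD_BASE="https://download.panoptica.app/panoptica-cicd"

# Map `uname -s` / `uname -m` output to the os-arch pair used in the download URLs.
artifact_platform() {
  os=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
  case "$os" in
    darwin|linux) ;;
    mingw*|msys*|cygwin*|windows*) os=windows ;;
    *) return 1 ;;
  esac
  case "$2" in
    x86_64|amd64) arch=amd64 ;;
    aarch64|arm64) arch=arm64 ;;
    *) return 1 ;;
  esac
  printf '%s-%s\n' "$os" "$arch"
}

# Full artifact URL for the pinned version; fails on an unsupported host.
artifact_url() {
  plat=$(artifact_platform "$1" "$2") || return 1
  printf '%s/%s/artifacts/%s/panoptica-cicd\n' \
    "$PANOPTICA_CICD_BASE" "$PANOPTICA_CICD_VERSION" "$plat"
}

# Compare a file's sha256 with the expected hex digest; an empty expectation fails.
verify_sha256() {
  file=$1; expected=$2
  [ -n "$expected" ] || { echo "refusing to run an unverified binary" >&2; return 1; }
  if command -v sha256sum >/dev/null 2>&1; then
    actual=$(sha256sum "$file" | cut -d' ' -f1)
  else
    actual=$(shasum -a 256 "$file" | cut -d' ' -f1)
  fi
  [ "$actual" = "$expected" ]
}

# Download with -f so an HTTP error page is not saved and chmod'ed as if it were the CLI.
install_cli() {
  url=$(artifact_url "$(uname -s)" "$(uname -m)") || { echo "unsupported platform" >&2; return 1; }
  curl -fsSLo ./panoptica-cicd "$url" || return 1
  verify_sha256 ./panoptica-cicd "$PANOPTICA_CICD_SHA256" || { rm -f ./panoptica-cicd; return 1; }
  chmod +x ./panoptica-cicd
}

# Argument list for the scan, one per line. --report is a global flag, so it goes
# before the image subcommand; it is added only when PANOPTICA_API_KEY is set, and
# the key itself stays in the environment instead of on the command line.
scan_args() {
  image=$1; threshold=$2
  set -- image "$image" --local --exit-on-severity "$threshold"
  if [ -n "$PANOPTICA_API_KEY" ]; then
    set -- --report "$@"
  fi
  printf '%s\n' "$@"
}

# Map the documented exit code (1 = finding at or above the threshold) to a verdict.
verdict() {
  case "$1" in
    0) echo "pass" ;;
    1) echo "block: vulnerability at or above threshold" ;;
    *) echo "error: scanner exit status $1" ;;
  esac
}

# Run the scan and propagate its exit status so the CI step fails when it should.
run_gate() {
  image=$1; threshold=${2:-high}
  # arguments contain no whitespace, so unquoted expansion is intended here
  ./panoptica-cicd $(scan_args "$image" "$threshold")
  rc=$?
  verdict "$rc"
  return "$rc"
}
```

Typical use in a job step is `install_cli && run_gate my-image:latest high`. Because run_gate returns the scanner's own status, the step fails exactly when the CLI reports a finding at or above the threshold, and a scanner crash (any other non-zero status) also fails the step rather than being silently treated as a pass.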

Results

You can view the results of the image scan in the CLI, or in the Panoptica console UI.

CLI output

The CLI output lists each vulnerability found, with the package name, installed version, fixed version, CVE identifier and severity.

CI/CD Scan Results

If the --report flag is set, you can view scan reports in the CI/CD Scans tab under Build and Applications in the Panoptica console UI.

Click any scan record in the table to view a detailed report of the scan results.

Integration example: GitHub Actions

The Panoptica CI/CD CLI tool can be employed with any build system. Integration is straightforward, and is no different from running the tool locally.

Sample workflow:

name: Image Scan
on:
  pull_request:
    branches:
      - main
jobs:
  panoptica-cicd-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout
        uses: actions/checkout@v4
      - name: Set up Docker Buildx
        uses: docker/setup-buildx-action@v3
      - name: Build Docker image
        uses: docker/build-push-action@v5
        with:
          context: .
          load: true
          tags: my-image:latest
      - name: Install Panoptica CICD CLI
        # Pinned to 1.2.0. The download is not checksum-verified here; verify it in production pipelines.
        run: |
          curl -O https://download.panoptica.app/panoptica-cicd/1.2.0/artifacts/linux-amd64/panoptica-cicd && chmod +x ./panoptica-cicd
      - name: Run image scan
        # Exit code 1 on a High or Critical finding fails this job and blocks the pull request.
        # To also send the report to the console, add --report and set PANOPTICA_API_KEY from a repository secret.
        run: |
          ./panoptica-cicd image my-image:latest --local --exit-on-severity high

🚧

Local image scanning

For local image scanning, the Docker daemon must be running, and have access to the scanned image.