CI/CD Scan Policy

The CI/CD Scan Policy controls what the Panoptica CI/CD plugins in your pipelines do. These plugins scan builds in the pipeline, within the framework of your CI/CD tools, and indicate what vulnerabilities are found in the builds (for example in dependent libraries or packages).

Add a CI Scan Policy

The CI Scan Policy controls the actions of the Panoptica CI plugins when images are scanned. The plugin scans the image for vulnerabilities and also checks the Dockerfile for configuration issues.

  1. In the Panoptica console, navigate to the Policies page.
  2. Select the CI/CD SCAN tab.
  3. Click New CI Scan.
  4. Enter a name and description for the policy.
  5. Select these vulnerability levels, and the action to be taken if vulnerabilities exceeding them are found in the image in the CI pipeline.
    • Maximum Permissible Vulnerability - the highest vulnerability severity permitted in the image, ranging from Critical to Low and Unknown. The action (Enforcement Option) can be either Block (fail the build) or Detect (the build continues, but an event is recorded in the Audit log).
    • Docker Scan Severity - the severity level for configuration issues in the Dockerfile: one of Fatal, Info, or Warning. The action can be Block or Detect.
  6. Click FINISH.
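To make the threshold semantics concrete, here is a small model of how a CI Scan Policy's two thresholds and their Block/Detect actions map a set of scan findings to a build outcome. This is an added illustration, not Panoptica's code; the severity orderings (and placing Unknown below Low) and the rule that only findings strictly above the threshold count as "exceeding" are assumptions.

```python
"""Model of a CI Scan Policy decision: findings vs. thresholds -> pass/detect/block.
Constructed illustration; not Panoptica's implementation."""
from dataclasses import dataclass, field

# Severity ladders, most severe first. Ordering is assumed; the page only says the
# image range runs from Critical to Low and Unknown, and the Dockerfile levels are
# Fatal, Info and Warning.
IMAGE_SEVERITIES = ["critical", "high", "medium", "low", "unknown"]
DOCKERFILE_SEVERITIES = ["fatal", "warning", "info"]


def _rank(ladder, level):
    """Higher number means more severe."""
    return len(ladder) - ladder.index(level.lower())


@dataclass
class CIScanPolicy:
    max_vulnerability: str      # Maximum Permissible Vulnerability (e.g. "high")
    vulnerability_action: str   # "block" or "detect"
    docker_scan_severity: str   # Docker Scan Severity threshold (e.g. "warning")
    docker_scan_action: str     # "block" or "detect"


@dataclass
class ScanResult:
    cve_severities: list = field(default_factory=list)         # one entry per CVE found
    dockerfile_severities: list = field(default_factory=list)  # one entry per Dockerfile issue


def evaluate(policy, result):
    """Return (outcome, reasons): outcome is 'pass', 'detect' or 'block'.
    Block wins over Detect when both checks fire."""
    outcome, reasons = "pass", []
    checks = [
        ("image vulnerability", IMAGE_SEVERITIES, result.cve_severities,
         policy.max_vulnerability, policy.vulnerability_action),
        ("dockerfile configuration", DOCKERFILE_SEVERITIES, result.dockerfile_severities,
         policy.docker_scan_severity, policy.docker_scan_action),
    ]
    for name, ladder, found, threshold, action in checks:
        # Only findings strictly above the permitted level are violations (assumption).
        exceeding = [s for s in found if _rank(ladder, s) > _rank(ladder, threshold)]
        if not exceeding:
            continue
        reasons.append(f"{name}: {len(exceeding)} finding(s) above {threshold}")
        if action.lower() == "block":
            outcome = "block"
        elif outcome == "pass":
            outcome = "detect"
    return outcome, reasons
```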

Add a CD Scan Policy

The CD scan checks builds for issues with permissions, secrets, and pod security context.

  1. In the Panoptica console, navigate to the Policies page.
  2. Select the CI/CD SCAN tab.
  3. Click New Deployment Scan.
  4. Enter a name and description for the policy.
  5. Select the CD Deployers from which build images will be selected.
  6. Select these vulnerability levels, and the action to be taken if vulnerabilities exceeding them are found in the image:
    - Permission Vulnerability level - the vulnerability level due to high-risk roles that will be created by the chart on deployment.
    - Security Context Vulnerability - the vulnerability level due to misconfigurations in the pod security context.
    - Secret Vulnerability - the vulnerability level related to secrets in the image.
    For each, select the action to be taken if vulnerabilities are found that exceed the selected level: either fail the build (Block) or allow it to continue, but record an audit event (Detect).
  7. API Security Policy - select an API Policy to be applied to the image.

Note

Only a single CI and CD Scan policy (one of each) can be created, which will apply to all pipelines.