Use the Panoptica CLI and Helm plugin

This topic describes how Panoptica CI/CD plugins can be used in CI/CD pipelines.

Benefits

Cisco Panoptica plugins, when used with the Cisco Panoptica server, provide visibility into workloads upstream, at the CI/CD stage. They push the workloads to the Panoptica server (where they are given a Panoptica ID). You can then manage them on the Panoptica server with the full capabilities of Panoptica (visualization, runtime policy enforcement, and more).

You can also scan the image for vulnerabilities in the CI stage, to identify issues before the image is deployed in a production environment. You can create runtime policies which will detect or prevent the deployment of workloads with images containing specific vulnerabilities.

Use cases

Use the CLI for these use cases:

  • build & deploy locally for developer testing
  • merge branches to master

Configure Clusters on Panoptica

You can use the Cisco Panoptica CLI in your CI/CD pipelines with Kubernetes clusters that have been defined on Panoptica.
Follow the steps here to add a cluster.
In the options settings, select:


CI Pipelines

Download and use the Cisco Panoptica CLI module.

Download & Deploy the Panoptica CLI

Download the CLI from the Integrations section on the CI/CD page (see Panoptica CLI), and then follow the onscreen instructions to deploy it.

Alternatively, download the CLI to your host with this command:

wget -T 30 -c https://appsecurity.cisco.com/tools/cli/securecn_deployment_cli

Use the CLI

Use this command in the CI pipeline, in place of the docker push command:

./securecn_deployment_cli run-docker --command "docker push $CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_PIPELINE_ID" --access-key $DOCKER_PLUGIN_ACCESS_KEY --secret-key $DOCKER_PLUGIN_SECRET_KEY

The securecn_deployment_cli registers the image with Panoptica and generates a Panoptica ID. With this, the workload can be identified by Panoptica when it is deployed on the cluster.

Scan images

The CLI can scan images in addition to pushing them to Panoptica. Add the flag --scan to the command above.
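A CI job wrapper for the push command above, as an added example that is not Cisco's own script. It assumes the downloaded binary's path is in SECURECN_CLI (default ./securecn_deployment_cli) and the same CI variables as on this page, and it fails closed when the credentials are missing or the image has no tag.

```shell
#!/bin/sh
# Added example, not Cisco's own script: a CI job wrapper that replaces a bare
# "docker push" with the Panoptica CLI call shown above, so the image is
# registered (and optionally scanned) before it can be deployed.
# Assumed: SECURECN_CLI points at the downloaded binary (default
# ./securecn_deployment_cli); credentials arrive in the same CI variables
# used on this page.

SECURECN_CLI="${SECURECN_CLI:-./securecn_deployment_cli}"

# panoptica_push IMAGE [scan]
# Pushes IMAGE through the CLI; the literal second argument "scan" adds --scan.
panoptica_push() {
    image="$1"
    mode="${2:-push}"
    # Fail closed: without credentials the CLI cannot register the image, and a
    # silent fallback to plain "docker push" would leave the workload without a
    # Panoptica ID when it reaches the cluster.
    if [ -z "$DOCKER_PLUGIN_ACCESS_KEY" ] || [ -z "$DOCKER_PLUGIN_SECRET_KEY" ]; then
        echo "panoptica_push: DOCKER_PLUGIN_ACCESS_KEY / DOCKER_PLUGIN_SECRET_KEY not set" >&2
        return 2
    fi
    # Require an explicit tag (colon in the last path component, so a
    # registry port such as registry:5000/app does not count) so that each
    # pipeline run registers a distinct image rather than :latest.
    case "${image##*/}" in
        *:*) ;;
        *) echo "panoptica_push: '$image' has no tag; refusing to push :latest" >&2
           return 2 ;;
    esac
    set -- run-docker --command "docker push $image" \
        --access-key "$DOCKER_PLUGIN_ACCESS_KEY" \
        --secret-key "$DOCKER_PLUGIN_SECRET_KEY"
    if [ "$mode" = scan ]; then
        set -- "$@" --scan
    fi
    # Keys are passed as arguments, never echoed; do not wrap this in "set -x".
    "$SECURECN_CLI" "$@"
}

# Typical CI usage (GitLab variable names as on this page):
# panoptica_push "$CI_REGISTRY_IMAGE:$CI_COMMIT_REF_SLUG-$CI_PIPELINE_ID" scan
```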

CD Pipelines

Use the Helm plugin in generic environments in the CD stage.

Use case

Use the Helm plugin when deploying the latest code image to the cluster.

Download & Deploy the Helm plugin

Follow the steps here to download the Helm plugin from the Panoptica UI, then follow the onscreen instructions to deploy it.

Use the Helm Plugin

Use this command in the CD pipeline:

helm securecn --access-key ${SCN_HELM_ACCESS_KEY} --controller-secret-key ${SCN_HELM_CONTROLLER_SECRET_KEY} --secret-key ${SCN_HELM_MGMT_SECRET_KEY} --command "install ${NAME} ${CHART_PATH} --namespace=${NAMESPACE}"

Scan Helm chart

You can configure the Helm plugin to scan the Helm chart for security issues and misconfigurations.

To do this, add --run-security-check --max-risk <NO RISK|MEDIUM|HIGH> to the command above, setting the desired risk level. The results are sent to Panoptica and can be viewed in the CI/CD view.