Carbonetes Orb is now available at CircleCI and can be included in your pipeline stages.
Carbonetes Orb provides comprehensive container analysis and policy evaluation as a fully managed service. Carbonetes analyzes your container images for native code vulnerabilities, software composition analysis (SCA), license types, bill of materials, malware and secrets. Carbonetes’ powerful policy tool enables you to load standard policies or build, test and refine custom policies. It provides integrations with various container registries, CI/CD tools, as well as Slack and Jira.
Carbonetes Orb seamlessly integrates comprehensive container analysis directly into your CI/CD pipeline. Upon committing your code, the Carbonetes Orb automatically initiates a comprehensive container analysis scan. The results of that scan are compared to the applicable policy to determine whether the container should be built or not. The insight from the analysis and the policy evaluation are embedded right inside Carbonetes Orb making it easy to find and resolve issues without ever leaving CircleCI.
How it works
The plugin requires valid Carbonetes credentials (email and password).
- Follow the instructions at the Orb Quick Start Guide to enable usage of Orbs in your project workflow.
- In the app build job, call `comprehensive/scan`.
- Set up the environment variables `USERNAME`, `PASSWORD` and `REGISTRY_URI` in your CircleCI environment settings, using the values from your Carbonetes account.
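A sketch of how the three steps above fit into a `.circleci/config.yml`, added here as an example and not taken from the Carbonetes project or its documentation. The orb reference is a placeholder, the credential variables are assumed to live in a CircleCI context named `carbonetes-creds` rather than in the config file, and reading `FAILONPOLICY` as a job environment variable is an assumption.

```yaml
version: 2.1

orbs:
  # PLACEHOLDER: substitute the published Carbonetes orb coordinates (namespace/orb@version).
  # Aliasing the orb as "comprehensive" lets the step below read as "comprehensive/scan".
  comprehensive: PLACEHOLDER_NAMESPACE/PLACEHOLDER_ORB@PLACEHOLDER_VERSION

jobs:
  build:
    docker:
      - image: cimg/base:stable
    environment:
      # Assumption: FAILONPOLICY is read as an environment variable.
      # The default is false; "true" makes a FAILED policy evaluation stop the pipeline
      # instead of only reporting it.
      FAILONPOLICY: "true"
    steps:
      - checkout
      - setup_remote_docker
      - run:
          name: Build the application image
          command: docker build -t "app:${CIRCLE_SHA1}" .
      # Runs the Carbonetes comprehensive analysis and policy evaluation.
      # USERNAME, PASSWORD and REGISTRY_URI are supplied by the context attached
      # in the workflow below, so no credential is committed to this file.
      - comprehensive/scan

workflows:
  build-and-scan:
    jobs:
      - build:
          # Assumed context holding USERNAME, PASSWORD and REGISTRY_URI.
          context: carbonetes-creds
```

Keeping the scan inside the same job as the build means the policy verdict (`STOP` or `GO`) is decided before any later job can push or deploy the image.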
Carbonetes Orb Parameters
These parameters are needed for the Carbonetes Orb.
| Parameter | Description |
| --- | --- |
| `USERNAME` | The username used in Carbonetes. |
| `PASSWORD` | The password used in Carbonetes. |
| `REGISTRY_URI` | The registry URI that is managed in Carbonetes. |
| `FAILONPOLICY` | When set to `true`, the build fails if the policy evaluation fails. Default `false`. |
Carbonetes Orb Report
These are the results after scanning the image using Carbonetes Orb.
| Section | Description |
| --- | --- |
| Vulnerabilities | Provides a list of known vulnerabilities with a criteria of |
| Software Composition | Software included in your image that might cause a |
| Software Dependencies | A software dependency is an external standalone library that may contain security issues. |
| Licenses | Provides a list of legal compliance found on each software of the |
| Malware | Provides a list of malware found on the scanned image. |
| Secrets | Secret data found on each software of the scanned image. |
| Policy Result | The result of the policy evaluation: `PASSED` or `FAILED`. |
| Final Action | Decides whether the build will `STOP` or `GO` based on the policy result. |
Why is Carbonetes better than its competitors?
Carbonetes provides a number of services that others don’t have. It also has the most comprehensive container security analysis in the market. There is no need to assemble bits and pieces of container-evaluation services: Carbonetes provides complete Container Application Security Testing (CAST) with best-in-class results.
If you are dealing with containers and especially concerned about the security of your application, Carbonetes is the best option to handle all your security needs – providing rich information all in one place across each analyzer.