Skip to content

Integrating into a CI/CD Pipeline#

By incorporating container image scanning and application dependency library scanning processes into your CI/CD pipeline, you can enable early detection of vulnerabilities and eliminate high-risk vulnerabilities before release.

Integrating Container Image Scanning into CI/CD#

This section explains how to scan container images and upload the results to FutureVuls within a CI/CD pipeline using GitHub Actions and AWS CodePipeline.

The following environment variables need to be defined:

Variable Description Required
VULS_SAAS_GROUPID The ID of the group to which the scan results will be uploaded. Please store this as an encrypted secret.
VULS_SAAS_TOKEN A FutureVuls token with scanning permissions. Please store this as an encrypted secret.
DOCKERFILE_PATH The path to the Dockerfile used to build the image.
TARGET_IMAGE The image to be scanned.
Specify in the format <image_name>:<tag>.
VULS_SAAS_UUID The Server UUID in FutureVuls that uniquely identifies the target image.
For new registrations, specify a value generated by a command like uuidgen.
If you specify the server UUID of an already registered image, it will be treated as an update to that image.
  • To update the configuration information of an image already managed on FutureVuls, specify the target image's UUID as VULS_SAAS_UUID.

image-uuid

Environment Variable Configuration

It is recommended to set the following environment variables using encrypted secrets.

  • VULS_SAAS_GROUPID
  • VULS_SAAS_TOKEN

If these values are exposed, anyone could upload arbitrary scan results to the specified group in FutureVuls.

Integrating Container Image Scanning into a CI/CD Pipeline Using GitHub Actions#

This is an example of a GitHub Actions workflow that uses the Trivy integration script to perform a scan within a CI/CD pipeline.

name: FutureVuls Docker Image Scan
on:
  push
defaults:
  run:
      shell: bash
jobs:
  docker-test:
    name: FutureVuls Docker Image Scan
    env:
      VULS_SAAS_GROUPID: ${{ secrets.VULS_SAAS_GROUPID }}
      VULS_SAAS_TOKEN: ${{ secrets.VULS_SAAS_TOKEN }}
      DOCKERFILE_PATH: "docker/anything/Dockerfile"
      TARGET_IMAGE: "imageName:tag"
      VULS_SAAS_UUID: "xxxxxxxx"
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v4
    - name: cached scan db
      uses: actions/cache@v3
      with:
        path: vulndb/
        key: trivy-vulndb
    - name: scan and upload
      env: 
      run: |
        docker build . -f ${env.DOCKERFILE_PATH} -t ${env.TARGET_IMAGE}
        curl -s https://installer.vuls.biz/vuls-trivy-light.sh | \
        VULS_SAAS_GROUPID="${env.VULS_SAAS_GROUPID}" \
        VULS_SAAS_TOKEN="${env.VULS_SAAS_TOKEN}" \
        TARGET_IMAGE="${env.TARGET_IMAGE}" \
        VULS_SAAS_UUID="${env.VULS_SAAS_UUID}" \
        bash -s inst

Integrating Vulnerability Scanning into a CI/CD Pipeline Using AWS CodePipeline#

This is an example of a buildspec.yml file that uses the Trivy integration script to perform a scan within a CI/CD pipeline.

version: 0.2

#env:
#  variables:
    #VULS_SAAS_GROUPID: "define in secret manager"
    #VULS_SAAS_TOKEN: "define in secret manager"
    #DOCKERFILE_PATH: "./Dockerfile"
    #TARGET_IMAGE: "target_image:tag"
    #VULS_SAAS_UUID: "xxxx-FutureVuls-Server-UUID-xxxxxxxx"
phases:
  install:
    runtime-versions:
      python: latest
  build:
    commands:
      - 'docker build -t $TARGET_IMAGE .'
  post_build:
    commands:
      - 'curl -s https://installer.vuls.biz/vuls-trivy-light.sh | VULS_SAAS_GROUPID="$VULS_SAAS_GROUPID" VULS_SAAS_TOKEN=$VULS_SAAS_TOKEN TARGET_IMAGE=$TARGET_IMAGE VULS_SAAS_UUID=$VULS_SAAS_UUID bash -s inst'
      - "echo scan results Sent to Fvuls on `date`"

Integrating Application Library Scanning into CI/CD#

This section explains how to scan application dependency libraries and upload the results to FutureVuls within a CI/CD pipeline using GitHub Actions and AWS CodePipeline.

Scanning for Library Vulnerabilities on git push#

Upload the results of an application library scan to FutureVuls upon a git push. This section provides an example using GitHub Actions. The sample GitHub Actions YAML file is as follows.

Environment Variables Used in the Example#

Variable Description Required
VULS_SAAS_GROUPID The ID of the group to which the scan results will be uploaded.
VULS_SAAS_TOKEN A token with scanning permissions.
TARGET_LIBRARY The path of the directory to be scanned.
To scan the entire repository, you can leave this as ${{ github.workspace }}.
VULS_SAAS_UUID The UUID for management in FutureVuls.
For new registrations, specify a value generated by a command like uuidgen.
ACTIONS_RUNTIME_TOKEN The GitHub token for authentication.
Required if you encounter a RATELIMIT error.

To update the configuration information of a library already managed on FutureVuls, specify the target library's UUID as VULS_SAAS_UUID.

lib-uuid

Environment Variable Configuration

It is recommended to set the following environment variables using encrypted secrets.

  • VULS_SAAS_GROUPID
  • VULS_SAAS_TOKEN

If these values are exposed, anyone could upload arbitrary scan results to the specified group in FutureVuls.

The scan is performed using the scanning script file.

name: FutureVuls library Scan 
on: 
  push: 
defaults: 
  run: 
      shell: bash 
jobs: 
  docker-test: 
    name: FutureVuls library Scan 
    env: 
      VULS_SAAS_GROUPID: ${{ secrets.VULS_SAAS_GROUPID }}
      VULS_SAAS_TOKEN: ${{ secrets.VULS_SAAS_TOKEN }}
      TARGET_LIBRARY: "${{ github.workspace }}" 
      VULS_SAAS_UUID: "xxxx" 
      ACTIONS_RUNTIME_TOKEN: ${{ secrets.GITHUB_TOKEN }} 
    runs-on: ubuntu-latest 
    steps: 
    - uses: actions/checkout@v4 
    - name: cached scan db 
      uses: actions/cache@v3 
      with: 
        path: vulndb/ 
        key: trivy-vulndb 
    - name: scan and upload 
      run: 
        curl -s https://installer.vuls.biz/vuls-trivy-light.sh | bash -s inst

How to Automatically Update a Lockfile on Push with GitHub Actions#

This section explains how to use futurevuls/fvuls-lockfile-uploader to check if a lockfile has been updated on git push and, if so, update the lockfile registered in FutureVuls via the REST API.

In the example below, the workflow runs only when a push is made to the release branch and either ./go.sum or ./web/yarn.lock has been modified.

The following environment variables in the sample should be set as Encrypted Secrets.

Environment Variable Name How to Confirm
FVULS_SERVER_UUID Check from the Server List.
FVULS_TOKEN Check from Group Settings > FutureVuls API.
on:
  push:
    ## https://docs.github.com/en/actions/learn-github-actions/workflow-syntax-for-github-actions#onpushpull_requestpaths
    paths:
      - 'go.sum'
      - 'web/yarn.lock'
    branches:
      - release

name: Check lockfiles
jobs:
  build:
    env:
      FVULS_SERVER_UUID: ${{ secrets.FVULS_SERVER_UUID }}
      FVULS_TOKEN: ${{ secrets.FVULS_TOKEN }}
    name: Upload lockfile
    runs-on: ubuntu-20.04
    steps:
      - uses: actions/checkout@v4
        with:
          fetch-depth: 0
      - name: Upload go.sum
        uses: futurevuls/fvuls-lockfile-uploader@v1
        with:
          repoName: ${{ github.repository }}
          path: './go.sum'
      - name: Upload web/yarn.lock
        uses: futurevuls/fvuls-lockfile-uploader@v1
        with:
          repoName: ${{ github.repository }}
          path: './web/yarn.lock'