Pipeline Scanning

Pipeline Scanning Workflow

nctl scan can be run from the local CLI; its real value, however, comes from running it inside CI pipelines to scan code repositories on every change.

Platform or security team admins are responsible for defining the policies the organization must adhere to. Policies are stored as YAML files in Git repositories, as OCI images in an OCI registry, or are made available as Helm charts. The DevOps user or the IT team is responsible for managing the configuration files, whether Kubernetes manifests, IaC files, or any JSON spec stored in Git repositories.

A user who wants to change the manifests in these repositories creates a pull request (PR). CI pipelines are configured to trigger on various events, such as creating a PR or merging code to the main branch, or are set up to run at regular intervals.

Setting up the CI Pipeline

NCTL works with any CI pipeline (GitHub Actions, GitLab CI, Jenkins, Harness CI, etc.).

GitHub Action

A dedicated GitHub Action is available through the GitHub Marketplace. With this action, nctl scan can be used in GitHub Actions workflows to scan the configuration files present in the repository against the centrally defined policies. In case of a policy failure, the action can be configured to fail, which fails the pipeline and gives users quick feedback on their changes. The results of the scan are available for viewing in NPM, which gives platform administrators insight into the overall governance of the different code repositories in their organization.

Understanding the GitHub Action Workflow

To see the workflow manifest file, refer to the scan-outputs.yaml file under .github/workflows in the nctl-shift-left GitHub repository.

Use the readily available nctl action.

- name: nctl-scan-installer
  uses: nirmata/action-install-nctl-scan@v0.0.2

Set the right environment secrets.

env:
  NIRMATA_TOKEN: ${{secrets.NIRMATA_TOKEN}}
  NIRMATA_URL: ${{secrets.NIRMATA_URL}}

Perform repository scan.

- name: NCTL Scan Repository
  run: nctl scan repository --policies <path|url to policy folder|repo>
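The three snippets above are fragments of one workflow. The following is a complete GitHub Actions workflow assembled from them as an added example; it is not the scan-outputs.yaml from the nctl-shift-left repository. The triggers, the checkout step (actions/checkout), the read-only permissions block, and the ./policies path are assumptions; only the installer action, the two secrets, and the nctl scan repository command come from this page.

```yaml
# Added example: a complete workflow built from the steps on this page.
# Triggers, checkout, permissions and the policies path are assumptions.
name: nctl-policy-scan

on:
  pull_request:
    branches: [main]
  push:
    branches: [main]
  schedule:
    - cron: "0 6 * * *"   # assumed daily run; the page gives no interval

# Least privilege: the scan only needs to read repository contents.
permissions:
  contents: read

jobs:
  scan:
    runs-on: ubuntu-latest
    # Secrets are read from the repository secret store, never inlined
    # in the workflow file.
    env:
      NIRMATA_TOKEN: ${{ secrets.NIRMATA_TOKEN }}
      NIRMATA_URL: ${{ secrets.NIRMATA_URL }}
    steps:
      # Assumed: the repository must be checked out so nctl can see
      # the manifests, IaC files and JSON specs it is meant to scan.
      - name: Checkout repository
        uses: actions/checkout@v4

      # Install nctl with the action named on this page.
      - name: nctl-scan-installer
        uses: nirmata/action-install-nctl-scan@v0.0.2

      # Scan the checked-out files against the policies. ./policies is an
      # assumed local folder; the page notes a URL or repository also works.
      # A non-zero exit from nctl fails this step, and therefore the
      # pipeline, so the PR author gets immediate feedback.
      - name: NCTL Scan Repository
        run: nctl scan repository --policies ./policies
```

Keeping the policies in a separate, access-controlled repository (or OCI registry) rather than in the scanned repository itself means a PR cannot weaken the rules it is being checked against; the --policies argument then points at that location instead of ./policies.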

View Scan Reports in NPM

By default, the results of the scan action are published to NPM. This allows administrators to govern their repositories alongside clusters and namespaces. Below is a snapshot of viewing scan reports in NPM.

Note: This is available as a private preview feature. Reach out to support@nirmata.com to enrol for this feature.