CircleCI Configuration

2 min read Security Testing & Tools

CircleCI Configuration

CircleCI offers cloud-native CI/CD with orb support for security tools:

# .circleci/config.yml
version: 2.1

orbs:
  docker: circleci/[email protected]
  snyk: snyk/[email protected]
  
executors:
  scanner:
    docker:
      - image: cimg/base:stable
    resource_class: medium

jobs:
  build-and-scan:
    executor: scanner
    steps:
      - checkout
      
      - setup_remote_docker:
          docker_layer_caching: true
          
      - run:
          name: Build Docker image
          command: |
            docker build -t myapp:${CIRCLE_SHA1} .
            docker save myapp:${CIRCLE_SHA1} -o image.tar
            
      - persist_to_workspace:
          root: .
          paths:
            - image.tar
            
  trivy-scan:
    executor: scanner
    steps:
      - checkout
      - attach_workspace:
          at: .
          
      - setup_remote_docker
      
      - run:
          name: Install Trivy
          command: |
            curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /tmp/bin
            echo 'export PATH=/tmp/bin:$PATH' >> $BASH_ENV
            
      - run:
          name: Load and scan image
          command: |
            docker load -i image.tar
            
            # Run scan with multiple output formats
            trivy image --format table myapp:${CIRCLE_SHA1}
            trivy image --format json -o trivy-report.json myapp:${CIRCLE_SHA1}
            
            # Check severity thresholds
            CRITICAL=$(cat trivy-report.json | jq '[.Results[]?.Vulnerabilities[]? | select(.Severity=="CRITICAL")] | length')
            
            if [ "$CRITICAL" -gt "0" ]; then
              echo "Found $CRITICAL critical vulnerabilities"
              exit 1
            fi
            
      - store_artifacts:
          path: trivy-report.json
          destination: security-reports
          
  snyk-scan:
    executor: scanner
    steps:
      - checkout
      - attach_workspace:
          at: .
          
      - setup_remote_docker
      
      - snyk/scan:
          docker-image-name: myapp:${CIRCLE_SHA1}
          severity-threshold: high
          fail-on-issues: true
          monitor-on-build: true
          project: ${CIRCLE_PROJECT_REPONAME}/${CIRCLE_BRANCH}
          
  deploy:
    executor: scanner
    steps:
      - checkout
      - attach_workspace:
          at: .
          
      - setup_remote_docker
      
      - run:
          name: Push to registry
          command: |
            docker load -i image.tar
            echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin
            
            docker tag myapp:${CIRCLE_SHA1} ${DOCKER_REGISTRY}/myapp:${CIRCLE_SHA1}
            docker tag myapp:${CIRCLE_SHA1} ${DOCKER_REGISTRY}/myapp:latest
            
            docker push ${DOCKER_REGISTRY}/myapp:${CIRCLE_SHA1}
            docker push ${DOCKER_REGISTRY}/myapp:latest

workflows:
  secure-pipeline:
    jobs:
      - build-and-scan
      
      - trivy-scan:
          requires:
            - build-and-scan
            
      - snyk-scan:
          requires:
            - build-and-scan
          context:
            - snyk-security
            
      - hold:
          type: approval
          requires:
            - trivy-scan
            - snyk-scan
            
      - deploy:
          requires:
            - hold
          filters:
            branches:
              only:
                - main
                - production