Securing Your Pipeline With Policy as Code
Why Scan Pipelines?

Scanning CI/CD pipelines, that is, the Git repositories they build from, for misconfigurations is crucial for ensuring the security and reliability of your software projects. With the widespread use of Infrastructure as Code (IaC), Dockerfiles, and Kubernetes configurations, even minor errors in these files can lead to significant vulnerabilities and operational headaches. By integrating scanning into your CI pipelines, you catch these issues early, reducing the risk of breaches and downtime while improving overall code quality.
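To make the idea concrete, here is a small policy-as-code scanner written for this post as an added illustration. It is not nctl and does not use Nirmata's curated policies; the rule names, severities, remediation text and the sample manifest and Dockerfile are all constructed. It applies a handful of common workload rules (privileged containers, host networking, missing resource limits, mutable image tags, running as root) to parsed Kubernetes manifests and Dockerfile text, and returns findings in the shape a report would show: file, rule, severity, message and remediation.

```python
"""Minimal policy-as-code scanner for a few Kubernetes and Dockerfile misconfigurations.
Added illustration only: not nctl, not Nirmata's policies; rules and inputs are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    path: str         # file the violation was found in
    rule: str         # policy rule identifier (constructed names)
    severity: str     # HIGH / MEDIUM / LOW
    message: str      # what is wrong
    remediation: str  # how to fix it


def _is_mutable_tag(image):
    """True when an image reference has no tag or digest, or uses :latest."""
    if "@sha256:" in image:
        return False
    last = image.rsplit("/", 1)[-1]  # look past the registry so a host port is not mistaken for a tag
    return ":" not in last or last.endswith(":latest")


def _pod_spec(manifest):
    """Return the pod spec of a Pod or of a workload with a pod template, else None."""
    kind = manifest.get("kind")
    if kind == "Pod":
        return manifest.get("spec", {})
    if kind in ("Deployment", "StatefulSet", "DaemonSet", "Job"):
        return manifest.get("spec", {}).get("template", {}).get("spec", {})
    return None


def scan_manifest(path, manifest):
    """Apply the workload rules to one parsed Kubernetes manifest (a dict)."""
    findings = []
    spec = _pod_spec(manifest)
    if spec is None:
        return findings
    if spec.get("hostNetwork") is True:
        findings.append(Finding(path, "disallow-host-network", "HIGH",
                                "pod shares the node's network namespace",
                                "remove hostNetwork or set it to false"))
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name = c.get("name", "<unnamed>")
        if c.get("securityContext", {}).get("privileged") is True:
            findings.append(Finding(path, "disallow-privileged", "HIGH",
                                    f"container {name} runs privileged",
                                    "drop securityContext.privileged"))
        if not c.get("resources", {}).get("limits"):
            findings.append(Finding(path, "require-limits", "MEDIUM",
                                    f"container {name} has no resource limits",
                                    "set resources.limits.cpu and resources.limits.memory"))
        image = c.get("image", "")
        if _is_mutable_tag(image):
            findings.append(Finding(path, "disallow-latest-tag", "LOW",
                                    f"container {name} uses mutable image reference {image!r}",
                                    "pin the image to an immutable tag or digest"))
    return findings


def scan_dockerfile(path, text):
    """Apply base-image and USER rules to Dockerfile text; USER resets at each stage."""
    findings, last_user = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        instr, _, arg = line.partition(" ")
        instr = instr.upper()
        if instr == "FROM":
            last_user = None                 # a new stage starts as root again
            image = arg.split()[0]           # ignore "AS <stage>"
            if image != "scratch" and _is_mutable_tag(image):
                findings.append(Finding(path, "pin-base-image", "LOW",
                                        f"base image {image!r} is not pinned",
                                        "use an explicit tag or digest in FROM"))
        elif instr == "USER":
            last_user = arg.split(":")[0].strip()
    if last_user in (None, "root", "0"):
        findings.append(Finding(path, "run-as-non-root", "MEDIUM",
                                "final stage runs as root",
                                "add a USER instruction for an unprivileged user"))
    return findings


def scan_repo(manifests, dockerfiles):
    """manifests: {path: parsed dict}; dockerfiles: {path: text}. Returns all findings."""
    findings = []
    for path, m in manifests.items():
        findings.extend(scan_manifest(path, m))
    for path, t in dockerfiles.items():
        findings.extend(scan_dockerfile(path, t))
    return findings


def summarize(findings):
    """Count findings by severity, the per-repository figure a dashboard would show."""
    counts = {"HIGH": 0, "MEDIUM": 0, "LOW": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample inputs standing in for files checked out of a repository.
SAMPLE_MANIFESTS = {
    "k8s/api.yaml": {"kind": "Deployment", "spec": {"template": {"spec": {
        "hostNetwork": True,
        "containers": [
            {"name": "api", "image": "registry.example:5000/api:latest",
             "securityContext": {"privileged": True}},
            {"name": "sidecar", "image": "ghcr.io/example/proxy@sha256:abcdef",
             "resources": {"limits": {"cpu": "100m", "memory": "64Mi"}}},
        ]}}}},
}
SAMPLE_DOCKERFILES = {
    "Dockerfile": "FROM python AS build\nRUN pip install .\n"
                  "FROM python:3.12-slim\nCOPY --from=build /app /app\n"
                  "USER root\nCMD [\"python\", \"/app/main.py\"]\n",
}

if __name__ == "__main__":
    import sys
    results = scan_repo(SAMPLE_MANIFESTS, SAMPLE_DOCKERFILES)
    for f in results:
        print(f"{f.severity:6} {f.path}: {f.rule}: {f.message} (fix: {f.remediation})")
    print("summary:", summarize(results))
    sys.exit(1 if summarize(results)["HIGH"] else 0)  # fail the pipeline on HIGH findings
```

Run as a script it prints six findings for the constructed inputs and exits non-zero because two are HIGH, which is the behaviour you want from a scan stage: the pipeline fails before a privileged, host-networked workload can be merged. A real scanner reads the files from the checkout and takes its rules from a policy repository instead of hard-coding them.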

Introducing Nirmata’s Pipeline Repository Scanning

With Nirmata’s newly added capability to scan Git repositories for misconfigurations, users can set up this check for any Git repository and CI pipeline. The reports generated by these scans are published to the Nirmata Policy Manager (NPM) for in-depth analysis of repositories and for visualizing the overall security posture of repositories in your organization. Now you can view both cluster reports and git repository reports all in one place under a single dashboard!

Overview

Policies written by platform teams or security admins are stored in Git repositories. DevOps users set up pipelines using tools such as Jenkins or GitHub Actions. These pipelines integrate Nirmata’s CLI (nctl) to scan repositories against the centrally defined policies. Results are published to NPM so that administrators can monitor compliance.

Learn more about the Pipeline Scanning Workflow here.

Onboarding Repositories to NPM

Follow the wizard to guide you through the steps.

  1. Provide the Git URL and optionally add any labels for the repository
  2. Select the Compliance Standards that you want to scan against. You can use our curated policies or point to your custom policies
  3. Execute the commands to onboard and publish a report to NPM

Setting up the CI Pipeline

NCTL is a command-line utility by Nirmata that scans for misconfigurations in CI pipelines. It can be integrated with any CI pipeline. A ready-to-use GitHub Action is also available in the GitHub Marketplace. Other CI tooling can incorporate `nctl` as one of the stages in its jobs.

Following is an example of using `nctl` in a GitHub Actions workflow.

name: nctl-scan
on: [push, pull_request]

env: # set the right environment secrets (optional)
  NIRMATA_TOKEN: ${{ secrets.NIRMATA_TOKEN }}
  NIRMATA_URL: ${{ secrets.NIRMATA_URL }}

jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4 # check out the repository to be scanned
      - name: nctl-scan-installer # installs nctl
        uses: nirmata/action-install-nctl-scan@v0.0.5
      - name: scan repository
        run: nctl scan repository -p <policy-path|policy-url>

Refer to the official documentation for the integrations with Jenkins, GitLab, and other CI tools. The pipelines are triggered on conditions such as a commit to a branch, a pull request, a merge to the main branch, or a periodic schedule.

Viewing the Scan Report in NPM

Onboarding repositories is just as simple as running the CLI in the pipeline! You can also onboard local repositories by running the CLI on your local machine. Ensure you have access to the published report on the platform, or contact your admin. After pipeline execution, the results are published to the Nirmata Policy Manager (NPM). Log in to NPM and go to the Repositories tab under Policy Reports.

This gives a complete view of the types of files scanned, violations in different repositories, their severity, possible remediation suggestions for the developers, and much more. Click on the repository name for a more detailed view of the findings.

Sharing Scan Reports

You can give teammates access to a report by adding them, individually or as an entire team, as repository owners. You can also set up a periodic schedule and receive reports over email.

Conclusion

To wrap up, protecting your Git repositories from misconfigurations is crucial for keeping your software safe. With Nirmata’s CLI in your CI pipelines, you can easily find and fix issues and comply with your rules. Ready to strengthen your setup? Contact Nirmata for a demo and sign up for the free trial to see the difference. Keep your code secure and your team confident!