
CircleCI Adds Security Integrations to Streamline Securing CI/CD Pipelines

CircleCI announced the addition of new shareable components, "orbs", that address common use cases for securing CI/CD pipelines. The orbs added to the repository with this release cover vulnerability scanning, secrets management, license scanning, and digital scanning. This new functionality also includes integrations with AWS and Google Cloud.

Orbs are shareable components that combine commands, executors, and jobs into a single reusable block. Previously, CircleCI released a number of orbs to assist with common Kubernetes workflows.

This release has added orbs to cover three main security practices that CircleCI recommends you address within your CI/CD pipelines. These three areas are:

  1. Secure pipeline configuration
  2. Code and Git history analysis
  3. Security policy enforcement

To help ensure the pipeline configuration is secure, CircleCI allows for storing pipeline secrets in a number of locations. As Alexey Klochay, product manager at CircleCI, explains:

On CircleCI, you have the option to use encrypted-at-rest environment variables, or to use the contexts feature. Contexts are used to provide access to environment variables across projects. Their use can also be restricted to specific security group members as defined by the organization’s administrator. Another option is to use a third-party solution to dynamically fetch secrets from their secure storage for your jobs.

To support the third-party approach, orbs have been added for integrating with the AWS Parameter Store, CryptoMove, and Fortanix. To assist with signing and certifying container images within Google Cloud, an integration with GCP Binary Authorization has been added.

To validate that your Git repositories are free of sensitive information, Klochay recommends using either Trufflehog or GitLeaks. Both tools scan your repositories for traces of secrets that may have previously been committed.
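A simplified version of the check these tools perform, written here as an added illustration (it is not CircleCI's, Trufflehog's, or GitLeaks's code): walk the added lines of a git patch and flag anything that matches a known credential format or has unusually high Shannon entropy. The sample patch, the rule set, and the entropy threshold are all constructed for this example.

```python
import math
import re

# Constructed sample of `git log -p` output; the AKIA value and the hex
# token are made-up test strings, not real credentials.
SAMPLE_PATCH = """\
commit 0a1b2c3d
Author: dev <dev@example.com>

diff --git a/config.py b/config.py
--- a/config.py
+++ b/config.py
+DB_HOST = "db.internal"
+AWS_KEY_ID = "AKIAEXAMPLE0000ABCD1"
+API_TOKEN = "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"
+DEBUG = True
-OLD_PASSWORD = "hunter2"
"""

# Pattern rules: a small subset of the kind of rules GitLeaks ships with.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Entropy rule, in the style of Trufflehog's high-entropy string check.
HEX_OR_B64 = re.compile(r"[0-9a-fA-F]{32,}|[A-Za-z0-9+/=]{40,}")
ENTROPY_THRESHOLD = 3.5  # bits per character; an assumed value, tune per repo


def shannon_entropy(s: str) -> float:
    """Shannon entropy of s in bits per character (0.0 for a single symbol)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def scan_patch(patch: str) -> list:
    """Return findings for every added ('+') line in a git patch.

    Removed ('-') lines are skipped: a secret deleted in a later commit was
    still leaked by the commit that added it, which is why scanners walk
    the full history rather than only the current tree.
    """
    findings = []
    for lineno, line in enumerate(patch.splitlines(), start=1):
        if not line.startswith("+") or line.startswith("+++"):
            continue
        body = line[1:]
        for name, rx in PATTERNS.items():
            if rx.search(body):
                findings.append({"line": lineno, "rule": name})
        for m in HEX_OR_B64.finditer(body):
            ent = shannon_entropy(m.group())
            if ent >= ENTROPY_THRESHOLD:
                findings.append({"line": lineno, "rule": "high_entropy",
                                 "entropy": round(ent, 2)})
    return findings
```

Running `scan_patch(SAMPLE_PATCH)` flags the AWS key line and the hex token line and ignores the removed password line, which a real scanner would have caught in the commit that originally added it.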

CircleCI has released a number of orbs related to vulnerability discovery. These additions help cover both Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) techniques. SAST tools look through the application’s code base and analyze both the code and its dependencies for vulnerabilities. DAST techniques perform similar scans, but against a running instance of your application or container, which allows for catching dependencies that may only load at runtime. CircleCI has included a number of vulnerability scanning orbs in this release, including NeuVector, Snyk, WhiteSource, and Probely.

To address vulnerabilities and compliance gaps that are more business specific, CircleCI has included orbs that assist with security policy enforcement. This allows for codifying business practices that should be assessed on each build. Aqua Security, NowSecure, and Twistlock are a few of the new orb additions that support policy enforcement.

Tad Whitaker, security engineer with CircleCI, shared that:

Inserting these DevSecOps orbs into developers’ CI/CD pipelines ensures security in place upstream for more protection downstream. Putting security testing in CI makes it automatic which allows it to become second nature to the user.

This belief is echoed by the 2019 State of DevOps Report which found that "integrating security deeply into the software delivery lifecycle makes teams more than twice as confident of their security posture."

Michael Stahnke, VP platform for CircleCI, expanded on this in a conversation with InfoQ where he shared that when collaboration and integration are higher, security is better. However, Stahnke elaborated that with security, it is easier to invest time and money and not get the same outcome as you might when addressing other non-functional requirements. Stahnke shared that helping organizations out of this position is one of the goals of this suite of new security-focused orbs.

CircleCI has provided documentation on both how to use and publish orbs. The current listing of orbs can be viewed in the Orb Registry. Orbs are currently available within both the free and paid tiers of the cloud offering. For more information about the new partners and orbs added to the registry, please review the official announcement on the CircleCI blog.
