swingletree-oss / plugin-twistlock

:electric_plug: Swingletree plugin for Twistlock reports


Swingletree Twistlock Plugin

Twistlock is a security scanner for containers. It can scan Docker containers for vulnerabilities and compliance violations.

Features

The Swingletree Twistlock Plugin offers the following functionality:

  • Attaches Twistlock findings to GitHub Pull Requests by evaluating the Twistlock scan report.

Processed data is persisted to ElasticSearch (if enabled in Scotty) and can be processed to reports using Kibana or Grafana.

Sending a scan report to Swingletree

A Gate webhook is published when the Twistlock Plugin is enabled. It accepts a Twistlock scan report (generated by the twistlock CLI) in JSON format as its payload and needs some additional query parameters to link the report to a GitHub repository:

gate:
  plugins:
    - id: twistlock
      base: # enter base url of plugin-twistlock

Gate publishes an endpoint which is connected to the plugin. You will need to attach information about the target repository using the provided methods of Gate (for example HTTP Headers or query parameters):

POST /report/twistlock?org=[GitHub Organization]&repo=[Repository name]&sha=[Commit SHA]&branch=[branch]

If you configured Gate to protect its endpoints with a token, it will check the request for that token.

The plugin will process the report and send a report analysis to Scotty using the context security/twistlock.

Repository-specific Configuration

Repository-specific behaviour can be configured by placing a .swingletree.yaml in the repository root directory. Swingletree reads this file from the master branch only.

By default, Swingletree fails on any Twistlock finding if no .swingletree.yaml is present in the repository.

# Example repository configuration
plugin:
  twistlock:
    # vulnerabilities with a CVSS score equal to or above this value require developer action
    thresholdCvss: 8
    # compliance issues with a severity equal to or above this value require developer action
    thresholdCompliance: high

    # define false-positives to exclude them
    whitelist:
      CVE-1230: not applicable
      CVE-3332: also not applicable
    # CVE-Key: exclusion note
    # Compliance-id: exclusion note

Property             Description                                                                          Default
thresholdCvss        Vulnerabilities with a CVSS score greater than or equal to this value are targeted   0
thresholdCompliance  Compliance issues with a Twistlock severity greater than or equal to this are targeted   low
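The following TypeScript is an added example, not the plugin's own code: it applies a repository configuration with the semantics described above (inclusive thresholds, defaults of 0 and low, whitelist keyed by CVE or compliance id) to a constructed list of findings. The finding shape and the low/medium/high/critical severity ordering are assumptions, not the Twistlock report schema.

```typescript
// Added example, not the plugin's own code: applies the repository
// configuration described above to a constructed list of findings. The finding
// shape and the severity ordering are assumptions, not the Twistlock schema.
type Severity = "low" | "medium" | "high" | "critical";
const SEVERITY_ORDER: Severity[] = ["low", "medium", "high", "critical"]; // assumed order
interface RepoConfig {
  thresholdCvss?: number;             // default 0
  thresholdCompliance?: Severity;     // default "low"
  whitelist?: Record<string, string>; // CVE id or compliance id -> exclusion note
}
type Finding =
  | { kind: "vulnerability"; id: string; cvss: number }
  | { kind: "compliance"; id: string; severity: Severity };
interface Evaluation {
  actionable: Finding[];                          // require developer action
  excluded: { finding: Finding; note: string }[]; // whitelisted as false positives
  belowThreshold: Finding[];                      // reported but not blocking
}

function evaluate(findings: Finding[], config: RepoConfig = {}): Evaluation {
  const thresholdCvss = config.thresholdCvss ?? 0;
  const minRank = SEVERITY_ORDER.indexOf(config.thresholdCompliance ?? "low");
  const whitelist = config.whitelist ?? {};
  const out: Evaluation = { actionable: [], excluded: [], belowThreshold: [] };
  for (const f of findings) {
    const note = whitelist[f.id]; // whitelist is keyed by CVE id or compliance id
    if (note !== undefined) { out.excluded.push({ finding: f, note }); continue; }
    // thresholds are inclusive: a finding "equal or above" requires action
    const meets = f.kind === "vulnerability"
      ? f.cvss >= thresholdCvss
      : SEVERITY_ORDER.indexOf(f.severity) >= minRank;
    (meets ? out.actionable : out.belowThreshold).push(f);
  }
  return out;
}

// Constructed sample input using the README's example configuration.
const sampleConfig: RepoConfig = {
  thresholdCvss: 8,
  thresholdCompliance: "high",
  whitelist: { "CVE-1230": "not applicable", "CVE-3332": "also not applicable" },
};
const sampleFindings: Finding[] = [
  { kind: "vulnerability", id: "CVE-1230", cvss: 9.8 },      // whitelisted
  { kind: "vulnerability", id: "CVE-EXAMPLE-A", cvss: 8.0 }, // equals threshold: actionable
  { kind: "vulnerability", id: "CVE-EXAMPLE-B", cvss: 7.9 }, // below threshold
  { kind: "compliance", id: "COMPLIANCE-EXAMPLE-1", severity: "high" },   // actionable
  { kind: "compliance", id: "COMPLIANCE-EXAMPLE-2", severity: "medium" }, // below threshold
];
```

Calling evaluate(sampleFindings) with no configuration reproduces the default behaviour, where every finding becomes actionable.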

About

License: GNU General Public License v3.0
