Twistlock is a security scanner for containers. It scans Docker containers for vulnerabilities and compliance violations.
The Swingletree Twistlock Plugin offers the following functionality:
- Attaches Twistlock findings to GitHub Pull Requests by evaluating the Twistlock scan report.
Processed data is persisted to Elasticsearch (if enabled in Scotty) and can be turned into reports using Kibana or Grafana.
A Gate webhook is published when the Twistlock Plugin is enabled. It accepts a Twistlock scan report (generated by the Twistlock CLI) in JSON format as its payload and needs some additional query parameters to link the report to a GitHub repository:

```yaml
gate:
  plugins:
    - id: twistlock
      base: # enter base url of plugin-twistlock
```

Gate publishes an endpoint which is connected to the plugin. You will need to attach information about the target repository using the methods Gate provides (for example HTTP headers or query parameters):

```
POST /report/twistlock?org=[GitHub Organization]&repo=[Repository name]&sha=[Commit SHA]&branch=[branch]
```
If you have configured Gate to protect its endpoints with a token, Gate checks the request for that token before forwarding it. The plugin then processes the report and sends a report analysis to Scotty using the context `security/twistlock`.
Repository-specific behaviour can be configured by placing a `.swingletree.yaml` in the repository root directory. Swingletree reads the file from the master branch only. If no `.swingletree.yaml` is available in the repository, Swingletree fails by default on any Twistlock finding.
```yaml
# Example repository configuration
plugin:
  twistlock:
    # vulnerabilities equal or above this cvss score require developer action
    thresholdCvss: 8
    # compliance issues equal or above this severity require developer action
    thresholdCompliance: high
    # define false-positives to exclude them
    whitelist:
      CVE-1230: not applicable
      CVE-3332: also not applicable
      # CVE-Key: exclusion note
      # Compliance-id: exclusion note
```
| Property | Description | Default |
|---|---|---|
| `thresholdCvss` | Vulnerabilities with a CVSS score higher than or equal to this value are targeted | `0` |
| `thresholdCompliance` | Compliance issues with a Twistlock severity higher than or equal to this value are targeted | `low` |
| `whitelist` | Map of finding keys (CVE key or compliance id) to an exclusion note; listed findings are treated as false positives and ignored | empty |
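The threshold and whitelist rules above, applied to a scan report, as an added worked example. This is not Swingletree's own code and does not show how the plugin is implemented internally; it only reproduces the documented semantics. The sample report is constructed, and its field names (`results[].vulnerabilities[].cvss`, `results[].compliances[].severity`) are an assumption about the twistcli JSON layout. The severity ordering low < medium < high < critical is also assumed. `REPO_CONFIG` is the parsed `plugin.twistlock` subtree of the example `.swingletree.yaml` above, and the Gate base URL, organisation, repository and commit in the usage block are placeholders.

```python
"""Added example: evaluate a twistcli JSON report against the thresholdCvss,
thresholdCompliance and whitelist settings of a .swingletree.yaml, and build
the Gate URL the report would be POSTed to. Not Swingletree project code."""
from urllib.parse import urlencode

# Constructed twistcli-style report. The field names are an ASSUMPTION about
# the twistcli JSON layout, not taken from the Swingletree documentation.
SAMPLE_REPORT = {
    "results": [
        {
            "id": "sha256:0123456789abcdef",
            "vulnerabilities": [
                {"id": "CVE-1230", "cvss": 9.8, "severity": "critical", "packageName": "libfoo"},
                {"id": "CVE-4444", "cvss": 8.0, "severity": "high", "packageName": "libbar"},
                {"id": "CVE-5555", "cvss": 5.3, "severity": "medium", "packageName": "libbaz"},
            ],
            "compliances": [
                {"id": 41, "severity": "high", "title": "Image contains private keys"},
                {"id": 42, "severity": "medium", "title": "Image runs as root"},
            ],
        }
    ]
}

# Parsed plugin.twistlock subtree of the example .swingletree.yaml on this page.
REPO_CONFIG = {
    "thresholdCvss": 8,
    "thresholdCompliance": "high",
    "whitelist": {"CVE-1230": "not applicable", "CVE-3332": "also not applicable"},
}

# Defaults from the property table: without a .swingletree.yaml every finding counts.
DEFAULT_CONFIG = {"thresholdCvss": 0, "thresholdCompliance": "low", "whitelist": {}}

# Twistlock severity order, lowest first (assumed ordering).
SEVERITY_ORDER = ["low", "medium", "high", "critical"]


def severity_rank(name):
    """Position of a severity in SEVERITY_ORDER. Unknown names rank above
    critical so a malformed severity in a report cannot silently hide a finding."""
    name = str(name).lower()
    return SEVERITY_ORDER.index(name) if name in SEVERITY_ORDER else len(SEVERITY_ORDER)


def evaluate(report, config=None):
    """Return the findings that require developer action: vulnerabilities with
    cvss >= thresholdCvss and compliance issues with severity >= thresholdCompliance,
    minus anything whose CVE key or compliance id appears in the whitelist.
    An empty result means the report passes the gate."""
    cfg = {**DEFAULT_CONFIG, **(config or {})}
    # YAML keys may be parsed as ints (compliance ids), so normalise to strings.
    whitelist = {str(k): v for k, v in (cfg.get("whitelist") or {}).items()}
    min_cvss = float(cfg["thresholdCvss"])
    min_rank = severity_rank(cfg["thresholdCompliance"])
    findings = []
    for result in report.get("results", []):
        for vuln in result.get("vulnerabilities") or []:
            key = str(vuln["id"])
            if key in whitelist:
                continue  # listed false positive, excluded from the analysis
            cvss = float(vuln.get("cvss", 0))
            if cvss >= min_cvss:
                findings.append({"kind": "vulnerability", "id": key,
                                 "cvss": cvss, "package": vuln.get("packageName")})
        for issue in result.get("compliances") or []:
            key = str(issue["id"])
            if key in whitelist:
                continue
            if severity_rank(issue.get("severity", "low")) >= min_rank:
                findings.append({"kind": "compliance", "id": key,
                                 "severity": issue.get("severity"),
                                 "title": issue.get("title")})
    return findings


def gate_report_url(gate_base, org, repo, sha, branch):
    """Build the Gate endpoint URL documented above, linking the report to a
    repository through query parameters (values are URL-encoded)."""
    query = urlencode({"org": org, "repo": repo, "sha": sha, "branch": branch})
    return f"{gate_base.rstrip('/')}/report/twistlock?{query}"


if __name__ == "__main__":
    for label, cfg in (("no .swingletree.yaml", None), ("example config", REPO_CONFIG)):
        found = evaluate(SAMPLE_REPORT, cfg)
        print(f"{label}: {len(found)} finding(s) need action -> {'fail' if found else 'pass'}")
        for finding in found:
            print("  ", finding)
    # Placeholder Gate base URL and repository coordinates.
    print(gate_report_url("https://gate.example.invalid", "acme", "shop", "3f2a9c1", "main"))
```

With the page's example configuration, CVE-1230 is dropped by the whitelist, CVE-4444 stays because 8.0 meets `thresholdCvss: 8`, CVE-5555 is below the threshold, and only the `high` compliance issue clears `thresholdCompliance: high`; with no configuration at all, the defaults of `0` and `low` make every finding block the pull request, which is the "fails per default" behaviour described above.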