Skip to main content

Scan in CircleCI Projects

Integrate Mondoo security with your CircleCI projects to scan Kubernetes manifests, Terraform configuration files, and Docker images for common misconfigurations and CVEs.

Configure CircleCI security

To set up a CircleCI integration with Mondoo:

  • Create Mondoo credentials

  • Store those credentials in CircleCI

Create credentials in Mondoo

To fetch policies and send scan results to Mondoo Platform, first configure a Mondoo service account for use in your CI/CD pipeline:

  1. In the Mondoo Console side navigation bar, under INTEGRATIONS, select Add New Integration.

  2. Under CI/CD, select CircleCI.

  3. Copy the value in the Copy the Mondoo Platform credentials box to use it as a variable in your pipeline.

  4. Select the START SCANNING button.

The credential is a base64-encrypted code that contains all the information needed to send the results of the scan to Mondoo. You can decrypt and check the content easily using this command:

echo <Credentials> | base64 -d

Securely store credentials in CircleCI

Configure your CircleCI project to store the credentials for cnspec:

  1. On your CircleCI project dashboard, select the Project Settings button.

    CircleCI project dashboard

  2. In the left navigation, select Environment Variables.

  3. Select the Add Environment Variable button.

  4. Name the variable and then, in the Value box, paste the credentials you copied in the steps above.

    Mondoo credentials in a CircleCI environment variable

  5. Select the Add Environment Variable button.

Example configuration

This example lets you build Docker images as part of your CI/CD pipeline. You can use cnspec to verify the Docker image before you push it to the registry. This configuration runs a docker build and a cnspec scan:

version: 2
- image: centos:7
- setup_remote_docker
- checkout
# use a primary image that already has Docker (recommended)
# or install it during a build like we do here
- run:
name: Install Docker client
command: |
set -x
curl -L -o /tmp/docker-$VER.tgz$VER.tgz
tar -xz -C /tmp -f /tmp/docker-$VER.tgz
mv /tmp/docker/* /usr/bin
- run:
name: Install cnspec
command: |
bash -c "$(curl -sSL"
./cnspec version
# - run: docker login -u $DOCKER_USER -p $DOCKER_PASS
- run: docker build -t yourorg/docker-image:0.1.$CIRCLE_BUILD_NUM .
# be sure to change the score-threshold value to control the minimum accepted asset score before CI jobs fail
- run: ./cnspec scan docker yourorg/docker-image:0.1.$CIRCLE_BUILD_NUM --score-threshold 90
# - run: docker push docker yourorg/docker-image:0.1.$CIRCLE_BUILD_NUM

You can view the results directly in the CircleCI job or in the Mondoo CI/CD view.

Run a mondoo scan in CircleCI