
CircleCI

Integrate Mondoo security with your CircleCI projects to scan Kubernetes manifests, Terraform configuration files, and Docker images for common misconfigurations and CVEs.

Setup

Create credentials in Mondoo

To fetch policies and send scan results to Mondoo Platform, first configure a Mondoo service account for use in your CI/CD pipeline:

  1. In the Mondoo console, go to Settings -> Service Accounts and select Add Account.

  2. Select the Base64-encoded option, select Generate New Credentials, and copy the generated credentials. The credentials contain the service account's private key, so treat them as a secret: do not commit them to the repository or echo them in job output.

Securely store credentials in CircleCI

Configure your CircleCI project to store the Mondoo Client credentials in the MONDOO_CLIENT_ACCOUNT environment variable:

  1. In the Mondoo console, select Sidebar -> Apps -> CircleCI and generate new credentials.

  2. In the CircleCI project settings, create a new MONDOO_CLIENT_ACCOUNT environment variable and paste the Base64-encoded credentials as its value, exactly as generated.

Example configuration

This example builds a Docker image as part of your CI/CD pipeline and uses Mondoo to verify the image before it is pushed to the registry. The configuration runs a docker build followed by a mondoo scan:

.circleci/config.yml
version: 2
jobs:
  build:
    docker:
      - image: centos:7
    steps:
      - setup_remote_docker
      - checkout
      # use a primary image that already has Docker (recommended)
      # or install it during a build like we do here
      - run:
          name: Install Docker client
          command: |
            set -x
            VER="18.09.3"
            curl -L -o /tmp/docker-$VER.tgz https://download.docker.com/linux/static/stable/x86_64/docker-$VER.tgz
            tar -xz -C /tmp -f /tmp/docker-$VER.tgz
            mv /tmp/docker/* /usr/bin
      - run:
          name: Install Mondoo Client
          command: |
            # the credentials were generated Base64-encoded, so decode them into the config file
            echo "$MONDOO_CLIENT_ACCOUNT" | base64 -d > mondoo.json
            curl -sSL https://mondoo.com/download.sh | bash
            ./mondoo version
      # pass the registry password on stdin so it does not appear in the command line or job output
      # - run: echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
      - run: docker build -t yourorg/docker-image:0.1.$CIRCLE_BUILD_NUM .
      - run: ./mondoo scan docker yourorg/docker-image:0.1.$CIRCLE_BUILD_NUM --config mondoo.json
      # - run: docker push yourorg/docker-image:0.1.$CIRCLE_BUILD_NUM

You can view the results directly in the CircleCI job output or in the Mondoo CI/CD view. Keep the scan step ahead of the push step: CircleCI stops a job at the first step that exits with a nonzero status, so if the scan step fails, the image is never pushed.
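The credentials stored in MONDOO_CLIENT_ACCOUNT are Base64-encoded, so the Install Mondoo Client step has to decode them into mondoo.json, and a missing or mangled variable is much easier to diagnose if the step checks the result before the scan runs instead of surfacing later as an opaque authentication error. The shell function below is an added example, not code from the Mondoo documentation or the Mondoo CLI: it decodes the variable into a file that only the job user can read and fails with a distinct exit status for each way the input can be wrong. The sample credential in the comments is constructed, and the field names it checks for (`mrn` and `private_key`) are an assumption about the credential format.

```shell
#!/usr/bin/env bash
# Added example (not from the Mondoo docs or the Mondoo CLI): turn the
# Base64-encoded service account held in an environment variable into the
# mondoo.json config file, failing early with a clear message when the
# variable is missing, is not Base64, or does not decode to a credential.
# Assumption: the decoded credential is a JSON object containing at least
# the keys "mrn" and "private_key"; a constructed sample would look like
#   {"mrn":"//agents.api.mondoo.app/spaces/example/serviceaccounts/abc123","private_key":"..."}

# write_mondoo_config VAR_NAME OUT_FILE
# Exit status: 0 ok, 1 variable unset/empty, 2 value is not valid Base64,
#              3 decoded data does not look like a Mondoo service account.
write_mondoo_config() {
    var_name=$1
    out_file=$2

    # Look the variable up by name; printenv exits 1 when it is unset.
    value=$(printenv "$var_name" 2>/dev/null || true)
    if [ -z "$value" ]; then
        echo "error: $var_name is not set; add it under Project Settings -> Environment Variables in CircleCI" >&2
        return 1
    fi

    # Never leave an older, possibly world-readable copy behind, and create the
    # new file under umask 077 so the private key is readable only by the job user.
    rm -f "$out_file"
    # Whitespace is stripped first so a value pasted with line breaks still decodes.
    if ! ( umask 077; printf '%s' "$value" | tr -d ' \n\r\t' | base64 -d > "$out_file" 2>/dev/null ); then
        echo "error: $var_name is not valid Base64 (was 'Base64-encoded' selected when generating the credentials?)" >&2
        rm -f "$out_file"
        return 2
    fi

    # Structural sanity check without jq: a service account blob names the
    # account (mrn) and carries its private key (assumed field names).
    if ! grep -q '"mrn"' "$out_file" || ! grep -q '"private_key"' "$out_file"; then
        echo "error: decoded $var_name does not look like a Mondoo service account" >&2
        rm -f "$out_file"
        return 3
    fi
    return 0
}

# In the CircleCI step, replace the plain redirect into mondoo.json with:
#   write_mondoo_config MONDOO_CLIENT_ACCOUNT mondoo.json
```

Because the function returns a nonzero status on every failure path, calling it as its own line in a `run` step makes CircleCI stop the job before the scan is attempted, and the partially written file is removed so a later step cannot pick up a half-decoded credential.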
