Skip to main content

Integrating Mondoo with CI/CD Platforms

Mondoo integrates with major CI/CD platforms to shift security out of production and into the development and testing phases of the software development life cycle (SDLC). This shift prevents insecure changes from making it to test environments and keeps security findings from holding up production deployments.

With Mondoo security scanning in CI/CD systems, you can:

  • Scan system images such as AMIs (using Mondoo's Packer integration, for example)
  • Scan application container images (with Docker, for example)
  • Scan Kubernetes manifests
  • Scan infrastructure as code configuration files (such as Terraform configurations)

Supported platforms​

Mondoo supports the following platforms in the CI/CD view:

  • Azure Pipelines
  • CircleCI
  • GitHub Actions
  • GitLab CI/CD
  • Jenkins
  • Mondoo Kubernetes Admissions Controller scans

General CI/CD setup​

No matter if you want to scan Kubernetes manifests, container images, or deployed VMs, the setup follows a basic pattern:

  1. Install Mondoo Client package or use the Mondoo Docker image.

  2. Copy in client credentials securely stored in your CI system.

  3. Run Mondoo to scan systems or repository files.

Sample CI setup​

In this CI setup example, we'll download Mondoo Client using credentials passed into the CI job as an environment variable. Then we'll scan with Mondoo to validate the security of a Docker image built earlier in a CI pipeline:

Mondoo Image Scan CI Job
echo Download Mondoo
echo $MONDOO_CLIENT_ACCOUNT > mondoo.json
curl -sSL | bash
./mondoo scan docker imageid --config mondoo.json

For more information on generating client credentials for use in CI/CD pipelines, read Using a credentials file.

For more information on installing Mondoo Client with install script or system package managers, read Installing Mondoo Client.

Exit code handling​

Exit codes allow CI systems to properly raise failure conditions to users. Mondoo has several methods of controlling how and when a scan causes a CI system to fail a job.

Pass on successful scan​

By default, mondoo scan returns these exit codes:

  • 0 indicates a successful scan with no critical policy failures
  • 1 indicates that the scan found critical policy failures

Instead of blocking the pipeline, you may want to always pass the build if the scan was successful. This can be achieved by passing --score-threshold 0 to mondoo scan.

Command Line
mondoo scan docker a3592cc01fdf --score-threshold 0

Store Mondoo credentials​

Mondoo Client uses a private key to encrypt all communication with the Mondoo API. Since CI/CD systems do not allow persistent configuration on build nodes, the configuration must be passed into the CI/CD job. All CI/CD environments have a way to store environment variables. Some provide extra capabilities to store secrets, which we recommend. Set the MONDOO_CLIENT_ACCOUNT environment variable with the content of the agent credentials file:

The JSON configuration file includes the agent's private key and certificate. The PEM format requires proper newlines, and some CI/CD systems interpret the newlines, which causes failures reading the credentials. To prevent this the credentials data should be encoded using base64 encoding. Credentials generated during the CI integrations in the Mondoo console are automatically encoded to avoid errors.