Twistlock plugin


Twistlock is the cloud native cybersecurity platform for modern applications. From precise, actionable vulnerability management to automatically-deployed runtime protection and firewalls, Twistlock protects applications across the development lifecycle and into production. Purpose-built for containers, serverless, and other leading technologies — Twistlock gives developers the speed they want, and CISOs the controls they need.

Plugin Version 1.0.1.2020102201 Revised on April 12, 2019

Supported versions

The following Twistlock versions are supported:

  • 18.11 Update 3 (18.11.128)

Document convention

All required parameters in all procedures (including Configuration Procedure) are marked in bold italics.

Plugin configurations

Plugin configurations are sets of parameters that apply across some or all of the plugin procedures. They reduce repetition of common values, create predefined parameter sets for end users, and securely store credentials where needed. Each configuration is given a unique name that is entered in designated parameters on procedures that use them.

Creating plugin configurations

To create plugin configurations in ElectricFlow, do these steps:

  1. Go to Administration > Plugins to open the Plugin Manager.

  2. Find the EC-Twistlock row.

  3. Click Configure to open the EC-Twistlock Configurations page.

  4. Click Create Configuration.

  5. To enable the CloudBees CD server to communicate with the Twistlock API, enter the following information:

  The EC-Twistlock Configurations page now shows the new configuration.

Editing plugin configurations

To edit plugin configurations in ElectricFlow, do these steps:

  1. Go to Administration > Plugins to open the Plugin Manager.

  2. Find the EC-Twistlock row.

  3. Click Configure to open the Configurations page. Find the configuration that you want to edit.

  4. Click Edit. Edit the parameters in the configuration.

  5. Click OK to save the modified configuration.

Plugin procedures

RunImageScan

This procedure scans an image by invoking the Twistlock CLI (twistcli) with the options specified by the user, then publishes the vulnerability and compliance counts as output parameters and fails the step when a configured threshold is exceeded.

Parameter Description

Configuration Name:

The name of the plugin configuration that holds the connection details for the Twistlock server. (Required)

Image:

The image to scan, given by its exact name, for example ubuntu:latest. When the scan runs in a Linux environment you can also give a wildcard pattern to scan several images at once; for example ubuntu* scans every image whose name begins with ubuntu.

Only fail builds when a vendor fix is available:

If checked, only vulnerabilities for which the vendor has published a fix count toward failing the scan.

Vulnerability Threshold:

Severity level (such as low, medium, high or critical) at or above which any vulnerability found fails the scan.

Compliance Threshold:

Severity level at or above which any compliance issue found fails the scan.

Grace period (in days):

Number of days for which a vulnerability is still tolerated after its vendor fix is published, before it counts toward the vulnerability threshold.

Docker address:

Address of the Docker daemon that holds the image (for example unix:///var/run/docker.sock or http://hostname:port). (Required)

CA certificate:

Full path to the Docker Certificate Authority (CA) certificate in PEM format. Required only when the Docker address uses TLS; leave blank when using the Unix socket.

Client certificate:

Full path to the Docker client certificate signed by that CA, in PEM format. Required only when the Docker address uses TLS; leave blank when using the Unix socket.

Client key:

Full path to the Docker client private key in PEM format. Required only when the Docker address uses TLS; leave blank when using the Unix socket. Because this key authenticates the agent to the Docker daemon, keep the file readable only by the account the CloudBees CD agent runs as.

Output Parameter (ElectricFlow 8.3+) Description

twistlockImageScanReportUrl

URL of the Twistlock image scan text report (relative to the Commander base path)

twistlockImageScanResultJson

URL of the JSON-formatted Twistlock image scan report (relative to the Commander base path)

VulerabilityCountLow

Low Severity Vulnerability Counts

VulerabilityCountMedium

Medium Severity Vulnerability Counts

VulerabilityCountHigh

High Severity Vulnerability Counts

VulerabilityCountCritical

Critical Severity Vulnerability Counts

VulerabilityCountTotal

Total Vulnerability Counts

ComplianceCountLow

Low Severity Compliance Counts

ComplianceCountMedium

Medium Severity Compliance Counts

ComplianceCountHigh

High Severity Compliance Counts

ComplianceCountCritical

Critical Severity Compliance Counts

ComplianceCountTotal

Total Compliance Counts
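The following is an added example and is not code from the EC-Twistlock plugin or from Twistlock. It shows the two things a RunImageScan-style step has to do with the parameters and output parameters listed above: build the twistcli command line, and reduce a scan result to the VulerabilityCount*/ComplianceCount* outputs plus a pass/fail decision under the vulnerability threshold, compliance threshold and "only fail when a vendor fix is available" options. Assumptions not taken from this page: the flag names follow the `twistcli images scan` syntax as generally documented (--address, --user, --password, --docker-address, --vulnerability-threshold, --compliance-threshold, --only-fixed, --output-file, --details), the Docker TLS flag names are assumed, the JSON result layout is assumed, and SAMPLE_RESULT is constructed data. The command is built as an argv list handed to subprocess with shell=False, so a password containing a double quote is passed through unchanged rather than needing shell escaping.

```python
"""Added example (not part of the EC-Twistlock plugin): build the twistcli
command line for an image scan and evaluate a scan result the way the
RunImageScan output parameters and thresholds describe.

Assumptions (not from the page): twistcli flag names follow the
`twistcli images scan` syntax; the TLS flag names and the JSON result layout
are assumed; SAMPLE_RESULT is constructed data.
"""
import json
import subprocess

SEVERITIES = ["low", "medium", "high", "critical"]  # ascending order


def build_scan_argv(console, user, password, image, docker_address,
                    vuln_threshold=None, compliance_threshold=None,
                    only_fixed=False, ca=None, cert=None, key=None,
                    output_file=None):
    """Return the twistcli command as an argv list. Passed to subprocess.run
    with shell=False, each element (including a password containing a double
    quote) reaches twistcli unchanged, so no shell escaping is involved."""
    argv = ["twistcli", "images", "scan",
            "--address", console, "--user", user, "--password", password,
            "--docker-address", docker_address, "--details"]
    if vuln_threshold:
        argv += ["--vulnerability-threshold", vuln_threshold.lower()]
    if compliance_threshold:
        argv += ["--compliance-threshold", compliance_threshold.lower()]
    if only_fixed:
        argv.append("--only-fixed")
    if output_file:
        argv += ["--output-file", output_file]
    if any((ca, cert, key)):
        # TLS to the Docker daemon needs all three PEM files, as the parameter table says
        if not (ca and cert and key):
            raise ValueError("CA certificate, client certificate and client key "
                             "are all required for a TLS Docker address")
        # flag names assumed; confirm with `twistcli images scan --help` on your Console
        argv += ["--tlscacert", ca, "--tlscert", cert, "--tlskey", key]
    argv.append(image)
    return argv


def run_scan(argv, output_file):
    """Run twistcli and load the JSON it wrote (network call; not used offline)."""
    subprocess.run(argv, check=False)  # non-zero exit means a threshold was exceeded
    with open(output_file, encoding="utf-8") as fh:
        return json.load(fh)


def count_by_severity(findings):
    """Count findings per severity plus a total, ignoring unknown severities."""
    counts = {s: 0 for s in SEVERITIES}
    for f in findings:
        sev = str(f.get("severity", "")).lower()
        if sev in counts:
            counts[sev] += 1
    counts["total"] = sum(counts[s] for s in SEVERITIES)
    return counts


def at_or_above(findings, threshold):
    """True if any finding has a severity at or above the threshold."""
    if not threshold:
        return False
    floor = SEVERITIES.index(threshold.lower())
    return any(SEVERITIES.index(f["severity"].lower()) >= floor
               for f in findings
               if str(f.get("severity", "")).lower() in SEVERITIES)


def evaluate(result, vuln_threshold=None, compliance_threshold=None,
             only_fixed=False):
    """Return (output parameters, failed). Output names follow the plugin's
    output parameter table, including its spelling of VulerabilityCount*."""
    vulns = result.get("vulnerabilities", [])
    if only_fixed:
        # constructed convention: a non-empty "status" means a vendor fix exists
        vulns = [v for v in vulns if v.get("status")]
    comps = result.get("compliances", [])
    vc, cc = count_by_severity(vulns), count_by_severity(comps)
    outputs = {}
    for level in SEVERITIES + ["total"]:
        outputs["VulerabilityCount" + level.capitalize()] = vc[level]
        outputs["ComplianceCount" + level.capitalize()] = cc[level]
    failed = (at_or_above(vulns, vuln_threshold)
              or at_or_above(comps, compliance_threshold))
    return outputs, failed


# Constructed sample result: layout assumed, ids are placeholders, not real findings
SAMPLE_RESULT = {
    "id": "sha256:constructed",
    "vulnerabilities": [
        {"id": "constructed-1", "severity": "high", "status": "fixed in 1.2.3"},
        {"id": "constructed-2", "severity": "critical", "status": ""},
        {"id": "constructed-3", "severity": "low", "status": "fixed in 4.5"},
    ],
    "compliances": [
        {"id": "constructed-41", "severity": "high", "title": "container runs as root"},
    ],
}

if __name__ == "__main__":
    argv = build_scan_argv("https://console:8083", "scanner", 'p"ss',
                           "ubuntu:latest", "unix:///var/run/docker.sock",
                           vuln_threshold="critical", only_fixed=True)
    print(argv)  # the password stays one argv element, quote included
    print(evaluate(SAMPLE_RESULT, vuln_threshold="critical", only_fixed=True))
```

With the constructed result, a critical threshold fails the scan, but the same threshold with "only fail when a vendor fix is available" passes, because the only critical finding has no fix; the output counts change accordingly, which is what the VulerabilityCount* values let a downstream step check.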

CreateTwistlockPolicyReport

This procedure generates a Twistlock policy report listing both the vulnerability policies and the compliance policies that apply to a specific image.

Parameter Description

Configuration Name:

The name of the plugin configuration that holds the connection details for the Twistlock server. (Required)

Image:

The image for which the policy report is created, given by its exact name, for example ubuntu:latest. You can also give a wildcard pattern to create a policy report for several images at once; for example ubuntu* creates a report for every image whose name begins with ubuntu.

Result Property:

Property in which to store the results. Defaults to /myJob/TwistlockPolicyReport. Please refer to the Result Format documentation.

Result Format:

Format in which the results are stored under the result property: JSON or a property sheet. Please refer to the Result Format documentation.

Create Summary Link?

If checked, a report is generated and attached to the job or pipeline summary. Checked by default.

Known issues

In our testing on Windows environments, Twistlock CLI passwords that contain a double quote (") are not escaped when the CLI command is built, so the RunImageScan procedure fails with such a password on that platform.

Release notes

EC-Twistlock 1.0.0

  • Initial version.