LetsDevOps: Build Docker Image, Scan and Push to ACR, CI/CD using GitHub

Introduction

In this article we will learn how to build a Docker image, scan it for vulnerabilities, and only then push it to Azure Container Registry (ACR) or any other Docker registry, using a GitHub Actions workflow.


CI/CD Workflow




Prerequisites

  1. A Dockerfile for the image to be built. You can import the sample repository into your GitHub account.

  2. The Azure Container Registry credentials, stored as GitHub secrets (or in a Key Vault) under the following names:

  • ACR_SERVER

  • REGISTRY_USERNAME

  • REGISTRY_PASSWORD



Workflow Details


A sample workflow file can be downloaded from here:


https://github.com/sumitraj0103/Letsdevops/blob/main/.github/workflows/BuildScanPushDockerImage.yml


# This is a basic workflow to help you get started with Actions

name: BuildScanPushDockerImage

# Controls when the workflow will run
on:
  # Only manual runs are configured here; push or pull_request triggers can be added if needed

  # Allows you to run this workflow manually from the Actions tab
  workflow_dispatch:
    inputs:
      ImageVersion:
        description: 'Provide the Image Version to Build'
        required: true
        default: '2.0'
      ImageName:
        description: 'Name of the Image'
        required: true
        default: 'demoimage'
      DockerPath:
        description: 'Provide the Docker Path Relative to Git'
        required: true
        default: '/SampleDockerFile'

# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
  # This workflow contains a single job called "BuildScanPush"
  BuildScanPush:
    # The type of runner that the job will run on
    runs-on: ubuntu-latest

    # Steps represent a sequence of tasks that will be executed as part of the job
    steps:
      # Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
      - uses: actions/checkout@v3
      # Log in to ACR with the registry credentials stored as GitHub secrets
      - uses: azure/docker-login@v1
        with:
          login-server: ${{ secrets.ACR_SERVER }}
          username: ${{ secrets.REGISTRY_USERNAME }}
          password: ${{ secrets.REGISTRY_PASSWORD }}
      # Build the Docker Image
      - name: Build the Docker Image
        run: |
          docker build ${{ github.workspace }}/${{ github.event.inputs.DockerPath }}/ -t ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}

      # Scan the Image
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@master
        continue-on-error: false
        with:
          image-ref: ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}
          format: 'sarif'
          output: 'trivy-results.sarif'

      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

      # Publish the Docker Image to ACR
      - name: Publish the Docker Image to ACR
        run: |
          docker push ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}
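One thing to check before relying on this workflow as a gate: trivy-action's `exit-code` input defaults to `'0'`, so the scan step above succeeds whatever it finds and `docker push` runs anyway. The steps below are an added example, not part of the original workflow, showing how the last three steps can be rewritten so that fixable HIGH/CRITICAL findings fail the job before the push while the SARIF report is still uploaded; `<pinned-ref>` is a placeholder for a release tag or commit SHA of the action.

```yaml
      # Scan the image and fail the step on fixable HIGH/CRITICAL findings
      - name: Run Trivy vulnerability scanner
        # placeholder: pin to a release tag or commit SHA rather than @master
        uses: aquasecurity/trivy-action@<pinned-ref>
        with:
          image-ref: ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'   # only these severities are reported and counted
          ignore-unfixed: true        # findings with no available fix do not block the build
          exit-code: '1'              # non-zero exit fails this step (the default '0' never fails)

      # if: always() uploads the report even when the scan step failed,
      # so the blocking findings still appear in the Security tab
      - name: Upload Trivy scan results to GitHub Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: 'trivy-results.sarif'

      # No condition needed here: a failed scan step fails the job, and later
      # steps without if: always() are skipped, so nothing reaches the registry
      - name: Publish the Docker Image to ACR
        run: |
          docker push ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}
```

Because `severity` filters what Trivy reports, the uploaded SARIF will contain only CRITICAL and HIGH results. The upload step also needs `security-events: write` in the job's `permissions` on repositories whose default GITHUB_TOKEN is read-only.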

How to Configure

  1. Download the workflow file from:

https://github.com/sumitraj0103/Letsdevops/blob/main/.github/workflows/BuildScanPushDockerImage.yml

  2. Create secrets for the following values:

  • ACR_SERVER

  • REGISTRY_USERNAME

  • REGISTRY_PASSWORD



  3. Update the default values in the workflow YAML file as required:

  • ImageVersion

  • ImageName

  • DockerPath

  4. Import the Dockerfile into your repo, following the layout of the sample repository.

Demo