Introduction
In this article we will learn how to Build Docker Image, Scan it for Vulnerability before pushing to the ACR or any other docker registries.
CI/CD Workflow
Prerequisites
Docker File for which Image needs to be created. You can import to your GitHub Account.
Get the Azure Container Registry Credential and add in the secrets or Key Vault.
ACR_SERVER
REGISTRY_USERNAME
REGISTRY_PASSWORD
Workflow Details
Sample Workflow File can be downloaded from here.
# This is a basic workflow to help you get started with Actions
name: BuildScanPushDockerImage
# Controls when the workflow will run
on:
# Triggers the workflow on push or pull request events but only for the main branch
# Allows you to run this workflow manually from the Actions tab
workflow_dispatch:
inputs:
ImageVersion:
description: 'Provide the Image Version to Build'
required: true
default: '2.0'
ImageName:
description: 'Name of the Image'
required: true
default: 'demoimage'
DockerPath:
description: 'Provide the Docker Pathj Relative to Git'
required: true
default: '/SampleDockerFile'
# A workflow run is made up of one or more jobs that can run sequentially or in parallel
jobs:
# This workflow contains a single job called "build"
BuildScanPush:
# The type of runner that the job will run on
runs-on: ubuntu-latest
# Steps represent a sequence of tasks that will be executed as part of the job
steps:
# Checks-out your repository under $GITHUB_WORKSPACE, so your job can access it
- uses: actions/checkout@v3
- uses: azure/docker-login@v1
with:
login-server: ${{ secrets.ACR_SERVER }}
username: ${{ secrets.REGISTRY_USERNAME }}
password: ${{ secrets.REGISTRY_PASSWORD }}
# Build the Docker Image
- run: |
docker build ${{ github.workspace }}/${{ github.event.inputs.DockerPath }}/ -t ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}
# Scan the Image
- name: Run Trivy vulnerability scanner
uses: aquasecurity/trivy-action@master
continue-on-error: false
with:
image-ref: ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}
format: 'sarif'
output: 'trivy-results.sarif'
- name: Upload Trivy scan results to GitHub Security tab
uses: github/codeql-action/upload-sarif@v2
with:
sarif_file: 'trivy-results.sarif'
# Publish the Docker Image to ACR
- run: |
docker push ${{ secrets.ACR_SERVER }}/${{ github.event.inputs.ImageName }}:${{ github.event.inputs.ImageVersion }}
How to Configure
As part of the configuration the workflow file can be download from.
2. Create Secret for the Following Values.
ACR_SERVER
REGISTRY_USERNAME
REGISTRY_PASSWORD
3. Update the Default value as per your requirement under the workflow YAML file.
ImageVersion
ImageName
DockerPath
4. Import the Docker file to your repo. As for example you can view the repo like.
Comments