Skip to content

arindam0310018/04-Apr-2022-DevOps__Scan-Images-In-ACR-Using-Trivy

Repository files navigation

DEVOPS + ACR + TRIVY

Greetings my fellow Technology Advocates and Specialists.

In this Session, I will demonstrate how to Scan Docker Images in AZURE CONTAINER REGISTRY with AQUASEC TRIVY using AZURE DEVOPS PIPELINES

I had the Privilege to talk on this topic in THREE Azure Communities:-

NAME OF THE AZURE COMMUNITY TYPE OF SPEAKER SESSION
Microsoft Azure Zurich User Group In Person
Microsoft Azure Pakistan Community Virtual
Cloud Lunch and Learn Virtual
IN-PERSON SESSION:-
I presented ACR (Architecture and Best Practices) + Scan Images in ACR Using TRIVY and DEVOPS in MICROSOFT AZURE ZURICH USER GROUP Forum/Platform
Event Meetup Announcement:-
Image description
Moment Captured with Founder of MICROSOFT AZURE ZURICH USER GROUP "MANUEL MEYER", Co-organizer "THOMAS HAFERMALZ" and Co-Speaker "MOHAMMAD NOFAL":-
Image description
VIRTUAL SESSION:-
I presented ACR (Architecture and Best Practices) + Scan Images in ACR Using TRIVY and DEVOPS in MICROSOFT AZURE PAKISTAN COMMUNITY Forum/Platform
Event Meetup Announcement:-
Image description
LIVE RECORDED SESSION:-
LIVE DEMO was Recorded as part of my Presentation.
Duration of My Demo = 52 Mins 45 Secs
IMAGE ALT TEXT HERE
VIRTUAL SESSION:-
LIVE DEMO was Recorded as part of my Presentation in CLOUD LUNCH AND LEARN Forum/Platform
Duration of My Demo = 44 Mins 16 Secs
IMAGE ALT TEXT HERE
REQUIREMENTS:-
  1. Azure Container Registry
  2. Azure Storage Account
  3. Azure Resource Manager Service Connection
  4. Docker Registry (Azure Container Registry) Service Connection
  5. Dockerfile
  6. Sample HTML File
  7. Azure DevOps Pipeline (YAML)
  8. Trivy Ignore file (.trivyignore)
WHAT DOES THE PIPELINE DO:-
# PIPELINE TASKS
1. BUILD AND PUSH THE IMAGE IN ACR
2. DOWNLOAD AND INSTALL AQUASEC TRIVY
3. EXECUTE TRIVY SCAN AND COPY THE SCAN RESULTS IN ARTIFACTS STAGING DIRECTORY
4. PUBLISH THE ARTIFACTS
5. DOWNLOAD THE PUBLISHED ARTIFACTS
6. COPY THE AQUASEC TRIVY SCAN REPORTS TO BLOB STORAGE CONTAINER WITH DATE TIME STAMP DIRECTORY
WHY IS TRIVY IGNORE FILE (.trivyignore) REQUIRED ?
After Scanning of the Image, we identify LOW, MEDIUM, HIGH and CRITICAL Vulnerabilities. The CVE (Common Vulnerabilities and Exposures) gets listed in the Report. If for some reasons, Application team accepts the risk and wants to skip the LOW and MEDIUM Vulnerabilities from the Scan report, all we have to do is list the respective CVEs in the .trivyignore file and run the pipeline again to scan. The listed CVEs will no longer be in the Scan Report.
Below follows the contents of the Docker File:-
FROM nginx:1.15.9-alpine
COPY . /usr/share/nginx/html
Below follows the contents of the HTML File:-
<html>
<head>
    <title>TEST - ARINDAM MITRA</title>
</head>

</style>
<body>
    <h1 style="font-size:50px; color:#000000; text-align: center">TEST - ARINDAM MITRA</h1>
</body>
</html>
Below follows the contents of the YAML File (Azure DevOps):-
trigger:
  none

resources:
- repo: self

###############################################
# All Declared Variables are listed below:-
###############################################
variables:
  dockerRegistryServiceConnection: '52409f6c-7855-4be2-a142-7192521b3e3f'
  imageRepository: 'amimagescantrivy'
  containerRegistry: 'ampocapplacr.azurecr.io'
  storageaccount: 'am4prodvs4core4shell'
  resourcegroup: 'Demo-Blog-RG'
  sacontainername: 'trivy-scan-reports'
  serviceconn: 'amcloud-cicd-service-connection' 
  dockerfilePath: '$(Build.SourcesDirectory)/ACR+Trivy/Dockerfile'
  target: $(build.artifactstagingdirectory)
  artifact: AM
  tag: '$(Build.BuildId)'

  vmImageName: 'ubuntu-latest'

stages:
- stage: BUILD
  displayName: Build and Push Stage
  jobs:
  - job: BUILD_JOB
    displayName: BUILD IMAGE
    pool:
      vmImage: $(vmImageName)
    steps:

#####################################
# Build and Push the Image to ACR:-
#####################################    
    - task: Docker@2
      displayName: BUILD AND PUSH IMAGE TO ACR
      inputs:
        command: buildAndPush
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)

#######################################
# Download and Install Aquasec Trivy:-
#######################################
    - task: CmdLine@2
      displayName: DOWNLOAD AND INSTALL AQUASEC TRIVY
      inputs:
        script: |
         sudo apt-get install wget apt-transport-https gnupg lsb-release
         wget -qO - https://aquasecurity.github.io/trivy-repo/deb/public.key | sudo apt-key add -
         echo deb https://aquasecurity.github.io/trivy-repo/deb $(lsb_release -sc) main | sudo tee -a /etc/apt/sources.list.d/trivy.list
         sudo apt-get update
         sudo apt-get install trivy
         trivy -v
         pwd

##################################################################################
# Execute Trivy Scan and Copy the Scan Results in Artifacts Staging Directory:-
##################################################################################
    - task: CmdLine@2
      displayName: RUN AQUASEC TRIVY SCAN AND COPY TO ARTIFACTS STAGING DIRECTORY
      inputs:
        script: |
          trivy image --exit-code 0 --severity LOW,MEDIUM $(containerRegistry)/$(imageRepository):$(tag) > low-med.txt
          trivy image --exit-code 1 --severity HIGH,CRITICAL $(containerRegistry)/$(imageRepository):$(tag) > high-critical.txt
          ls -l
          cp -rvf *.txt $(target)

##########################
# Publish the Artifacts:-
##########################
    - task: PublishBuildArtifacts@1
      displayName: PUBLISH ARTIFACTS
      inputs:
        targetPath: '$(target)'
        artifactName: '$(artifact)'

######################################
# Download the Published Artifacts:-
######################################
    - task: DownloadBuildArtifacts@1
      displayName: DOWNLOAD ARTIFACTS
      inputs:
        buildType: 'current'
        downloadType: 'single'
        downloadPath: '$(System.ArtifactsDirectory)'

#########################################################
# The Below Code Snippet did not work because it is 
# only supported by "Windows" Build Agent
#########################################################    
    # - task: AzureFileCopy@4
    #   displayName: COPY AQUASEC TRIVY SCAN REPORTS TO BLOB STORAGE
    #   inputs:
    #     SourcePath: '$(System.ArtifactsDirectory)'
    #     azureSubscription: 'amcloud-cicd-service-connection'
    #     Destination: 'AzureBlob'
    #     storage: '$(storageaccount)'
    #     ContainerName: '$(sacontainername)/$(Date)'

###################################################################################
# Cmd in Line 118 - It works on Linux Build Agent because of the Date Format
# Cmd in Line 119 - It works on Windows Build Agent because of the Date Format
###################################################################################
    - task: AzureCLI@1
      displayName: COPY AQUASEC TRIVY SCAN REPORTS TO BLOB STORAGE
      inputs:
        azureSubscription: '$(serviceconn)'
        scriptType: ps
        scriptLocation: inlineScript
        inlineScript: |
          az storage blob upload-batch -d $(sacontainername)/$(date "+%d-%m-%Y_%H-%M-%S") --account-name $(storageaccount) --account-key $(az storage account keys list -g $(resourcegroup) -n $(storageaccount) --query [0].value -o tsv) -s $(System.ArtifactsDirectory)/AM
#         az storage blob upload-batch -d trivy-scan-reports/$(Get-Date -Format dd-MM-yyyy_HH-mm) --account-name $(storageaccount) --account-key $(az storage account keys list -g $(resourcegroup) -n $(storageaccount) --query [0].value -o tsv) -s $(System.ArtifactsDirectory)/AM

Below follows the contents of Trivy Ignore File (.trivyignore):-
# All LOW and MEDIUM Vulnerabilities has been ignored (Except 2)!!!
#CVE-2018-5711
#CVE-2018-14048
CVE-2018-14498
CVE-2019-1547
CVE-2019-1549
CVE-2019-1551
CVE-2019-1563
CVE-2019-7317
CVE-2019-11038
CVE-2019-12904
CVE-2019-13627
CVE-2020-1971
CVE-2020-14155
CVE-2020-15999
CVE-2020-24977
CVE-2020-28928
CVE-2021-3449
CVE-2021-23841
CVE-2021-23839
PIPELINE RESULTS:-
Image description
ARTIFACTS PUBLISHED:-
Image description
Image description
IMAGE SCAN REPORT STORED INSIDE STORAGE CONTAINER UNDER DATE TIME STAMP DIRECTORY:-
Image description
Image description
HOW IMAGE SCAN REPORT LOOKS LIKE:-
HIGH AND CRITICAL VULNERABILITIES IMAGE SCAN REPORT:-
Image description
LOW AND MEDIUM VULNERABILITIES IMAGE SCAN REPORT:-
Image description
Note- The Only Reason we see 2 CVEs with Severity MEDIUM is because they are commented out in .trivyignore file

Hope You Enjoyed the Session!!!

Stay Safe | Keep Learning | Spread Knowledge