-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathscanDockerImage.yml
62 lines (58 loc) · 2.27 KB
/
scanDockerImage.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# Repo: FirelyTeam/azure-pipeline-templates
# File: scanDockerImage.yml
# Description: scan an docker image for vulnerabilities
parameters:
- name: 'dockerRegistryConnection'
type: 'string'
displayName: 'The Azure Docker Registry connection'
- name: 'dockerRegistryName'
type: 'string'
displayName: 'The name of the Docker registry, like firely.azure.io'
- name: 'dockerImageRepoName'
type: 'string'
displayName: 'The name of the Docker repository, like firely/server'
- name: 'dockerImageRepoVersion'
type: 'string'
displayName: 'The version of the Docker repository'
- name: 'trivyIgnoreFile'
type: 'string'
default: ''
displayName: 'The version of the Docker repository'
- name : trivyCacheAzureSubscription
type: string
default: ''
displayName: 'Subscription used to retrieve Trivy cache. If left empty, no cache will be used.'
- name : trivyCacheStorageAccount
type: string
default: ''
displayName: 'Storage account name where the Trivy cache is stored'
jobs:
- job: scanDockerImage
displayName: Scan Docker image for vulnerabilities
steps:
- checkout: self
- task: Docker@2
displayName: Login to ACR
inputs:
command: login
containerRegistry: ${{ parameters.dockerRegistryConnection }}
- task: Bash@3
displayName: 'Pull Docker image from private registry'
inputs:
targetType: inline
script: |
docker pull ${{ parameters.dockerRegistryName }}/${{ parameters.dockerImageRepoName }}:${{ parameters.dockerImageRepoVersion }}
- template: ./scanWithRetryTask.yml
parameters:
dockerExtraArguments: ""
trivyExtraArguments: "image ${{ parameters.dockerRegistryName }}/${{ parameters.dockerImageRepoName }}:${{ parameters.dockerImageRepoVersion }}"
trivyIgnoreFile: ${{ parameters.trivyIgnoreFile }}
displayName: Scan image with Trivy
trivyCacheAzureSubscription: ${{ parameters.trivyCacheAzureSubscription }}
trivyCacheStorageAccount: ${{ parameters.trivyCacheStorageAccount }}
localTrivyCachePath: $(Agent.TempDirectory)/trivy-cache
# The Trivy task does not work yet.
# - task: trivy@1
# displayName: Scan image with Trivy
# inputs:
# image: ${{ parameters.dockerRegistryName }}/${{ parameters.dockerImageRepoName }}:${{ parameters.dockerImageRepoVersion }}