Giter Club home page Giter Club logo

container-scan's Introduction

Container Scan

This action can be used to help you add some additional checks to help you secure your Docker Images in your CI. This would help you attain some confidence in your docker image before pushing them to your container registry or a deployment.

It internally uses Trivy and Dockle for running certain kinds of scans on these images.

  • Trivy helps you find the common vulnerabilities within your docker images.
  • Dockle is a container linter, which helps you identify if you haven't followed
    • Certain best practices while building the image
    • CIS Benchmarks to secure your docker image

Action inputs

Action input Description Default Value
image-name (Required) The Docker image to be scanned ''
severity-threshold (Optional) Minimum severity threshold set to control flagging of the vulnerabilities found during the scan. The available levels are: (UNKNOWN, LOW, MEDIUM, HIGH, CRITICAL); if you set the severity-threshold to be `MEDIUM` every CVE found of a level higher than or equal to `MEDIUM` would be displayed HIGH
run-quality-checks (Optional) This is a boolean value. When set to `true` adds additional checks to ensure the image follows best practices and CIS standards. true
username (Optional) Username to authenticate to the Docker registry. This is only required when you're trying to pull an image from your private registry ''
password (Optional) Password to authenticate to the Docker registry. This is only required when you're trying to pull an image from your private registry ''

Action output

The action generates an output file consisting of detailed description of all the detected vulnerabilities and best practice violations in JSON format. This file can be accessed by using the output variable scan-report-path.

Ignoring vulnerabilities

In case you would like the action to ignore any vulnerabilities and best practice checks, create an allowedlist file at the path .github/containerscan/allowedlist.yaml in your repo. Here's an example allowedlist.yaml file.

general:
  vulnerabilities:
    - CVE-2003-1307
    - CVE-2007-0086
    - CVE-2019-3462
    - CVE-2011-3374
  bestPracticeViolations:
    - CIS-DI-0005
    - DKL-LI-0003
    - CIS-DI-0006
    - DKL-DI-0006

Install Scanitizer (currently in Beta) on your repository for more convenient management of allowedlist file.

Example YAML snippets

Container scan of an image available locally or publically available on dockerhub

- uses: azure/container-scan@v0
  with:
    image-name: my-image

Container scan of an image available on a private registry

- uses: azure/container-scan@v0
  with:
    image-name: loginServerUrl/my-image # loginServerlUrl would be empty if it's hosted on dockerhub
    username: ${{ secrets.DOCKER_USERNAME }}
    password: ${{ secrets.DOCKER_PASSWORD }}

End to end workflow

The following is an example of not just this action, but how this action could be used along with other actions to setup a CI.

Where your CI would:

  • Build a docker image
  • Scan the docker image for any security vulnerabilities
  • Publish it to your private container registry.
on: [push]

jobs:
  build-secure-and-push:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@master

    - run: docker build . -t contoso.azurecr.io/k8sdemo:${{ github.sha }}
      
    - uses: Azure/container-scan@v0
      with:
        image-name: contoso.azurecr.io/k8sdemo:${{ github.sha }}
    
    - uses: Azure/docker-login@v1
      with:
        login-server: contoso.azurecr.io
        username: ${{ secrets.REGISTRY_USERNAME }}
        password: ${{ secrets.REGISTRY_PASSWORD }}
    
    - run: docker push contoso.azurecr.io/k8sdemo:${{ github.sha }}

Contributing

This project welcomes contributions and suggestions. Most contributions require you to agree to a Contributor License Agreement (CLA) declaring that you have the right to, and actually do, grant us the rights to use your contribution. For details, visit https://cla.opensource.microsoft.com.

When you submit a pull request, a CLA bot will automatically determine whether you need to provide a CLA and decorate the PR appropriately (e.g., status check, comment). Simply follow the instructions provided by the bot. You will only need to do this once across all repos using our CLA.

This project has adopted the Microsoft Open Source Code of Conduct. For more information see the Code of Conduct FAQ or contact [email protected] with any additional questions or comments.

container-scan's People

Contributors

shigupt202 avatar dependabot[bot] avatar ajinkya599 avatar microsoftopensource avatar thesattiraju avatar microsoft-github-operations[bot] avatar

Watchers

James Cloos avatar  avatar

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    ๐Ÿ–– Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. ๐Ÿ“Š๐Ÿ“ˆ๐ŸŽ‰

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google โค๏ธ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.