How to scan docker image between it's built and it's pushed to registry?

[mih-kopylov]

A usual pipeline looks like this:

• build a docker image
• scan the image with something like https://github.com/aquasecurity/trivy
• if no vulnurabilities found, push the image to a registry

How to do the scanning step with the goreleaser? Is there a way to include custom script between build and push steps?

[caarlos0]

there is no way of doing that while releasing... you can however build snapshots and run trivvy after goreleaser ran, and fail the build if there are errors.

[mih-kopylov]

That means I have to build a docker image twice: one for snapshot, another during release command. That doesn't seem correct.

Would you like to create an enhancement ticket for this feature, to validate the built docker image before it's sent to registry?

[caarlos0]

what should happen to the rest of the release process if scanning fails? do we only skip pushing the docker images? what about the other artifacts?

if you are releasing, you should probably have tested beforehand if the image has issues or not anyway, and you'd still need to keep scanning the image afterwards due to possibly newly discovered issues in the base image or packages you use.

so... I don't believe this is something I'd want to implement, as it is confusing regarding what the behavior should be, and the benefit seems minimal.

[mih-kopylov]

That's disappointing.

A usual pipeline looks like:

1. run tests
2. build an artifact
3. upload an artifact
4. build a docker image
5. test a docker image
6. publish the image
   And if any of the steps fail, the whole pipeline fails, because there's no reason to proceed if a previous step command fails that seems evident:

• no need to build an artifact if tests failed
• no need to upload artifact or build a docker image, if artifact build failed
• no need to test a docker image if docker image build failed
• no need to publish a docker image if it failed tests

I agree, there are docker image scanning tools that make sure newly discovered vulnerabilities are not deployed to environment, but there're other tools for that.

The goreleaser covers steps from 2 to 6 excluding 5. So the only way to do the proper testing is to stop after step 4, and publish with other tools. That puts a whole "dockers" flow of goreleaser under a question - probably that should be a separate tool/binary that manages docker build/test/publish steps.

Anyway, I accept your choice.. Thanks for the answer :)