From 2fd9d06448b2d4304328a82e37d214717523c353 Mon Sep 17 00:00:00 2001
From: Eduardo Minguez
Date: Wed, 14 Sep 2022 13:10:46 +0200
Subject: [PATCH] Added legacy scanner for Azure pipelines

---
 azure-pipelines/old-scan-engine/README.md | 41 +++++++++++++++++++
 .../old-scan-engine/azure-pipelines.yml | 35 ++++++++++++++++
 2 files changed, 76 insertions(+)
 create mode 100644 azure-pipelines/old-scan-engine/README.md
 create mode 100644 azure-pipelines/old-scan-engine/azure-pipelines.yml

diff --git a/azure-pipelines/old-scan-engine/README.md b/azure-pipelines/old-scan-engine/README.md
new file mode 100644
index 0000000..727e546
--- /dev/null
+++ b/azure-pipelines/old-scan-engine/README.md
@@ -0,0 +1,41 @@
+# Azure Pipelines Demo
+
+In this demo we will use Azure Pipelines to build, scan and push a container image.
+
+NOTE: This example uses the [legacy Sysdig scanning engine](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)
+
+The workflow is as follows:
+
+1. Build the container image and store it locally
+2. Run the `sysdiglabs/secure-inline-scan:2` container to perform the scan
+3. Push the container image to a remote registry
+
+## Setup
+
+### Variables
+
+It is required to create a `secureApiKey` pipeline variable containing the Sysdig API token in order
+to be able to perform the scan. See [the official documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables)
+for instructions on how to do it, but basically:
+
+* Edit the pipeline
+* Select "Variables"
+* Add a new `secureApiKey` variable with the proper content
+
+### Registry access
+
+It is required to create a Docker registry "Service Connections" to be able to push images to the registry.
+See [the official documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-hub-or-others)
+for instructions on how to do it, but basically:
+
+* Select Project settings > Service connections
+* Select + New service connection, select the "Docker Registry", and then select Next
+* Add the registry url, user & password and a Service connection name (in this example, the Service connection name is `containerRegistry`)
+
+Then, modify the variables on the [azure-pipelines.yml](azure-pipelines.yml) file to fit your needs:
+
+```
+containerRegistryConnection: containerRegistry
+imageName: "sysdiglabs/dummy-vuln-app"
+tags: "latest"
+```
diff --git a/azure-pipelines/old-scan-engine/azure-pipelines.yml b/azure-pipelines/old-scan-engine/azure-pipelines.yml
new file mode 100644
index 0000000..c7c418e
--- /dev/null
+++ b/azure-pipelines/old-scan-engine/azure-pipelines.yml
@@ -0,0 +1,35 @@
+pool:
+  vmImage: 'ubuntu-16.04'
+
+variables:
+  containerRegistryConnection: containerRegistry
+  imageName: 'sysdiglabs/dummy-vuln-app'
+  tags: |
+    latest
+
+steps:
+- task: Docker@2
+  displayName: Build image
+  inputs:
+    repository: $(imageName)
+    command: build
+    tags: $(tags)
+
+- bash: docker run --rm \
+    -v /var/run/docker.sock:/var/run/docker.sock \
+    quay.io/sysdig/secure-inline-scan:2 \
+    --sysdig-token $(secureApiKey) \
+    --storage-type docker-daemon \
+    --storage-path /var/run/docker.sock \
+    $(imageName):latest
+
+- task: Docker@2
+  inputs:
+    command: 'login'
+    containerRegistry: $(containerRegistryConnection)
+
+- task: Docker@2
+  inputs:
+    command: 'push'
+    tags: $(tags)
+    containerRegistry: $(containerRegistryConnection)
\ No newline at end of file
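Review bot: The scan step's `docker run` command is written as a multi-line plain scalar, so YAML folds each line break into a space and bash sees `\ ` (an escaped space) instead of a line continuation, which mangles the argument list and means the scan that is supposed to gate the push does not run as intended; writing it as a block scalar (`bash: |`) keeps the trailing backslashes meaningful. Passing the token as `--sysdig-token $(secureApiKey)` also expands the secret into the generated script on the agent; mapping it through `env:` and referencing `"$SECURE_API_KEY"` is the documented way to hand a secret variable to a script, though it still appears in the `docker run` argument list. `vmImage: 'ubuntu-16.04'` names a hosted image that, as far as I recall, was retired from Microsoft-hosted agents before this commit's date, so the pipeline likely fails at queue time — confirm against the current image list and prefer a supported image. Separately, the README refers to the scanner as `sysdiglabs/secure-inline-scan:2` while this file pulls `quay.io/sysdig/secure-inline-scan:2`; the two should agree.
```yaml
# … unchanged: pool, variables, build step …
- bash: |
    docker run --rm \
      -v /var/run/docker.sock:/var/run/docker.sock \
      quay.io/sysdig/secure-inline-scan:2 \
      --sysdig-token "$SECURE_API_KEY" \
      --storage-type docker-daemon \
      --storage-path /var/run/docker.sock \
      $(imageName):latest
  env:
    SECURE_API_KEY: $(secureApiKey)
# … unchanged: login and push steps …
```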