41 changes: 41 additions & 0 deletions azure-pipelines/old-scan-engine/README.md
@@ -0,0 +1,41 @@
# Azure Pipelines Demo

In this demo we will use Azure Pipelines to build, scan and push a container image.

NOTE: This example uses the [legacy Sysdig scanning engine](https://docs.sysdig.com/en/docs/sysdig-secure/scanning/)

The workflow is as follows:

1. Build the container image and store it locally
2. Run the `sysdiglabs/secure-inline-scan:2` container to perform the scan
3. Push the container image to a remote registry

## Setup

### Variables

It is required to create a `secureApiKey` pipeline variable containing the Sysdig API token in order
to be able to perform the scan. See [the official documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/process/set-secret-variables)
for instructions on how to do it, but basically:

* Edit the pipeline
* Select "Variables"
* Add a new `secureApiKey` variable with the proper content

### Registry access

It is required to create a Docker registry "Service Connections" to be able to push images to the registry.
See [the official documentation](https://docs.microsoft.com/en-us/azure/devops/pipelines/library/service-endpoints?view=azure-devops&tabs=yaml#docker-hub-or-others)
for instructions on how to do it, but basically:

* Select Project settings > Service connections
* Select + New service connection, select the "Docker Registry", and then select Next
* Add the registry url, user & password and a Service connection name (in this example, the Service connection name is `containerRegistry`)

Then, modify the variables on the [azure-pipelines.yml](azure-pipelines.yml) file to fit your needs:

```
containerRegistryConnection: containerRegistry
imageName: "sysdiglabs/dummy-vuln-app"
tags: "latest"
```
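Review bot: the scanner image named in step 2 of the workflow, `sysdiglabs/secure-inline-scan:2`, is not the one the pipeline in this same PR runs (`quay.io/sysdig/secure-inline-scan:2` in azure-pipelines.yml); pick one reference and use it in both files so a reader who follows the README scans with the same image the pipeline does. Under "Variables", the bullet "Add a new `secureApiKey` variable with the proper content" should also say to mark the variable as secret (the lock icon); that is what the linked "set secret variables" page is about, and a plain variable expanded into the scan command would be echoed into the job log along with the script. Minor: the closing fence has no language tag (`yaml` would do), and its `tags: "latest"` should mirror the multi-line `tags: |` form the real file uses so the two snippets do not drift apart.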
35 changes: 35 additions & 0 deletions azure-pipelines/old-scan-engine/azure-pipelines.yml
@@ -0,0 +1,35 @@
pool:
vmImage: 'ubuntu-16.04'

variables:
containerRegistryConnection: containerRegistry
imageName: 'sysdiglabs/dummy-vuln-app'
tags: |
latest

steps:
- task: Docker@2
displayName: Build image
inputs:
repository: $(imageName)
command: build
tags: $(tags)

- bash: docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
quay.io/sysdig/secure-inline-scan:2 \
--sysdig-token $(secureApiKey) \
--storage-type docker-daemon \
--storage-path /var/run/docker.sock \
$(imageName):latest

- task: Docker@2
inputs:
command: 'login'
containerRegistry: $(containerRegistryConnection)

- task: Docker@2
inputs:
command: 'push'
tags: $(tags)
containerRegistry: $(containerRegistryConnection)
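Review bot: the scan step puts the API token directly on the command line (`--sysdig-token $(secureApiKey)`); macro expansion writes the literal token into the script the agent executes, so it is visible in a process listing on the agent and relies entirely on log masking to stay out of the build output. Map it explicitly instead with `env:` on the step, e.g. `SYSDIG_TOKEN: $(secureApiKey)`, and reference `"$SYSDIG_TOKEN"` inside the script. Two consistency problems in the same file: the scan hard-codes `$(imageName):latest` while build and push use `$(tags)`, so changing `tags` in the variables block pushes tags that were never scanned; derive the scanned reference from the same variable. The push task also omits `repository:` although build sets `repository: $(imageName)`; set it explicitly on push so both steps name the same image, and confirm that building without `containerRegistry` while pushing with it yields the same image name for the registry behind `containerRegistry`. Smaller points: `vmImage: 'ubuntu-16.04'` is an old pin and should move to a currently supported hosted image; mounting `/var/run/docker.sock` gives the scanner container full control of the agent's Docker daemon, which is acceptable on a throwaway hosted agent but deserves a comment for anyone running this on a self-hosted pool; and the login and push tasks lack the `displayName` the build step has.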