Scan A Docker Container Image With GitHub Actions

In this post, we will learn how to scan a Docker container image stored in Azure Container Registry (ACR) for security vulnerabilities using a GitHub Actions workflow.

In the previous post, we learned how to create a GitHub Actions workflow that builds a Docker image and pushes it to ACR. Today we build on that knowledge, but the image does not have to be built in the same workflow for the scan to work: the scan step only needs an image reference it can pull and credentials for the registry that holds it.

Scan

The security scan step does two things: it searches the image for known vulnerabilities with the Trivy scanner, and it runs the Dockle scan, which checks the image against container best practices and the CIS Docker benchmark. Both scanners are bundled in the Azure/container-scan action, so nothing extra has to be installed on the runner, and the step fails the job when findings reach the action's severity threshold.
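The action applies a severity threshold to Trivy's findings for you. If you run Trivy yourself (for example to scan an image that was built elsewhere), you need the same gate in your own step. The script below is an added example, not code from the original post or from the Azure/container-scan action: it reads a Trivy JSON report, fails when any finding is at or above a threshold, optionally ignores findings with no fixed version, and prints GitHub Actions error annotations for the blocking ones. The report structure follows Trivy's JSON output (Results[].Vulnerabilities[], with the Vulnerabilities key absent for a clean target); the embedded sample report, its package names and its CVE-0000-000x identifiers are constructed placeholders, not real findings.

```python
"""Gate a CI job on a Trivy JSON report, the way a severity threshold does.

Added example for this post; not part of the Azure/container-scan action.
Run after `trivy image -f json -o report.json IMAGE`, or with no arguments
to evaluate the constructed sample report below.
"""
import json
import sys

# Trivy severities from least to most severe. UNKNOWN sorts lowest, so it
# only blocks when the threshold itself is UNKNOWN.
SEVERITY_ORDER = ["UNKNOWN", "LOW", "MEDIUM", "HIGH", "CRITICAL"]

# Constructed sample in the shape of Trivy's JSON output (schema version 2).
# Package names and CVE IDs are placeholders, not real vulnerabilities.
SAMPLE_REPORT = {
    "SchemaVersion": 2,
    "ArtifactName": "yourACRname.azurecr.io/appdb:deadbeef",
    "ArtifactType": "container_image",
    "Results": [
        {
            "Target": "yourACRname.azurecr.io/appdb:deadbeef (debian 11.6)",
            "Class": "os-pkgs",
            "Type": "debian",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "MEDIUM"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libexample1",
                 "InstalledVersion": "1.0-1", "FixedVersion": "1.0-3", "Severity": "HIGH"},
                # No FixedVersion: the distro has not shipped a patch yet.
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "examplecore",
                 "InstalledVersion": "2.4.0", "Severity": "CRITICAL"},
            ],
        },
        # A clean target: Trivy omits the "Vulnerabilities" key entirely here.
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip"},
    ],
}


def severity_rank(severity):
    """Numeric rank for a Trivy severity string; unrecognised values rank lowest."""
    try:
        return SEVERITY_ORDER.index(severity.upper())
    except ValueError:
        return 0


def collect_findings(report):
    """Flatten Results[].Vulnerabilities[] into one list, tolerating missing keys."""
    findings = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:
            findings.append({
                "id": vuln.get("VulnerabilityID", "?"),
                "pkg": vuln.get("PkgName", "?"),
                "installed": vuln.get("InstalledVersion", "?"),
                "fixed": vuln.get("FixedVersion") or None,
                "severity": vuln.get("Severity", "UNKNOWN").upper(),
                "target": result.get("Target", "?"),
            })
    return findings


def evaluate(report, threshold="HIGH", ignore_unfixed=False):
    """Return (passed, blocking_findings) for the given policy.

    A finding blocks when its severity is at or above `threshold`. With
    ignore_unfixed=True, findings that have no FixedVersion do not block,
    because a rebuild cannot remove them; they should still be tracked.
    """
    minimum = severity_rank(threshold)
    blocking = [
        f for f in collect_findings(report)
        if severity_rank(f["severity"]) >= minimum
        and not (ignore_unfixed and f["fixed"] is None)
    ]
    return (len(blocking) == 0, blocking)


def annotations(blocking):
    """Render blocking findings as GitHub Actions ::error annotations."""
    lines = []
    for f in blocking:
        fix = f"fixed in {f['fixed']}" if f["fixed"] else "no fix available"
        lines.append(f"::error title={f['id']}::{f['severity']} in {f['pkg']} "
                     f"{f['installed']} ({fix}) [{f['target']}]")
    return lines


def main(argv):
    """gate.py [report.json] [THRESHOLD]; exit 1 when the gate fails."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT  # demo run on the constructed sample
    threshold = argv[2] if len(argv) > 2 else "HIGH"
    passed, blocking = evaluate(report, threshold)
    for line in annotations(blocking):
        print(line)
    print(f"{len(blocking)} finding(s) at or above {threshold}: "
          f"{'PASS' if passed else 'FAIL'}")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

In a workflow the script would sit in a `run:` step after the Trivy invocation; a non-zero exit fails the job, and the `::error` lines surface each blocking finding in the run summary. Whether to pass ignore_unfixed=True is a policy choice: it keeps the gate actionable for developers, but unfixable criticals then need another owner.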

Workflow

The workflow below is the end-to-end code to build, push and scan a Docker image with GitHub Actions. Note the ordering: the image is pushed before it is scanned, so a failed scan stops the job but does not remove the image from ACR. If the registry should only ever hold images that passed, scan the locally built image first and push only after the scan step succeeds. Note also that the pull_request trigger runs this job for every pull request, and pull requests opened from forks do not receive repository secrets, so the login step will fail for those.

name: Build a Docker image and Push it to ACR

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

  # Allows the workflow to be started by hand from the Actions tab
  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2

      # Log in to ACR; the credentials come from repository secrets, never from the workflow file
      - uses: azure/docker-login@v1
        with:
          login-server: yourACRname.azurecr.io
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}

      # Tag the image with the commit SHA so every build is traceable and the tag is never reused
      - run: |
          docker build . -t yourACRname.azurecr.io/appdb:${{ github.sha }}
          docker push yourACRname.azurecr.io/appdb:${{ github.sha }}

      # Run Trivy and Dockle against the image; the username and password let the action
      # pull it from ACR when it is not already present on the runner
      - name: Container image scan
        uses: Azure/container-scan@v0.1
        with:
          image-name: yourACRname.azurecr.io/appdb:${{ github.sha }}
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}
