Scan A Docker Container Image With GitHub Actions

In this post, we will learn how to scan a Docker container image that is stored in Azure Container Registry (ACR) with a security vulnerabilities scan using a GitHub Actions workflow.

In the previous post, we learn how to create a GitHub Actions workflow that builds a Docker image and push it to ACR, and today we will build on that knowledge however you don’t have to build the image in the same workflow to use the scan.

Scan

The security scan will do the following, search for vulnerabilities using the Trivy scanner, use the Dockle scan for best practices recommendations and CIS benchmarks.

Workflow

The workflow code below shows the end to end code to build, push and scan a Docker image with GitHub Actions.

name: Build a Docker image and Push it to ACR

on:
  push:
    branches: [ master ]
  pull_request:
    branches: [ master ]

  workflow_dispatch:

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      
      - uses: azure/docker-login@v1
        with:
          login-server: yourACRname.azurecr.io
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}

      - run: |
          docker build . -t yourACRname.azurecr.io/appdb:${{ github.sha }}
          docker push yourACRname.azurecr.io/appdb:${{ github.sha }}

      - name: Container image scan
        uses: Azure/container-scan@v0.1
        with:
          image-name: yourACRname.azurecr.io/appdb:${{ github.sha }}
          username: ${{ secrets.ACR_USERNAME }}
          password: ${{ secrets.ACR_PASSWORD }}

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.