DevSecOps and Cloud Computing Coaching: Perform Security Scan for SpringBoot Microservice Docker image using Trivy Scanner and Azure YAML Pipeline | How to Scan Spring Boot Docker Image in Azure DevOps using Trivy Scanner

Friday, January 10, 2025

Perform Security Scan for SpringBoot Microservice Docker image using Trivy Scanner and Azure YAML Pipeline | How to Scan Spring Boot Docker Image in Azure DevOps using Trivy Scanner

Perform vulnerability scan using Trivy scanner on Azure DevOps Pipeline

What is Trivy?

Trivy is an open-source security scanner tool developed by Aqua Security. It can scan:

container images
file systems/folders
Git repositories
Kubernetes clusters
misconfiguration in files such as Terraform, K8S manifest files

Pre-requisites:

Repo created in ACR, Click here to know how to do that.
Springboot app Source code along with Dockerfile created along with the application source code
Already created Azure DevOps dashboard in

https://dev.azure.com/

ADO Yaml Pipeline for scanning docker image using Trivy scanner in Azure Hosted Build Agent:

# Perform Trivy scan for Docker image and upload docker image into ACR

trigger:
- master

resources:
- repo: self

variables:
  # Container registry service connection established during pipeline creation
  dockerRegistryServiceConnection: '723477ce-4e05-4e6e-a3c1-13bdf919a5cd'
  imageRepository: 'dockerspringbootapp'
  containerRegistry: 'myacrrepo131.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
  tag: '$(Build.BuildId)'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    - task: Maven@4
      inputs:
        mavenPomFile: 'pom.xml'
        publishJUnitResults: true
        testResultsFiles: '**/surefire-reports/TEST-*.xml'
        javaHomeOption: 'JDKVersion'
        mavenVersionOption: 'Default'
        mavenAuthenticateFeed: false
        effectivePomSkip: false
        sonarQubeRunAnalysis: false
    - task: Docker@2
      displayName: Build a Docker image 
      inputs:
        command: build
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)
    - task: Bash@3
      displayName: "Install Trivy"
      inputs:
        targetType: inline
        script: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
 # Run Trivy Scan
    - task: Bash@3
      displayName: "Run Trivy Scan"
      inputs:
        targetType: inline
        script: |
          ./bin/trivy image --severity HIGH,CRITICAL,MEDIUM --ignore-unfixed $(containerRegistry)/$(imageRepository):$(tag)
    - task: Docker@2
      displayName: push the image to container registry
      inputs:
        command: Push
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)

Scan report can be viewed in Build output of Azure Pipelines

Watch Steps in YouTube channel:

DevSecOps and Cloud Computing Coaching

Friday, January 10, 2025

Perform Security Scan for SpringBoot Microservice Docker image using Trivy Scanner and Azure YAML Pipeline | How to Scan Spring Boot Docker Image in Azure DevOps using Trivy Scanner

No comments:

Post a Comment

How to create Ubuntu 22.0.4 Virtual Machine (VM) in Azure? | Create Ubuntu 22.0.4 VM in Azure | How to connect to Azure VM from your local machine

Followers