Thursday, January 9, 2025

Setup AquaSec Trivy for Vulnerability scanning | How to Set Up Trivy Scanner in Azure DevOps | How to scan Docker image using Trivy Scanner | Create Azure YAML Pipeline for scanning Docker image

How to perform a vulnerability scan with the Trivy scanner in an Azure DevOps pipeline?


Pre-requisites:

ADO YAML pipeline for scanning a Docker image with the Trivy scanner:
# Docker
# Build and push an image to Azure Container Registry
# https://docs.microsoft.com/azure/devops/pipelines/languages/docker
trigger:
- master

resources:
- repo: self

variables:
  # Container registry service connection established during pipeline creation
  dockerRegistryServiceConnection: 'd676875f-d1fb-485a-8da4-88d6bfb04604'
  imageRepository: 'mypythondockerrepo'
  containerRegistry: 'myacrrep31.azurecr.io'
  dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'
  tag: '$(Build.BuildId)'

  # Agent VM image name
  vmImageName: 'ubuntu-latest'

stages:
- stage: Build
  displayName: Build and push stage
  jobs:
  - job: Build
    displayName: Build
    pool:
      vmImage: $(vmImageName)
    steps:
    # Build the Docker image (not pushed yet)
    - task: Docker@2
      displayName: Build Docker image
      inputs:
        command: build
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)
    # Install the Trivy scanner on the agent (install.sh places the binary in ./bin)
    - task: Bash@3
      displayName: "Install Trivy"
      inputs:
        targetType: inline
        script: |
          curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh
    # Run the Trivy scan against the locally built image
    - task: Bash@3
      displayName: "Run Trivy Scan"
      inputs:
        targetType: inline
        script: |
          ./bin/trivy image --severity HIGH,CRITICAL,MEDIUM --ignore-unfixed $(containerRegistry)/$(imageRepository):$(tag)
    # Push the Docker image to the container registry
    - task: Docker@2
      displayName: push Docker image to container registry
      inputs:
        command: push
        repository: $(imageRepository)
        dockerfile: $(dockerfilePath)
        containerRegistry: $(dockerRegistryServiceConnection)
        tags: |
          $(tag)

The scan report can be viewed in the build output (job log) of Azure Pipelines.
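The scan step above prints the report but exits 0 even when it finds vulnerabilities, so the push step still runs; Trivy's `--exit-code 1` flag fails the step directly, and `--format json --output trivy.json` writes a report that a later step can evaluate. The Python gate below is an added example, not part of the original post: it applies the same severity floor and ignore-unfixed rule to a constructed sample report (placeholder CVE IDs, not real findings) and returns the exit code the step should end with.

```python
import json
import sys

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Constructed sample in the shape of Trivy's JSON report; CVE IDs are placeholders.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "myacrrep31.azurecr.io/mypythondockerrepo:42",
    "Results": [
        {"Target": "myacrrep31.azurecr.io/mypythondockerrepo:42 (debian 12.5)",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH", "FixedVersion": "1.1"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbaz", "Severity": "LOW", "FixedVersion": "3.1"},
         ]},
        {"Target": "app/requirements.txt", "Vulnerabilities": None},
    ],
})

def blocking_findings(report_json, min_severity="MEDIUM", ignore_unfixed=True):
    """Findings that should fail the build: severity at or above the floor and,
    like --ignore-unfixed, only those that have a FixedVersion."""
    floor = SEVERITY_RANK[min_severity]
    hits = []
    for result in json.loads(report_json).get("Results", []):
        # Trivy emits null (not an empty list) when a target has no vulnerabilities.
        for vuln in result.get("Vulnerabilities") or []:
            if SEVERITY_RANK.get(vuln.get("Severity", "UNKNOWN"), 0) < floor:
                continue
            if ignore_unfixed and not vuln.get("FixedVersion"):
                continue
            hits.append((result["Target"], vuln["VulnerabilityID"],
                         vuln["PkgName"], vuln["Severity"], vuln.get("FixedVersion")))
    return hits

def gate(report_json, **opts):
    """Exit code for the pipeline step: 1 blocks the push step, 0 lets it run.
    Each blocking finding is logged with the Azure Pipelines logissue command."""
    hits = blocking_findings(report_json, **opts)
    for target, vid, pkg, sev, fixed in hits:
        print(f"##vso[task.logissue type=error]{sev} {vid} in {pkg} "
              f"({target}); fixed in {fixed}")
    return 1 if hits else 0

if __name__ == "__main__":
    # Pass the path of the JSON report written by trivy; without an argument the sample is used.
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    sys.exit(gate(data))
```

In the pipeline this would be a Bash@3 step between the scan and the push, run as `python3 gate.py trivy.json` after a scan step that uses `--format json --output trivy.json`.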


2 comments:

  1. This is a highly practical article that explains how Aqua Security's Trivy can be configured for vulnerability scanning in modern development environments. The author clearly demonstrates the importance of identifying security weaknesses in containers, dependencies, and software artifacts before deployment. The step-by-step guidance makes the topic accessible while emphasizing the growing role of proactive security practices in software development and DevOps workflows.

  2. The article highlights vulnerability assessment, security scanning, and threat detection techniques that help organizations identify and remediate risks before they impact production systems. These concepts are closely related to Cyber Security Projects for Final Year Students, where security monitoring, vulnerability management, and defensive security strategies are applied to protect modern applications and infrastructure.

    Implementing automated security checks using tools like Trivy strengthens the overall security posture of software delivery pipelines and cloud-native environments. These practices align well with Information Security Projects, which focus on safeguarding digital assets through risk assessment, secure system design, and comprehensive protection mechanisms.
