Trivy image scan on private ACR #98

Emil-jonsson opened this issue Mar 1, 2024 · 1 comment
Comments

@Emil-jonsson

Description
The current documentation for the MicrosoftSecurityDevOps@1 task does not include instructions on how to perform Trivy image scans on private Azure Container Registries (ACR). This functionality is crucial, as not all users build their images on VMs with Docker; many utilize containerized agents alongside the ACR build task for image creation. Despite Trivy's documented ability to scan remote/private container registries, the MicrosoftSecurityDevOps@1 task appears to only support scanning local image locations. This discrepancy has left me unable to configure the task to target a remote repository, even though I have successfully set up remote registry scanning using Trivy in a standalone configuration.

Problem Statement
Lack of documentation and apparent functionality for scanning images in private ACRs using the MicrosoftSecurityDevOps@1 task.
The task defaults to scanning local image locations, ignoring the capability of Trivy to scan remote/private container registries.

Importance
This issue is significant for workflows that rely on containerized agents and ACR build tasks for image creation, as it limits the usability of the MicrosoftSecurityDevOps@1 task for security scanning in such environments. Enabling this functionality would greatly enhance security measures for Azure DevOps pipelines that utilize private ACRs.

Expected Behavior:

Environment variable documentation should be more descriptive and informational on how to use it, because it is not clear which Envs to use to target a remote ACR.

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    command: 'run'
    policy: 'microsoft'
    tools: 'trivy'
  env:
    TRIVY_ACTION: 'image'
    TRIVY_TARGET: 'image'
    TRIVY_AUTH_URL: 
    TRIVY_USERNAME:
    TRIVY_PASSWORD:
    TRIVY_IMAGE_SRC:
    TRIVY_REGISTRY_TOKEN:
    TRIVY_INPUT: 
    TRIVY_IMAGEPATH: 

I've tried just about every mix of environment variables, even switching between uppercase and lowercase, to get remote scanning to work, but the documentation doesn't really help make sense of how to use Trivy's environment variables with this task. It looks like the task actually does support Trivy's own environment variables, which was a surprise since it's not mentioned anywhere in the docs. This makes setting everything up for remote scanning a bit of a guessing game.

The error encountered suggests a failure to recognize the remote image location, indicating an issue with how the task is configured to interact with private container registries. The task fails to initialize a scanner for the remote image, suggesting a possible misconfiguration or lack of support for scanning images located in private ACRs.

General Error Message:

Microsoft.Guardian.TrivyRedist_linux_amd64.0.45.0/tools/trivy image --exit-code 100 --format sarif --input <registryURL>/my-image:tag --output /agent/_work/1/s/.gdn/.r/trivy/001/trivy.sarif <registryURL>/my-image:tag

FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
	* unable to open <remote image> as a Docker image: unable to open the file: open <remote image>: no such file or directory
	* unable to open <remote image> as an OCI Image: stat <remote image>/index.json: no such file or directory

Working Behavior for standalone task

- task: Bash@3
  displayName: 'Trivy scan - Generate report'
  inputs:
    targetType: 'inline'
    script: |
      trivy image --skip-db-update --exit-code 0 --severity LOW,MEDIUM,HIGH,CRITICAL registryURL/my-image:tag
  env:
    TRIVY_AUTH_URL: "https://registryURL"
    TRIVY_USERNAME: "00000000-0000-0000-0000-000000000000" # Dummy username for ACR token authentication
    TRIVY_PASSWORD: $(ACR_TOKEN) 

I am getting the acr_token with acr login task like this:

az acr login --name ContainerRegistryName --expose-token --output tsv --query accessToken

Question is why this similar setup does not work using the MicrosoftSecurityDevOps@1 task?
Could the documentation be updated to include this scenario, or could the task be enhanced to support this use case?
Has anybody else gotten this to work, in that case how?

@chrisnielsen-MS
Contributor

I have been doing some testing and found that this scenario does work in the current setup. You can see the environment variable overrides that are supported for Trivy on this wiki page: https://github.com/microsoft/security-devops-azdevops/wiki#trivy-environment-variables

From there, the --input parameter from your initial command line appears to be causing the problem. For my tests, I set only two environment variables to get the desired behavior:
GDN_TRIVY_ACTION = 'image'
GDN_TRIVY_TARGET = 'repoName.azurecr.io/imageName:tagName'

Please give this a try and let us know if it resolves your issue.
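Putting the reply's GDN_TRIVY_* overrides together with the token-based ACR login from the original post, as an added pipeline example that is not part of this issue or of the security-devops-azdevops project. It assumes the MicrosoftSecurityDevOps@1 task forwards the TRIVY_AUTH_URL/TRIVY_USERNAME/TRIVY_PASSWORD variables to Trivy (as the reporter observed but the docs do not state); the registry, image, tag and service-connection names are placeholders.

```yaml
# Added example (not from the issue or the project). Assumes TRIVY_* auth variables
# are passed through to Trivy by the task; GDN_TRIVY_* names come from the reply above.
# Placeholders: myregistry, my-image, tag, my-service-connection.
steps:
  # 1. Obtain a short-lived ACR access token and store it as a secret pipeline variable.
  - task: AzureCLI@2
    displayName: 'Get ACR access token'
    inputs:
      azureSubscription: 'my-service-connection'   # placeholder
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        set -euo pipefail
        token=$(az acr login --name myregistry --expose-token \
                  --output tsv --query accessToken)
        # issecret=true keeps the token masked in the pipeline log
        echo "##vso[task.setvariable variable=ACR_TOKEN;issecret=true]$token"

  # 2. Scan the remote image. No --input / TRIVY_INPUT is set: that flag makes Trivy
  #    use the archive scanner, which is what produced the "no such file" error above.
  #    GDN_TRIVY_TARGET carries the registry reference instead.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps - Trivy image scan'
    inputs:
      command: 'run'
      policy: 'microsoft'
      tools: 'trivy'
    env:
      GDN_TRIVY_ACTION: 'image'
      GDN_TRIVY_TARGET: 'myregistry.azurecr.io/my-image:tag'
      TRIVY_AUTH_URL: 'https://myregistry.azurecr.io'
      TRIVY_USERNAME: '00000000-0000-0000-0000-000000000000'  # ACR token-auth username
      TRIVY_PASSWORD: $(ACR_TOKEN)
```

The token from `--expose-token` is short-lived, so the login step belongs in the same job as the scan rather than in an earlier stage.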
