In the pursuit of automation we have come a long way: build, test and deployment are now routinely automated. In a world where we handle large amounts of data, security is one of our primary concerns.

What about automating vulnerability identification for container images in your CI/CD workflow? In this article I explain how to scan your Azure Container Registry-based container images with the integrated vulnerability scanner when they’re built as part of your GitHub workflows.

To set up the scanner, you’ll need to enable Microsoft Defender for container registries and the CI/CD integration. When your CI/CD workflows push images to your registries, you can view the registry scan results and a summary of the CI/CD scan results. The CI/CD scan findings enrich the existing registry scan findings produced by Qualys.

You’ll get traceability information such as the GitHub workflow and the GitHub run URL, to help identify the workflows that are resulting in vulnerable images.

Prerequisites

To scan your images as they’re pushed by CI/CD workflows into your registries, you must have Microsoft Defender for container registries enabled on the subscription.

Steps

To enable vulnerability scans of images in your GitHub workflows we need to follow these two steps:

  • Enable the CI/CD integration in Defender for Cloud
  • Add the necessary lines to your GitHub workflow

Step 1: Enable the CI/CD integration in Defender for Cloud

  1. From Defender for Cloud’s menu, open Environment settings.
  2. Select the relevant subscription.
  3. From the sidebar of the settings page for that subscription, select Integrations.
  4. In the pane that appears, select the Application Insights account to which the CI/CD scan results from your workflow will be pushed.
  5. Copy the authentication token and connection string into your GitHub workflow.

Step 2: Add the necessary lines to your GitHub workflow and perform a scan

TIP
I recommend creating two secrets in your repository to reference in your YAML file as shown below. The secrets can be named according to your own naming conventions; in this example they are referenced as AZ_APPINSIGHTS_CONNECTION_STRING and AZ_SUBSCRIPTION_TOKEN. The push to the registry must happen before the results are published.

1. From your GitHub workflow, enable CI/CD scanning as follows:

- name: Build and Tag Image
  run: |
   echo "github.sha=$GITHUB_SHA"
   docker build -t githubdemo1.azurecr.io/k8sdemo:${{ github.sha }} .

- uses: Azure/container-scan@v0
  name: Scan image for vulnerabilities
  id: container-scan
  continue-on-error: true
  with:
   image-name: githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}

- name: Push Docker image
  run: |
   docker push githubdemo1.azurecr.io/k8sdemo:${{ github.sha }}

- name: Post logs to appinsights
  uses: Azure/publish-security-assessments@v0
  with:
   scan-results-path: ${{ steps.container-scan.outputs.scan-report-path }}
   connection-string: ${{ secrets.AZ_APPINSIGHTS_CONNECTION_STRING }}
   subscription-token: ${{ secrets.AZ_SUBSCRIPTION_TOKEN }}

2. Run the workflow, which pushes the image to the selected container registry. Once the image is in the registry, a registry scan runs and you can view the CI/CD scan results alongside the registry scan results in Microsoft Defender for Cloud. Running the YAML above installs an instance of Aqua Security’s Trivy on your build runner. Trivy is licensed under the Apache 2.0 License and depends on data feeds, many of which carry their own terms of use.

3. View CI/CD scan results.

View CI/CD scan results

1. To view the findings, open the Recommendations page. If issues were found, you’ll see the recommendation “Container registry images should have vulnerability findings resolved (powered by Qualys)”.

2. Select the recommendation. The recommendation details page opens with additional information. This information includes the list of registries with vulnerable images (“Affected resources”) and the remediation steps.

3. Open the affected resources list and select an unhealthy registry to see the repositories within it that have vulnerable images.

The registry details page opens with the list of affected repositories.

4. Select a specific repository to see the vulnerable images within it.

The repository details page opens. It lists the vulnerable images together with an assessment of the severity of the findings.

5. Select a specific image to see the vulnerabilities.

The list of findings for the selected image opens.

6. To learn more about which GitHub workflow is pushing these vulnerable images, select the information bubble.