Join our Discord Server
Ajeet Raina Ajeet Singh Raina is a former Docker Captain, Community Leader and Distinguished Arm Ambassador. He is a founder of Collabnix blogging site and has authored more than 700+ blogs on Docker, Kubernetes and Cloud-Native Technology. He runs a community Slack of 9800+ members and discord server close to 2600+ members. You can follow him on Twitter(@ajeetsraina).

How to Integrate Docker Scout with GitHub Actions

3 min read

Docker Scout is a collection of software supply chain features that provide insights into the composition and security of container images. It analyzes image contents and generates a detailed report of packages and vulnerabilities it detects, providing suggestions for remediation.

How does it work?

Docker Scout is a feature of the Docker Desktop that provides detailed insights into the composition and security of container images. It uses SBOMs to cross-reference with streaming CVE data to surface vulnerabilities (and potential remediation) as soon as possible. An SBOM, or software bill of materials, is a nested inventory, a list of ingredients that make up software components.

Image5

Can I run Docker Scout as CLI?

Yes, Docker scout CLI plugin is available by default on Docker Desktop starting with version 4.17.

Image3

Docker Scout is available through multiple interfaces, including the Docker Desktop and Docker Hub user interfaces, as well as a web-based user interface and a command-line interface (CLI) plugin. Users can view and interact with Docker Scout through these interfaces to gain a deeper understanding of the composition and security of their container images.

Is it possible to run Docker Scout on my Linux system?

To install, run the following command in your terminal:

curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --

Manual Installation

Download the docker-scout binary corresponding to your platform from the latest or other releases. Uncompress it & Copy it in your local CLI plugin directory. Finally, you need to make it executable on Linux and macOS

chmod +x $HOME/.docker/cli-plugins/docker-scout

Don’t forget to authorize the binary to be executable on macOS

xattr -d com.apple.quarantine $HOME/.docker/cli-plugins/docker-scout

Integrating Docker Scout with GitHub Actions

GitHub Actions is a powerful CI/CD (Continuous Integration/Continuous Deployment) platform provided by GitHub. It allows developers to automate their workflows, build and test their code, and deploy applications seamlessly. By integrating Docker Scout with GitHub Actions, developers can enhance the security and quality of their containerized applications. In this article, we will explore how to integrate Docker Scout with GitHub Actions step-by-step.

Step 1: Set up a GitHub repository

To get started, create a new GitHub repository or navigate to an existing one where you want to integrate Docker Scout. Make sure you have the necessary permissions to modify the repository’s settings and workflows.

Step 2: Create a GitHub Actions workflow

Inside your repository, navigate to the “.github/workflows” directory (create it if it doesn’t exist). Create a new YAML file, e.g., “docker-scout.yml,” and open it for editing. This file will define your GitHub Actions workflow.

Step 3: Define the workflow trigger

Add the following code to the beginning of your YAML file to define the trigger for the workflow:

name: Docker Scout Integration
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - '*'

This configuration triggers the workflow on every push to the ‘main’ branch and for any pull request.

Step 4: Set up the workflow environment

Next, you need to define the environment variables required for the workflow. Add the following code to your YAML file:

env:
  REGISTRY: docker.io
  IMAGE_NAME: ${{ github.repository }}
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}

These environment variables specify the Docker registry, the image name (derived from the repository), and the commit SHA for the pull request or push event.

Step 5: Define the workflow jobs

Inside the YAML file, you can define one or more jobs that will be executed as part of the workflow. For Docker Scout integration, we’ll focus on the ‘build’ job.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ env.SHA }}

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2.5.0
        with:
          driver-opts: |
            image=moby/buildkit:v0.10.6

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v2.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4.4.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.revision=${{ env.SHA }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v4.0.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags }}
          only-severities: critical,high
          exit-code: true

In this job, the following steps are performed:

  • Checking out the repository code.
  • Setting up Docker buildx for building multi-arch images.
  • Logging into the Docker registry.
  • Extracting Docker metadata using the docker/metadata-action.
  • Building and pushing the Docker image using the docker/build-push-action.
  • Running Docker Scout using the docker/scout-action to scan for CVEs (Common Vulnerabilities and Exposures) in the image.

Note that the Docker Scout step is conditionally executed only for pull requests to avoid unnecessary scans for push events.

Step 6: Save and commit the workflow file

Save the YAML file and commit it to the repository. GitHub Actions will automatically pick up the file and start executing the workflow whenever the defined triggers are met.

Step 7: Configure secrets

To securely authenticate with Docker registries, you need to configure secrets in your GitHub repository. Secrets are encrypted environment variables that can be used in workflows. In this case, you’ll need to set up the following secrets:

DOCKER_USER: The username for the Docker registry.
DOCKER_PAT: The personal access token (PAT) or password for the Docker registry.

To set up the secrets, go to your repository’s settings, navigate to the “Secrets” tab, and add the secrets with their respective values.

Use this workflow file and try it out.

Conclusion

Integrating Docker Scout with GitHub Actions brings enhanced security and software supply chain insights to your CI/CD pipelines. By following the steps outlined in this article, you can seamlessly integrate Docker Scout into your GitHub repository’s workflows. This integration enables the automated scanning of container images for vulnerabilities, ensuring that your applications are built on secure foundations. Embracing this integration can significantly improve the quality and security of your Docker-based projects, providing peace of mind to both developers and end-users.

References

Have Queries? Join https://launchpass.com/collabnix

Ajeet Raina Ajeet Singh Raina is a former Docker Captain, Community Leader and Distinguished Arm Ambassador. He is a founder of Collabnix blogging site and has authored more than 700+ blogs on Docker, Kubernetes and Cloud-Native Technology. He runs a community Slack of 9800+ members and discord server close to 2600+ members. You can follow him on Twitter(@ajeetsraina).
Join our Discord Server
Index