Join our Discord Server
Ajeet Raina Ajeet Singh Raina is a former Docker Captain, Community Leader and Distinguished Arm Ambassador. He is a founder of Collabnix blogging site and has authored more than 700+ blogs on Docker, Kubernetes and Cloud-Native Technology. He runs a community Slack of 9800+ members and discord server close to 2600+ members. You can follow him on Twitter(@ajeetsraina).

How to Integrate Docker Scout with Microsoft Azure DevOps Pipeline

4 min read

Azure DevOps Pipeline is a powerful and flexible continuous integration and continuous delivery (CI/CD) platform provided by Microsoft. It allows you to automate the building, testing, and deployment of your applications, making the software development life cycle more efficient and reliable. With Azure DevOps Pipeline, you can define, manage, and execute pipelines that deliver code changes from development to production in a consistent and repeatable manner.

What is Docker Scout?

Docker Scout is intended for anyone involved in the SDLC that focuses on maintaining or improving the security of their application. This includes developers, DevOps engineers, security professionals, and anyone else involved in the software development lifecycle. The feature is particularly useful for organizations that need to ensure the security and compliance of their container images and want to have a detailed understanding of the software supply chain. Docker Scout can be used by individuals or teams, and is available to users with a paid Docker subscription.

Docker Scout provides developers and organizations with detailed insights into the security of their container images, enabling them to make informed decisions about how to address vulnerabilities and improve the overall security of their software.

Integration of Docker Scout and Azure DevOps Pipeline

This section of the Azure DevOps Pipeline configuration is designed to work with a repository that is connected to Azure DevOps and contains the definition and contents of a Docker image. The main purpose of this pipeline is to automate the process of building the Docker image and generating a Common Vulnerabilities and Exposures (CVE) report using Docker Scout.

What this section covers:

  • Repository Connection: The pipeline is triggered whenever there is a commit to the main branch of the repository. This indicates that there is new code or changes that need to be built into a Docker image.
  • Build Docker Image: The pipeline’s first step is to build the Docker image based on the Dockerfile provided in the repository. It uses the Docker@2 task to perform this. The image is built with a specific tag that includes the Build ID, ensuring uniqueness and traceability.
  • Install Docker Scout: Before analyzing the Docker image for CVEs, the pipeline fetches and installs the Docker Scout CLI. This is done using a curl command that downloads the necessary script and installs it on the pipeline agent.
  • Docker Hub Authentication: To interact with Docker Hub and perform the CVE analysis, the pipeline logs in to Docker Hub using credentials stored as environment variables. This is essential for Docker Scout to access the necessary information about the image.
  • CVE Analysis with Docker Scout: The pipeline then uses the Docker Scout CLI to perform a CVE analysis on the built Docker image. The command used is docker scout CVEs, and it specifies the image and tag to be analyzed. The –exit-code flag ensures that the pipeline will fail if any critical or high-severity CVEs are detected in the image.

By following this process, the pipeline automates the building of the Docker image and the CVE analysis using Docker Scout. This helps ensure that security vulnerabilities are identified and addressed early in the development process, contributing to the overall security and quality of the Docker images being produced.

Getting Started

  1. Login to Azure Portal
  1. Create New Azure DevOps Organization
  1. Create a new project.
  1. Create your Pipeline
  1. Choose the right repo(in our case, we will choose GitHub)

Provide https://github.com/dockersamples/scout-demo-voting-app as the repository URL.

7. Add Variables

To pass the Docker Hub PAT on Azure DevOps Pipeline, you can use a secret variable. A secret variable is a variable that is stored securely in Azure DevOps. You can then access the secret variable in your pipeline using the $(secret.<name>) syntax.

To create a secret variable, follow these steps:

  • Go to the Pipelines page in Azure DevOps.
  • Click on the name of the pipeline that you want to add the secret variable to.
  • Click on the Variables tab.
  • Click on the + New variable button.
  • In the Name field, enter a name for the secret variable.
  • In the Value field, enter the value of the secret variable.
  • Select the Secret checkbox.
  • Click on the Create button.
  1. Review your pipeline YAML
trigger:
- main

resources:
- repo: self

variables:
  tag: '$(Build.BuildId)'
  vote_image: 'yournamespace/scout-demo-voting-app-vote'
  result_image: 'yournamespace/scout-demo-voting-app-result'
  worker_image: 'yournamespace/scout-demo-voting-app-worker'

stages:
- stage: Build
  displayName: Build images
  jobs:
  - job: BuildResult
    displayName: Build Result service
    pool:
      vmImage: ubuntu-latest
    steps:
    - task: Docker@2
      displayName: Build an image
      inputs:
        command: build
        dockerfile: '$(Build.SourcesDirectory)/result/Dockerfile' # Path to the Dockerfile for Result service
        repository: $(result_image)
        tags: |
          $(tag)
    - task: CmdLine@2
      displayName: Find CVEs on image
      inputs:
        script: |
          # Install the Docker Scout CLI
          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
          # Login to Docker Hub required for Docker Scout CLI
          docker login -u $(DOCKER_HUB_USER) -p $(DOCKER_HUB_PAT)
          # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
          docker scout cves $(result_image):$(tag) --exit-code --only-severity critical,high

  - job: BuildWorker
    displayName: Build Worker service
    pool:
      vmImage: ubuntu-latest
    steps:
    - task: Docker@2
      displayName: Build an image
      inputs:
        command: build
        dockerfile: '$(Build.SourcesDirectory)/worker/Dockerfile' # Path to the Dockerfile for Worker service
        repository: $(worker_image)
        tags: |
          $(tag)
    - task: CmdLine@2
      displayName: Find CVEs on image
      inputs:
        script: |
          # Install the Docker Scout CLI
          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
          # Login to Docker Hub required for Docker Scout CLI
          docker login -u $(DOCKER_HUB_USER) -p $(DOCKER_HUB_PAT)
          # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
          docker scout cves $(worker_image):$(tag) --exit-code --only-severity critical,high

  - job: BuildVote
    displayName: Build Vote service
    pool:
      vmImage: ubuntu-latest
    steps:
    - task: Docker@2
      displayName: Build an image
      inputs:
        command: build
        dockerfile: '$(Build.SourcesDirectory)/vote/Dockerfile' # Path to the Dockerfile for Vote service
        repository: $(vote_image)
        tags: |
          $(tag)
    - task: CmdLine@2
      displayName: Find CVEs on image
      inputs:
        script: |
          # Install the Docker Scout CLI
          curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --
          # Login to Docker Hub required for Docker Scout CLI
          docker login -u $(DOCKER_HUB_USER) -p $(DOCKER_HUB_PAT)
          # Get a CVE report for the built image and fail the pipeline when critical or high CVEs are detected
          docker scout cves $(vote_image):$(tag) --exit-code --only-severity critical,high

You can find the azure-pipelines.yaml file for the Voting app in this link.

Results:

All the pipeline jobs were successfully run. 

Here’s the quick summary of the overall Pipeline:

Results Service Output:

Worker Service Output:

Vote Service Output:

Incorporating Docker Scout into your Azure DevOps Pipelines offers a powerful solution for streamlining secure Docker image development. This integration automates the build process while ensuring early detection and mitigation of security vulnerabilities. By implementing this approach, you can significantly enhance the security posture of your containerized applications and streamline your development workflow.

If you’re looking to bolster your Docker image security and streamline your CI/CD pipeline, consider integrating Docker Scout with Azure DevOps Pipelines. The combined power of these tools can significantly enhance your development process and deliver more secure applications.

Further Reading:

Have Queries? Join https://launchpass.com/collabnix

Ajeet Raina Ajeet Singh Raina is a former Docker Captain, Community Leader and Distinguished Arm Ambassador. He is a founder of Collabnix blogging site and has authored more than 700+ blogs on Docker, Kubernetes and Cloud-Native Technology. He runs a community Slack of 9800+ members and discord server close to 2600+ members. You can follow him on Twitter(@ajeetsraina).
Join our Discord Server
Index