Introduction
Black Duck can scan container images stored in Google Container Registry (GCR). Scan results are sent to your Black Duck instance to provide vulnerability, license, and operational risk results on the open source software components identified in the GCR image.
There are two ways to scan container images in GCR:
- By using Synopsys Detect on a local workstation.
- Invoking Synopsys Detect in Cloud Build.
Both methods are described in more detail in the following sections.
Using Synopsys Detect on a local workstation
Ensure that you satisfy the following prerequisites before scanning images in GCR with Synopsys Detect:
- One or more container images stored in GCR (for more information about publishing and storing images in GCR, refer to the Container Registry topic on pushing and pulling images)
- The gcloud CLI installed and initialized
- Docker installed
To locally scan container images stored in GCR, follow these steps:
Authenticate with GCR. Synopsys recommends using gcloud as a Docker credential helper by running the following command. Other options are also available.
```shell
gcloud auth configure-docker
```
Invoke Synopsys Detect, providing at least the following:
```shell
bash <(curl -s https://detect.synopsys.com/detect.sh) \
  --blackduck.url=<URL> \
  --blackduck.api.token=<token> \
  --detect.docker.image=<Image URI> \
  --detect.project.name=<Project Name>
```
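The following pre-flight script is an added example and is not part of the Synopsys documentation. It checks the two things that most often break the local workflow above before Detect is launched: that the image reference really points into GCR (a bare name such as `ducky-crm-cb:latest` would be pulled from Docker Hub instead), and that `gcloud auth configure-docker` has registered the gcloud credential helper for that registry host in `~/.docker/config.json`. It also warns when the image is referenced by a mutable tag rather than a digest, and it keeps the API token out of the Detect command line. Assumptions: `detect.sh` has already been downloaded to `./detect.sh`, and Detect accepts the token from the `BLACKDUCK_API_TOKEN` environment variable (Detect's environment-variable form of `blackduck.api.token`); the image reference and registry hosts in the script are constructed samples.

```python
# Added example (not Synopsys' code): pre-flight checks for a local Detect scan of a GCR image.
# Assumptions: detect.sh is already downloaded to ./detect.sh, and Detect reads the API token
# from the BLACKDUCK_API_TOKEN environment variable (env-var form of blackduck.api.token).
import json
import re

# [region.]gcr.io/<project-id>/<path>[:tag | @sha256:<64 hex>]. Project-ID rules (6-30 chars,
# lowercase, starts with a letter) are simplified; domain-scoped project IDs are not handled.
GCR_IMAGE_RE = re.compile(
    r"^(?:(?:us|eu|asia)\.)?gcr\.io/"
    r"[a-z][a-z0-9-]{4,28}[a-z0-9]/"
    r"[a-z0-9._/-]+"
    r"(?::[A-Za-z0-9._-]{1,128}|@sha256:[0-9a-f]{64})?$"
)


def validate_image_ref(ref: str) -> bool:
    """True if `ref` names an image stored in GCR (not Docker Hub, not a bare image name)."""
    return GCR_IMAGE_RE.match(ref) is not None


def registry_host(ref: str) -> str:
    """The registry host part of an image reference, e.g. 'eu.gcr.io'."""
    return ref.split("/", 1)[0]


def is_digest_pinned(ref: str) -> bool:
    """True if the reference is pinned by content digest rather than a movable tag."""
    return "@sha256:" in ref


def has_cred_helper(docker_config_json: str, host: str) -> bool:
    """True if the Docker config maps `host` to the gcloud credential helper,
    which is the entry `gcloud auth configure-docker` writes into ~/.docker/config.json."""
    try:
        cfg = json.loads(docker_config_json)
    except json.JSONDecodeError:
        return False
    return cfg.get("credHelpers", {}).get(host) == "gcloud"


def preflight(ref: str, docker_config_json: str) -> list:
    """Problems that would make the local scan fail or mislead; an empty list means proceed."""
    if not validate_image_ref(ref):
        return [f"not a GCR image reference: {ref}"]
    problems = []
    host = registry_host(ref)
    if not has_cred_helper(docker_config_json, host):
        problems.append(f"no gcloud credential helper for {host}: run 'gcloud auth configure-docker'")
    if not is_digest_pinned(ref):
        problems.append("image referenced by tag, so the same tag may later point at a different "
                        "image: prefer gcr.io/<project>/<image>@sha256:<digest>")
    return problems


def build_detect_command(ref: str, project_name: str, blackduck_url: str, environ: dict) -> list:
    """Argument vector for Detect with the API token kept out of argv (it would otherwise be
    visible in process listings and shell history); the token stays in the environment instead."""
    if not environ.get("BLACKDUCK_API_TOKEN"):
        raise RuntimeError("BLACKDUCK_API_TOKEN is not set")
    return [
        "bash", "./detect.sh",
        f"--blackduck.url={blackduck_url}",
        f"--detect.docker.image={ref}",
        f"--detect.project.name={project_name}",
    ]


if __name__ == "__main__":
    import os
    import subprocess
    from pathlib import Path

    image = "gcr.io/my-project-1/ducky-crm-cb:latest"  # constructed sample reference
    cfg_path = Path.home() / ".docker" / "config.json"
    cfg_text = cfg_path.read_text() if cfg_path.exists() else "{}"
    for problem in preflight(image, cfg_text):
        print("WARN:", problem)
    cmd = build_detect_command(image, "ducky-crm-cb", "https://blackduck.example.invalid", os.environ)
    print("running:", " ".join(cmd))
    subprocess.run(cmd, env=os.environ, check=True)
```

Run it with `BLACKDUCK_API_TOKEN` exported and `detect.sh` saved locally; the warnings are printed before Detect starts so a missing credential helper is caught before the image pull fails.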
Using the Synopsys Cloud Build Scanner
Another way to scan Docker images in GCR is to invoke Synopsys Detect from Google Cloud Build.
Scanning an image from GCR
To scan an existing image from GCR, first pull the image and save it to a TAR file. Detect can then be invoked against the TAR.
```yaml
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['pull', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['save', '-o', './${_IMAGE_NAME}.tar', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
    secretEnv: ['BD_TOKEN']
    args:
      - '--blackduck.url'
      - '<<Black Duck URL>>'
      - '--blackduck.api.token'
      - '$$BD_TOKEN'
      - '--blackduck.trust.cert'
      - 'true'
      - '--detect.project.name'
      - '${_IMAGE_NAME}'
      - '--detect.project.version.name'
      - 'container-tar'
      - '--detect.tools' # List of scanners to run
      - 'SIGNATURE_SCAN,BINARY_SCAN'
      - '--detect.source.path' # Target for the signature scan
      - './${_IMAGE_NAME}.tar'
      - '--detect.binary.scan.file.path' # Target for the binary scan
      - './${_IMAGE_NAME}.tar'
      - '--detect.policy.check.fail.on.severities'
      - 'BLOCKER'
substitutions:
  _IMAGE_NAME: ducky-crm-cb
options:
  substitution_option: 'ALLOW_LOOSE'
secrets:
  - kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
    secretEnv:
      BD_TOKEN: <base64-encoded encrypted Black Duck Token>
```
Using Binary Authorization? The Synopsys Cloud Build Scanner can write Container Analysis notes to attestors.
This is the preferred workflow when using Detect to attest an image, since the image must already be present in GCR before an attestation can be created.
If you are performing an attestation, add a few extra arguments to the Synopsys Cloud Build Scanner step. See Attest an Image for Binary Authorization for information on setting up your attestor and keys.
```yaml
steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['pull', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['save', '-o', './${_IMAGE_NAME}.tar', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
    secretEnv: ['PRIVATE_KEY_PASSWD', 'BD_TOKEN']
    args:
      - '--blackduck.url'
      - '<<Black Duck URL>>'
      - '--blackduck.api.token'
      - '$$BD_TOKEN'
      - '--blackduck.trust.cert'
      - 'true'
      - '--detect.project.name'
      - '${_IMAGE_NAME}'
      - '--detect.project.version.name'
      - 'container-tar'
      - '--detect.tools' # List of scanners to run
      - 'SIGNATURE_SCAN,BINARY_SCAN'
      - '--detect.source.path' # Target for the signature scan
      - './${_IMAGE_NAME}.tar'
      - '--detect.binary.scan.file.path' # Target for the binary scan
      - './${_IMAGE_NAME}.tar'
      - '--detect.policy.check.fail.on.severities'
      - 'BLOCKER'
      - '--binary.authorization.attestor.id'
      - 'blackduck-scan'
      - '--binary.authorization.attestor.private.key.file'
      - '/workspace/key.pgp'
      - '--binary.authorization.image.path'
      - 'gcr.io/blackduck-dev/ducky-crm-cb:latest'
      - '--binary.authorization.attestor.key.file'
      - '/workspace/blackduck-dev-e27bc11ea4a5.json'
substitutions:
  _IMAGE_NAME: ducky-crm-cb
options:
  substitution_option: 'ALLOW_LOOSE'
secrets:
  - kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
    secretEnv:
      BD_TOKEN: <base64-encoded encrypted Black Duck Token>
      PRIVATE_KEY_PASSWD: <base64-encoded encrypted Private Key Password>
```
To scan a freshly built image that is not yet present in GCR, save the image to a TAR file after building it and scan that TAR. The build can be configured so that the image is not pushed to GCR if Detect fails.
```yaml
steps:
  - name: 'gcr.io/cloud-builders/mvn'
    args: ['clean', 'compile', '-DskipTests']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}', '.']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['save', '-o', './${_IMAGE_NAME}.tar', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
    secretEnv: ['BD_TOKEN']
    args:
      - '--blackduck.url'
      - '<<Black Duck URL>>'
      - '--blackduck.api.token'
      - '$$BD_TOKEN'
      - '--blackduck.trust.cert'
      - 'true'
      - '--detect.project.name'
      - '${_IMAGE_NAME}'
      - '--detect.project.version.name'
      - 'container-tar'
      - '--detect.tools' # List of scanners to run
      - 'SIGNATURE_SCAN,BINARY_SCAN'
      - '--detect.source.path' # Target for the signature scan
      - './${_IMAGE_NAME}.tar'
      - '--detect.binary.scan.file.path' # Target for the binary scan
      - './${_IMAGE_NAME}.tar'
      - '--detect.policy.check.fail.on.severities'
      - 'BLOCKER'
substitutions:
  _IMAGE_NAME: ducky-crm-cb
options:
  substitution_option: 'ALLOW_LOOSE'
secrets:
  - kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
    secretEnv:
      BD_TOKEN: <base64-encoded encrypted Black Duck Token>
images:
  - gcr.io/$PROJECT_ID/${_IMAGE_NAME}
```
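The lint below is an added example, not Synopsys' or Google's code, and applies to all three Cloud Build configurations on this page (scan from GCR, scan with attestation, build-then-scan). It checks the properties that make the scanner step an effective gate: the Black Duck token is passed as a `$$NAME` reference to a `secretEnv` entry that is declared under `secrets` with a `kmsKeyName` (never as a literal in `args`), `--detect.policy.check.fail.on.severities` is set so a policy violation actually fails the step, and no explicit `docker push` step runs before the scanner. It also flags `--blackduck.trust.cert=true`, which disables TLS certificate verification of the Black Duck server and is worth a deliberate decision rather than a copy-paste. In practice you would load the file with `yaml.safe_load(open("cloudbuild.yaml"))`; here the page's build-then-scan config is reproduced as a dict (with a placeholder Black Duck URL) so the script runs offline, and `weakened_config()` is a constructed counter-example.

```python
# Added example (not Synopsys' or Google's code): lint a Cloud Build config that runs the
# synopsys-cloudbuild-scanner step. SAMPLE_CONFIG mirrors the page's build-then-scan config;
# the Black Duck URL is a placeholder. Real use: yaml.safe_load(open("cloudbuild.yaml")).
import copy

SCANNER_IMAGE = "gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner"

SAMPLE_CONFIG = {
    "steps": [
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["build", "-t", "gcr.io/$PROJECT_ID/${_IMAGE_NAME}", "."]},
        {"name": "gcr.io/cloud-builders/docker",
         "args": ["save", "-o", "./${_IMAGE_NAME}.tar", "gcr.io/$PROJECT_ID/${_IMAGE_NAME}"]},
        {"name": SCANNER_IMAGE,
         "secretEnv": ["BD_TOKEN"],
         "args": ["--blackduck.url", "https://blackduck.example.invalid",  # placeholder URL
                  "--blackduck.api.token", "$$BD_TOKEN",
                  "--blackduck.trust.cert", "true",
                  "--detect.project.name", "${_IMAGE_NAME}",
                  "--detect.project.version.name", "container-tar",
                  "--detect.tools", "SIGNATURE_SCAN,BINARY_SCAN",
                  "--detect.source.path", "./${_IMAGE_NAME}.tar",
                  "--detect.binary.scan.file.path", "./${_IMAGE_NAME}.tar",
                  "--detect.policy.check.fail.on.severities", "BLOCKER"]},
    ],
    "substitutions": {"_IMAGE_NAME": "ducky-crm-cb"},
    "secrets": [{"kmsKeyName": "projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]",
                 "secretEnv": {"BD_TOKEN": "<base64-encoded encrypted Black Duck Token>"}}],
    # Images listed here are pushed only after every step succeeds, so a failing scanner
    # step keeps the image out of GCR without any explicit push step.
    "images": ["gcr.io/$PROJECT_ID/${_IMAGE_NAME}"],
}


def arg_value(args, flag):
    """Value that follows `flag` in a step's args list (Detect flags are passed as pairs)."""
    for i, a in enumerate(args):
        if a == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def lint_cloudbuild(config):
    """Return a list of findings; an empty list means the scanner step is a sound gate."""
    steps = config.get("steps", [])
    findings = []
    scanner_steps = [i for i, s in enumerate(steps) if s.get("name", "").startswith(SCANNER_IMAGE)]
    if not scanner_steps:
        return ["no synopsys-cloudbuild-scanner step"]
    declared = {n for s in config.get("secrets", []) for n in s.get("secretEnv", {})}
    for s in config.get("secrets", []):
        if "kmsKeyName" not in s:
            findings.append("secrets entry without kmsKeyName")
    for i in scanner_steps:
        step = steps[i]
        args = step.get("args", [])
        step_secrets = set(step.get("secretEnv", []))
        token = arg_value(args, "--blackduck.api.token")
        if token is None:
            findings.append(f"step {i}: no --blackduck.api.token")
        elif not (token.startswith("$$") and token[2:] in step_secrets):
            findings.append(f"step {i}: API token is a literal; pass it as $$NAME with NAME in the step's secretEnv")
        for name in sorted(step_secrets - declared):
            findings.append(f"step {i}: secretEnv {name} is not declared under secrets")
        if arg_value(args, "--blackduck.trust.cert") == "true":
            findings.append(f"step {i}: --blackduck.trust.cert=true skips TLS certificate verification of the Black Duck server")
        if arg_value(args, "--detect.policy.check.fail.on.severities") is None:
            findings.append(f"step {i}: no --detect.policy.check.fail.on.severities, so policy violations cannot fail the build")
        for j in range(i):
            prior = steps[j]
            if prior.get("name", "").startswith("gcr.io/cloud-builders/docker") and prior.get("args", [])[:1] == ["push"]:
                findings.append(f"step {j}: docker push runs before the scanner step, so a failed scan cannot block it")
    return findings


def weakened_config():
    """Constructed counter-example: a literal token and an explicit push before the scan."""
    cfg = copy.deepcopy(SAMPLE_CONFIG)
    scanner = cfg["steps"][2]
    scanner["args"][scanner["args"].index("$$BD_TOKEN")] = "literal-token-value"
    cfg["steps"].insert(2, {"name": "gcr.io/cloud-builders/docker",
                            "args": ["push", "gcr.io/$PROJECT_ID/${_IMAGE_NAME}"]})
    return cfg


if __name__ == "__main__":
    for label, cfg in (("page config", SAMPLE_CONFIG), ("weakened config", weakened_config())):
        print(label)
        for finding in lint_cloudbuild(cfg) or ["  ok"]:
            print(" ", finding)
```

Against the page's own configuration the only finding is the `--blackduck.trust.cert=true` note; the weakened variant additionally reports the literal token and the premature push.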