
Introduction

Black Duck can scan container images stored in Google Container Registry (GCR). Scan results are sent to your Black Duck instance, which reports vulnerability, license, and operational risk for the open source software components identified in the GCR image.

There are two ways to scan container images in GCR:

  • By using Synopsys Detect on a local workstation.
  • Invoking Synopsys Detect in Cloud Build.

These methods are described in more detail in the following sections:

Using Synopsys Detect on a local workstation

Ensure that the Synopsys Detect prerequisites are satisfied before you scan images in GCR.

To scan container images stored in GCR from a local workstation, follow these steps:

Authenticate to GCR. Synopsys recommends registering gcloud as a Docker credential helper by running the following command; other authentication options are also available.

Generate Docker Login for GCR (Linux):

gcloud auth configure-docker

Invoke Synopsys Detect, providing at least the following. Note that a token passed on the command line is recorded in shell history and visible in process listings; Detect also reads any property from the equivalently named environment variable (for example BLACKDUCK_API_TOKEN), which keeps the token off the command line.

Synopsys Detect - Scanning Images:

bash <(curl -s https://detect.synopsys.com/detect.sh) \
--blackduck.url=<URL> \
--blackduck.api.token=<token> \
--detect.docker.image=<Image URI> \
--detect.project.name=<Project Name>

Using the Synopsys Cloud Build Scanner

Another way to scan Docker images in GCR is to invoke Synopsys Detect from Google Cloud Build, using the Synopsys Cloud Build Scanner image as a build step.

Scanning an image from GCR

To scan an image that already exists in GCR, first pull it and save it to a TAR archive. Detect is then invoked against the TAR rather than against the registry.

Sample build specification YAML to scan an image in GCR:

steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['pull', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}'] # Pull and save must name the same image
  - name: 'gcr.io/cloud-builders/docker'
    args: ['save', '-o', './${_IMAGE_NAME}.tar', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
    secretEnv: [ 'BD_TOKEN' ] # Token is injected from the secrets section below, never written into args
    args:
    - '--blackduck.url'
    - '<<Black Duck URL>>'
    - '--blackduck.api.token'
    - '$$BD_TOKEN' # $$ escapes the $ so Cloud Build does not treat BD_TOKEN as a substitution
    - '--blackduck.trust.cert' # Accepts the Black Duck server certificate without verification for this run
    - 'true'
    - '--detect.project.name'
    - '${_IMAGE_NAME}'
    - '--detect.project.version.name'
    - 'container-tar'
    - '--detect.tools' # List of Scanners to Run
    - 'SIGNATURE_SCAN,BINARY_SCAN'
    - '--detect.source.path' # Target for Signature Scan
    - './${_IMAGE_NAME}.tar'
    - '--detect.binary.scan.file.path'
    - './${_IMAGE_NAME}.tar' # Target for Binary Scan
    - '--detect.policy.check.fail.on.severities' # Fail the step on policy violations of this severity
    - 'BLOCKER'
substitutions:
  _IMAGE_NAME: ducky-crm-cb
options:
  substitution_option: 'ALLOW_LOOSE'
secrets:
- kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
  secretEnv:
    BD_TOKEN: <base64-encoded encrypted Black Duck Token>

...

Using Binary Authorization? The Synopsys Cloud Build Scanner can write Container Analysis attestations to your Binary Authorization attestor.

This is the preferred workflow when using Detect to attest an image, since the image must already be present in GCR before an attestation can be created.

When attesting, add a few extra arguments to the Synopsys Cloud Build Scanner step. See Attest an Image for Binary Authorization for information on setting up your attestor and keys. The attestor's PGP private key and the service-account key file referenced below are read from /workspace, so an earlier step (not shown here) must place them there; fetch them from a secret store at build time rather than committing them with the source.

Sample Build Specification YAML to Scan and Attest an Image in GCR:

steps:
  - name: 'gcr.io/cloud-builders/docker'
    args: ['pull', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['save', '-o', './${_IMAGE_NAME}.tar', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}']
  - name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
    secretEnv: [ 'PRIVATE_KEY_PASSWD', 'BD_TOKEN' ] # Both values come from the secrets section below
    args:
    - '--blackduck.url'
    - '<<Black Duck URL>>'
    - '--blackduck.api.token'
    - '$$BD_TOKEN' # $$ escapes the $ so Cloud Build does not treat BD_TOKEN as a substitution
    - '--blackduck.trust.cert' # Accepts the Black Duck server certificate without verification for this run
    - 'true'
    - '--detect.project.name'
    - '${_IMAGE_NAME}'
    - '--detect.project.version.name'
    - 'container-tar'
    - '--detect.tools' # List of Scanners to Run
    - 'SIGNATURE_SCAN,BINARY_SCAN'
    - '--detect.source.path' # Target for Signature Scan
    - './${_IMAGE_NAME}.tar'
    - '--detect.binary.scan.file.path'
    - './${_IMAGE_NAME}.tar' # Target for Binary Scan
    - '--detect.policy.check.fail.on.severities' # No attestation is written if the step fails here
    - 'BLOCKER'
    - '--binary.authorization.attestor.id'
    - 'blackduck-scan'
    - '--binary.authorization.attestor.private.key.file' # PGP signing key, placed in /workspace by an earlier step
    - '/workspace/key.pgp'
    - '--binary.authorization.image.path' # Image to attest; keep it consistent with the image pulled above
    - 'gcr.io/blackduck-dev/ducky-crm-cb:latest'
    - '--binary.authorization.attestor.key.file' # Service-account key used to write the attestation
    - '/workspace/blackduck-dev-e27bc11ea4a5.json'
substitutions:
  _IMAGE_NAME: ducky-crm-cb
options:
  substitution_option: 'ALLOW_LOOSE'
secrets:
- kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
  secretEnv:
    BD_TOKEN: <base64-encoded encrypted Black Duck Token>
    PRIVATE_KEY_PASSWD: <base64-encoded encrypted Private Key Password>

...

To scan a freshly built image that is not yet in GCR, build the image, save it to a TAR, and scan the TAR in the same build. Because the images: section pushes only after every step has succeeded, a Detect step that fails its policy check stops the image from being pushed to GCR.

Sample Build Specification YAML to Scan an Image before pushing to GCR:

steps:
  - name: 'gcr.io/cloud-builders/mvn'
    args: [ 'clean', 'compile', '-DskipTests' ]
  - name: 'gcr.io/cloud-builders/docker'
    args: ['build', '-t', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}', '.']
  - name: 'gcr.io/cloud-builders/docker'
    args: ['save', '-o', './${_IMAGE_NAME}.tar', 'gcr.io/$PROJECT_ID/${_IMAGE_NAME}'] # Scan the local image, not the registry
  - name: 'gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner'
    secretEnv: [ 'BD_TOKEN' ] # Token is injected from the secrets section below, never written into args
    args:
    - '--blackduck.url'
    - '<<Black Duck URL>>'
    - '--blackduck.api.token'
    - '$$BD_TOKEN' # $$ escapes the $ so Cloud Build does not treat BD_TOKEN as a substitution
    - '--blackduck.trust.cert' # Accepts the Black Duck server certificate without verification for this run
    - 'true'
    - '--detect.project.name'
    - '${_IMAGE_NAME}'
    - '--detect.project.version.name'
    - 'container-tar'
    - '--detect.tools' # List of Scanners to Run
    - 'SIGNATURE_SCAN,BINARY_SCAN'
    - '--detect.source.path' # Target for Signature Scan
    - './${_IMAGE_NAME}.tar'
    - '--detect.binary.scan.file.path'
    - './${_IMAGE_NAME}.tar' # Target for Binary Scan
    - '--detect.policy.check.fail.on.severities' # A failure here fails the build, so the image below is never pushed
    - 'BLOCKER'
substitutions:
  _IMAGE_NAME: ducky-crm-cb
options:
  substitution_option: 'ALLOW_LOOSE'
secrets:
- kmsKeyName: projects/[PROJECT-ID]/locations/global/keyRings/[KEYRING-NAME]/cryptoKeys/[KEY-NAME]
  secretEnv:
    BD_TOKEN: <base64-encoded encrypted Black Duck Token>
images: # Pushed only after all steps, including the scan, have succeeded
  - gcr.io/$PROJECT_ID/${_IMAGE_NAME}
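As an added example (this lint is not Synopsys' or Google's code and is not part of the original page), the following Python script checks a Cloud Build spec like the three above for the properties those samples depend on: the pulled and saved image references agree, the API token reaches the scanner only through secretEnv, a failure severity is set so the step can actually block the build, the scan targets are the TAR that docker save wrote, an attestation names the image by digest rather than by tag, and no explicit docker push step runs before the scanner. The spec is represented as a Python dict (Cloud Build also accepts JSON build configs of the same shape), so no YAML library is needed. The scanner image and Detect property names are taken from the page; the two sample specs are constructed for this example, with placeholder URL and KMS key names, and every check is this example's own recommendation.

```python
from typing import Any, Dict, List, Optional

# Image and property names as they appear on the page; every check below is this example's own.
SCANNER_IMAGE = "gcr.io/cloud-marketplace/blackduck-public/synopsys-cloudbuild-scanner"
DOCKER_BUILDER = "gcr.io/cloud-builders/docker"


def _flag_value(args: List[str], flag: str) -> Optional[str]:
    """Return the argument that follows `flag` in a scanner step's arg list, or None."""
    for i, arg in enumerate(args):
        if arg == flag and i + 1 < len(args):
            return args[i + 1]
    return None


def _declared_secrets(build: Dict[str, Any]) -> set:
    """Names a step may list in secretEnv: KMS-encrypted secrets (as on this page) or availableSecrets."""
    names = {n for block in build.get("secrets", []) for n in block.get("secretEnv", {})}
    names |= {e.get("env") for e in build.get("availableSecrets", {}).get("secretManager", [])}
    return names


def lint_build(build: Dict[str, Any]) -> List[str]:
    """Return a list of findings; an empty list means every check passed."""
    findings: List[str] = []
    steps = build.get("steps", [])
    declared = _declared_secrets(build)
    docker = [(i, s.get("args", [])) for i, s in enumerate(steps) if s.get("name") == DOCKER_BUILDER]
    pulled = [a[1] for _, a in docker if a[:1] == ["pull"]]
    saved_refs = [a[-1] for _, a in docker if a[:1] == ["save"]]
    saved_tars = [a[a.index("-o") + 1] for _, a in docker if a[:1] == ["save"] and "-o" in a]
    push_idx = [i for i, a in docker if a[:1] == ["push"]]
    # A pull that is never saved means the scanner scans a different image than the one pulled.
    for ref in pulled:
        if ref not in saved_refs:
            findings.append(f"docker pull of {ref!r} has no matching docker save")
    scanner_steps = [(i, s) for i, s in enumerate(steps) if s.get("name") == SCANNER_IMAGE]
    if not scanner_steps:
        findings.append("no Synopsys Cloud Build Scanner step")
    for idx, step in scanner_steps:
        args, secret_env = step.get("args", []), step.get("secretEnv", [])
        for name in secret_env:
            if name not in declared:
                findings.append(f"secretEnv {name!r} is not declared under secrets/availableSecrets")
        # The API token must arrive through secretEnv as $$NAME, never pasted into args.
        token = _flag_value(args, "--blackduck.api.token")
        if token is None or not token.startswith("$$") or token[2:] not in secret_env:
            findings.append("--blackduck.api.token must be a $$-reference to a secretEnv variable")
        # trust.cert=true makes Detect accept the server certificate unverified for this run.
        if _flag_value(args, "--blackduck.trust.cert") == "true":
            findings.append("--blackduck.trust.cert true disables TLS certificate checks")
        # Without a severity threshold the step reports results but never fails the build.
        if _flag_value(args, "--detect.policy.check.fail.on.severities") is None:
            findings.append("no --detect.policy.check.fail.on.severities; the scan cannot block the build")
        # Both scan targets must be a tar written by an earlier docker save step.
        for flag in ("--detect.source.path", "--detect.binary.scan.file.path"):
            target = _flag_value(args, flag)
            if target is not None and target not in saved_tars:
                findings.append(f"{flag} points at {target!r}, which no docker save step writes")
        # Binary Authorization binds an attestation to a digest; a tag can be re-pointed afterwards.
        image = _flag_value(args, "--binary.authorization.image.path")
        if image is not None and "@sha256:" not in image:
            findings.append(f"attesting {image!r} by tag; use an image@sha256:... reference")
        # A docker push step before the scanner bypasses the gate (the images: section is safe:
        # Cloud Build pushes it only after every step has succeeded).
        if any(p < idx for p in push_idx):
            findings.append("docker push runs before the scanner step; the scan cannot block the push")
    return findings


# Constructed sample mirroring the page's "scan before pushing" spec (KMS key name is a placeholder).
GATED_BUILD = {
    "steps": [
        {"name": DOCKER_BUILDER, "args": ["build", "-t", "gcr.io/$PROJECT_ID/${_IMAGE_NAME}", "."]},
        {"name": DOCKER_BUILDER, "args": ["save", "-o", "./${_IMAGE_NAME}.tar", "gcr.io/$PROJECT_ID/${_IMAGE_NAME}"]},
        {"name": SCANNER_IMAGE, "secretEnv": ["BD_TOKEN"], "args": [
            "--blackduck.api.token", "$$BD_TOKEN",
            "--blackduck.trust.cert", "true",
            "--detect.source.path", "./${_IMAGE_NAME}.tar",
            "--detect.binary.scan.file.path", "./${_IMAGE_NAME}.tar",
            "--detect.policy.check.fail.on.severities", "BLOCKER"]},
    ],
    "secrets": [{"kmsKeyName": "projects/p/locations/global/keyRings/k/cryptoKeys/c",
                 "secretEnv": {"BD_TOKEN": "<ciphertext>"}}],
    "images": ["gcr.io/$PROJECT_ID/${_IMAGE_NAME}"],
}

# Constructed sample with the mistakes the checks exist for: a pull/save mismatch, a token pasted
# into args (fake value), no severity threshold, and an attestation that names the image by tag.
BROKEN_BUILD = {
    "steps": [
        {"name": DOCKER_BUILDER, "args": ["pull", "${_IMAGE_NAME}"]},
        {"name": DOCKER_BUILDER, "args": ["save", "-o", "./${_IMAGE_NAME}.tar", "gcr.io/$PROJECT_ID/${_IMAGE_NAME}"]},
        {"name": SCANNER_IMAGE, "args": [
            "--blackduck.api.token", "ZmFrZS10b2tlbg",
            "--detect.source.path", "./${_IMAGE_NAME}.tar",
            "--detect.binary.scan.file.path", "./${_IMAGE_NAME}.tar",
            "--binary.authorization.image.path", "gcr.io/$PROJECT_ID/${_IMAGE_NAME}:latest"]},
    ],
}

if __name__ == "__main__":
    print(*lint_build(GATED_BUILD), *lint_build(BROKEN_BUILD), sep="\n")
```

Run it against a build config converted to JSON (for example with the PyYAML `yaml.safe_load` on the cloudbuild.yaml) before submitting the build; the gated sample yields only the trust.cert warning, while the broken sample reproduces the pull/save mismatch of the first sample above alongside the token, threshold, and tag findings.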

See also: Scanning images in Google Container Registry.