Table of Contents

Introduction

Black Duck supports scanning images stored in the Azure Container Registry (ACR). Image scan results are sent to your dedicated Black Duck instance providing vulnerability, license, and operational risk results on the open source software components identified in the ECR image.

There are two ways that you can scan container images in ECR:

• Using Synopsys Detect on a local workstation
• Using an Azure DevOps Pipeline

Each method is described, below.

Using Synopsys Detect on a local workstation

Before you can scan images in ACR using Synopsys Detect, ensure that you satisfy the following requirements:

• One or more container images stored in ACR
  For more information about publishing and storing images in ACR, refer to the container registry topic about pushing images.
• Installed the Azure CLI
• Installed Docker

To locally scan container images stored in ECR, follow these steps:

1. Authenticate with ACR. The az acr login command generates an authentication token and authenticates with your registry.

   az acr login --name <acrName>

   
   

2. Invoke Synopsys Detect, and provide the following at a minimum.

   bash <(curl -s https://detect.synopsys.com/detect.sh) \ --blackduck.url=<URL> \ --blackduck.api.token=<token> \ --detect.docker.image=<Image URI> \ --detect.project.name=<Project Name>

   
   

3. 
    
   

Using Azure DevOps Pipelines

Invoking the Synopsys Detect extension to scan a Docker image stored in ACR

Talk to your authorized support representative for details on the Synopsys Detect extension.

See also: Azure DevOps (ADO) Plugin

Invoking Synopsys Detect as a script to scan a Docker image stored in ACR

If you would rather run Black Duck Detect as a Script than an extension, follow these steps:

In this example, follow the steps to create your first application using the Azure Portal.
From the available options, select  Node.js sample app > Simple Node.js app > Web App for Containers. 
You must authenticate with ACR; reference how to Authenticate with Azure Container Registry.

Start in Pipelines > Library inside Azure DevOps. 

1. Reference the Variable Groups for Builds and Releases page for how to create a Variable Group. 
   • Create a variable group for your Black Duck instance:
     • blackduck.url (value is the url of your black duck instance).
     • blackduck.api.token (value is your generated API token, secret)
   • Create a second variable group for your ACR Credentials:
     • acr.username (value is your ACR username).
     • acr.password (value is your ACR password).
2. Access your Build (CI) pipeline by expanding the Pipelines sidebar item, and then choosing Builds.
3. Select the Pipeline you want to add Black Duck Detect to, then click Edit.
4. Link your variable groups by following the steps in Use a Variable Group.
5. Add a Pipeline task for running Detect:
   • After you click Edit,  the Tasks screen of your CI Pipeline opens.
   • In the Build task, click the plus (+) sign to add a new task.
   • Use the search bar to search for bash.
   • Click Add to add the step to your pipeline.
6. Configure the bash step to run after the image has been pushed to ACR
   • Select to run an inline script.

   • Reference the following example for the script to run Detect.

     #/bin/bash   #Log in to ACR using the configured Variable Group docker login <registryname>.azurecr.io -u $(acr.username) -p $(acr.password)   #Call Detect, passing the Docker Image location bash <(curl -s https://detect.synopsys.com/detect.sh) \ --blackduck.url=$(blackduck.url) \ --blackduck.api.token=$(blackduck.api.token) \ --detect.docker.image=<registryname>.azurecr.io/<containername>:$(Build.BuildId) \ --detect.project.name=$(Build.DefinitionName) \ --detect.project.version.name=$(Build.BuildNumber)

     
     

7. Save and Queue the Pipeline, and then view the Pipeline Run Results.

8. View Scan Results in your instance of Black Duck.

For more information about using Black Duck, evaluating scan results, and more, refer to the topic Getting Started with Black Duck located here: Black Duck