Black Duck supports scanning images stored in the Azure Container Registry (ACR). Image scan results are sent to your dedicated Black Duck instance, providing vulnerability, license, and operational risk results for the open source software components identified in the ACR image.
There are two ways that you can scan container images in ACR:
Each method is described below.
Before you can scan images in ACR using Synopsys Detect, ensure that you satisfy the following requirements:
To locally scan container images stored in ACR, follow these steps:
Authenticate with ACR. The az acr login command generates an authentication token and authenticates you with your registry.
az acr login --name <acrName>
Invoke Synopsys Detect, providing at least the following:
bash <(curl -s https://detect.synopsys.com/detect.sh) \
  --blackduck.url=<URL> \
  --blackduck.api.token=<token> \
  --detect.docker.image=<Image URI> \
  --detect.project.name=<Project Name>
Talk to your authorized support representative for details on the Synopsys Detect extension.
See also: Azure DevOps (ADO) Plugin
If you would rather run Black Duck Detect as a script than as an extension, follow these steps:
In this example, follow the steps to create your first application using the Azure Portal.
From the available options, select Node.js sample app > Simple Node.js app > Web App for Containers.
You must authenticate with ACR; see Authenticate with Azure Container Registry.
Start in Pipelines > Library inside Azure DevOps.
Use the following example script to run Detect:
#!/bin/bash
# Log in to ACR using the configured Variable Group
docker login <registryname>.azurecr.io -u $(acr.username) -p $(acr.password)
# Call Detect, passing the Docker image location
bash <(curl -s https://detect.synopsys.com/detect.sh) \
  --blackduck.url=$(blackduck.url) \
  --blackduck.api.token=$(blackduck.api.token) \
  --detect.docker.image=<registryname>.azurecr.io/<containername>:$(Build.BuildId) \
  --detect.project.name=$(Build.DefinitionName) \
  --detect.project.version.name=$(Build.BuildNumber)
Save and Queue the Pipeline, and then view the Pipeline Run Results.
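The following is an added example, not a script from the Black Duck documentation or the Synopsys Detect project: a hardened variant of the pipeline script above. It keeps the same three actions (log in to ACR, fetch Detect, run it against the built image) but reads its inputs from environment variables instead of expanding pipeline macros into the command line, passes the registry password on stdin rather than with -p, fails fast when a required variable is missing, and rejects an image tag containing characters a registry tag cannot hold. The variable names (ACR_NAME, ACR_USERNAME, ACR_PASSWORD, BLACKDUCK_URL, BLACKDUCK_API_TOKEN, IMAGE_NAME, IMAGE_TAG, PROJECT_NAME, PROJECT_VERSION) are assumptions chosen for this example.

```shell
#!/bin/sh
# Added example (not from the Black Duck docs). Variable names below are
# assumptions: map them from the Azure DevOps variable group in the task's
# env: block so that secrets reach the script as environment variables
# rather than being expanded into the echoed command line.
set -eu

# Fail fast if any required variable is unset or empty, naming the first
# missing one so the pipeline log shows the cause instead of a vague error.
require_vars() {
  for name in "$@"; do
    eval "value=\${$name:-}"
    if [ -z "$value" ]; then
      echo "missing required variable: $name" >&2
      return 1
    fi
  done
  return 0
}

# Full image reference in ACR, e.g. myregistry.azurecr.io/app:123
detect_image_ref() {
  printf '%s.azurecr.io/%s:%s' "$ACR_NAME" "$IMAGE_NAME" "$IMAGE_TAG"
}

# Accept only characters a registry tag may contain, so a tag taken from a
# build variable cannot carry whitespace or shell metacharacters into Detect.
valid_tag() {
  case "$1" in
    ''|*[!A-Za-z0-9_.-]*) return 1 ;;
    *) return 0 ;;
  esac
}

main() {
  require_vars ACR_NAME ACR_USERNAME ACR_PASSWORD BLACKDUCK_URL BLACKDUCK_API_TOKEN \
               IMAGE_NAME IMAGE_TAG PROJECT_NAME PROJECT_VERSION
  valid_tag "$IMAGE_TAG" || { echo "invalid image tag: $IMAGE_TAG" >&2; return 1; }

  # Feed the registry password on stdin instead of -p so it does not appear
  # in ps output or in the pipeline step's echoed command line.
  printf '%s' "$ACR_PASSWORD" | docker login "$ACR_NAME.azurecr.io" \
    -u "$ACR_USERNAME" --password-stdin

  # Download Detect to a file first so a failed download (curl -f) stops the
  # job rather than running an empty script, and so the file can be inspected.
  curl -sSf https://detect.synopsys.com/detect.sh -o detect.sh
  bash detect.sh \
    "--blackduck.url=$BLACKDUCK_URL" \
    "--blackduck.api.token=$BLACKDUCK_API_TOKEN" \
    "--detect.docker.image=$(detect_image_ref)" \
    "--detect.project.name=$PROJECT_NAME" \
    "--detect.project.version.name=$PROJECT_VERSION"
}

# Run only when invoked as "sh scan.sh run", so the helpers above can also be
# sourced and exercised on their own.
if [ "${1:-}" = "run" ]; then main; fi
```

In the Azure DevOps Bash task, map the variable group values into the script's environment (for example ACR_PASSWORD from $(acr.password) and BLACKDUCK_API_TOKEN from $(blackduck.api.token)) and invoke the script as sh scan.sh run; the secret values then never form part of the logged command line.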
For more information about using Black Duck, evaluating scan results, and more, refer to the Getting Started with Black Duck topic: Black Duck