Scanning Azure Container Registry (ACR) images with Synopsys Detect

Introduction

Black Duck supports scanning images stored in the Azure Container Registry (ACR). Image scan results are sent to your dedicated Black Duck instance, providing vulnerability, license, and operational risk results for the open source software components identified in the ACR image.

There are two ways that you can scan container images in ACR:

  • Run Synopsys Detect on a local workstation.
  • Run Synopsys Detect from an Azure DevOps pipeline, either through the Synopsys Detect extension or as a script.

Each method is described below.

Using Synopsys Detect on a local workstation

Before you can scan images in ACR using Synopsys Detect, ensure that you satisfy the following requirements:

To locally scan container images stored in ACR, follow these steps:

  1. Authenticate with ACR. The az acr login command obtains an access token for the registry through the Azure CLI and uses it to log the local Docker client in to your registry, so the Docker daemon must be running on the workstation.

    Log in to ACR with the Azure CLI (Linux)
    az acr login --name <acrName>
  2. Invoke Synopsys Detect, and provide the following at a minimum.

    Synopsys Detect - Scanning Images
    bash <(curl -s https://detect.synopsys.com/detect.sh) \
    --blackduck.url=<URL> \
    --blackduck.api.token=<token> \
    --detect.docker.image=<Image URI> \
    --detect.project.name=<Project Name>

  3. View the scan results in your Black Duck instance.

Using Azure DevOps Pipelines

Invoking the Synopsys Detect extension to scan a Docker image stored in ACR

Talk to your authorized support representative for details on the Synopsys Detect extension.

See also: Azure DevOps (ADO) Plugin

Invoking Synopsys Detect as a script to scan a Docker image stored in ACR

If you would rather run Synopsys Detect as a script than as an extension, follow these steps:

This example assumes the pipeline created by the Azure DevOps tutorial for building your first application with the Azure Portal: from the available options, select Node.js sample app > Simple Node.js app > Web App for Containers.
The pipeline must authenticate with ACR; see Authenticate with Azure Container Registry.

Start in Pipelines > Library inside Azure DevOps. 

  1. Reference the Variable Groups for Builds and Releases page for how to create a Variable Group. 
    • Create a variable group for your Black Duck instance:
      • blackduck.url (value is the URL of your Black Duck instance).
      • blackduck.api.token (value is your generated API token; mark it as a secret variable).
    • Create a second variable group for your ACR credentials:
      • acr.username (value is your ACR username).
      • acr.password (value is your ACR password; mark it as a secret variable).
  2. Access your Build (CI) pipeline by expanding the Pipelines sidebar item, and then choosing Builds.
  3. Select the Pipeline you want to add Black Duck Detect to, then click Edit.
  4. Link your variable groups by following the steps in Use a Variable Group.
  5. Add a Pipeline task for running Detect:
    • After you click Edit,  the Tasks screen of your CI Pipeline opens.
    • In the Build task, click the plus (+) sign to add a new task.
    • Use the search bar to search for bash.
    • Click Add to add the step to your pipeline.
  6. Configure the bash step to run after the task that pushes the image to ACR, so that the tag Detect is asked to scan already exists in the registry.
    • Select to run an inline script.
    • Reference the following example for the script to run Detect.

      Configuring Detect
      #!/bin/bash
       
      # Log in to ACR using the configured variable group. The password is passed on stdin
      # rather than with -p, so it does not appear in the agent's process list or command echo.
      printf '%s' "$(acr.password)" | docker login <registryname>.azurecr.io -u "$(acr.username)" --password-stdin
       
      # Call Detect, passing the Docker image location (the tag is this build's ID)
      bash <(curl -s https://detect.synopsys.com/detect.sh) \
      --blackduck.url=$(blackduck.url) \
      --blackduck.api.token=$(blackduck.api.token) \
      --detect.docker.image=<registryname>.azurecr.io/<containername>:$(Build.BuildId) \
      --detect.project.name="$(Build.DefinitionName)" \
      --detect.project.version.name="$(Build.BuildNumber)"
  7. Save and Queue the Pipeline, and then view the Pipeline Run Results.

  8. View Scan Results in your instance of Black Duck.
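The following script is an added example, not the page's own script or Synopsys code. It serves both procedures above (the local workstation scan and the pipeline step) as a hardened version of the inline bash task: it refuses to start with any setting missing, validates the registry, repository and tag before building the image reference, logs in to ACR with the password on stdin instead of on the command line, and runs Detect from a downloaded copy of detect.sh. The environment variable names ACR_REGISTRY, ACR_USERNAME, ACR_PASSWORD, BLACKDUCK_URL, BLACKDUCK_API_TOKEN, IMAGE_REPO, IMAGE_TAG and DETECT_VERSION are assumptions; in Azure DevOps, map them from your variable groups in the task's env block so that secrets are not expanded into the script body. BUILD_DEFINITIONNAME and BUILD_BUILDNUMBER are the environment forms of the Build.DefinitionName and Build.BuildNumber pipeline variables.

```shell
#!/usr/bin/env bash
# Added example (not from the original page). Hardened form of the inline
# pipeline step. Assumed environment variables: ACR_REGISTRY, ACR_USERNAME,
# ACR_PASSWORD, BLACKDUCK_URL, BLACKDUCK_API_TOKEN, IMAGE_REPO, IMAGE_TAG,
# and optionally DETECT_VERSION. Map them from your variable groups in the
# task's env block. POSIX sh constructs only, so it also runs under sh.
set -eu

# Fail fast with a readable message instead of letting Detect fail part-way.
require_var() {
  if [ -z "$2" ]; then
    printf 'error: %s is not set\n' "$1" >&2
    return 1
  fi
}

# Build <registry>.azurecr.io/<repo>:<tag> after validating each part:
# ACR registry names are 5-50 alphanumerics, repositories are lower-case
# path segments, and tags follow Docker's [A-Za-z0-9_][A-Za-z0-9_.-]{0,127}.
acr_image_ref() {
  registry="$1"; repo="$2"; tag="$3"
  case "$registry" in
    ""|*[!A-Za-z0-9]*) printf 'error: bad registry name: %s\n' "$registry" >&2; return 1 ;;
  esac
  if [ "${#registry}" -lt 5 ] || [ "${#registry}" -gt 50 ]; then
    printf 'error: registry name must be 5-50 characters\n' >&2; return 1
  fi
  case "$repo" in
    ""|*[!a-z0-9._/-]*) printf 'error: bad repository name: %s\n' "$repo" >&2; return 1 ;;
  esac
  case "$tag" in
    ""|*[!A-Za-z0-9_.-]*|.*|-*) printf 'error: bad tag: %s\n' "$tag" >&2; return 1 ;;
  esac
  if [ "${#tag}" -gt 128 ]; then
    printf 'error: tag longer than 128 characters\n' >&2; return 1
  fi
  printf '%s.azurecr.io/%s:%s\n' "$registry" "$repo" "$tag"
}

# Log in with the password on stdin. A -p argument is visible in `ps` on the
# agent and in any command echo; --password-stdin is not.
acr_login() {
  printf '%s' "$ACR_PASSWORD" |
    docker login "$1.azurecr.io" --username "$2" --password-stdin
}

# Download detect.sh to a temp file and run it. Setting DETECT_VERSION
# (assumed name) pins the Detect release via the DETECT_LATEST_RELEASE_VERSION
# variable that detect.sh honours, instead of silently taking the latest.
run_detect() {
  image="$1"
  tmp=$(mktemp -d)
  curl -fsSL https://detect.synopsys.com/detect.sh -o "$tmp/detect.sh"
  if [ -n "${DETECT_VERSION:-}" ]; then
    export DETECT_LATEST_RELEASE_VERSION="$DETECT_VERSION"
  fi
  bash "$tmp/detect.sh" \
    "--blackduck.url=$BLACKDUCK_URL" \
    "--blackduck.api.token=$BLACKDUCK_API_TOKEN" \
    "--detect.docker.image=$image" \
    "--detect.project.name=${BUILD_DEFINITIONNAME:-$IMAGE_REPO}" \
    "--detect.project.version.name=${BUILD_BUILDNUMBER:-$IMAGE_TAG}"
  rm -rf "$tmp"
}

main() {
  require_var ACR_REGISTRY "${ACR_REGISTRY:-}"
  require_var ACR_USERNAME "${ACR_USERNAME:-}"
  require_var ACR_PASSWORD "${ACR_PASSWORD:-}"
  require_var BLACKDUCK_URL "${BLACKDUCK_URL:-}"
  require_var BLACKDUCK_API_TOKEN "${BLACKDUCK_API_TOKEN:-}"
  require_var IMAGE_REPO "${IMAGE_REPO:-}"
  require_var IMAGE_TAG "${IMAGE_TAG:-}"
  image=$(acr_image_ref "$ACR_REGISTRY" "$IMAGE_REPO" "$IMAGE_TAG")
  acr_login "$ACR_REGISTRY" "$ACR_USERNAME"
  run_detect "$image"
}

# Run the scan only when configured (ACR_REGISTRY set); sourcing the file
# without configuration just defines the functions.
if [ -n "${ACR_REGISTRY:-}" ]; then
  main
fi
```

On a workstation, export the variables (the password can come from `az acr credential show` or a token from `az acr login --expose-token`) and run the file; in the pipeline, paste it into the bash task with the variables supplied through env so that the secret values are never part of the script text that Azure DevOps writes to disk on the agent.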

For more information about using Black Duck, evaluating scan results, and more, refer to the topic Getting Started with Black Duck located here: Black Duck


©2020 Synopsys, Inc. All Rights Reserved