How to scan image before its pushed to the repository?
Description of the issue:
Is it possible to scan an image with Trivy for vulnerabilities before it's pushed to the repository? I have this task inside an Azure DevOps pipeline:

```yaml
- task: Maven@3
  displayName: 'Create docker image and push'
  inputs:
    mavenPomFile: ${{ parameters.jibPomFile }}
    goals: -Dmaven.repo.local=${{ parameters.mavenCache }} --batch-mode -Djacoco.skip=true -Djava.awt.headless=true com.google.cloud.tools:jib-maven-plugin:build
```
pom.xml part:

```xml
<plugin>
  <groupId>com.google.cloud.tools</groupId>
  <artifactId>jib-maven-plugin</artifactId>
  <version>${jib-maven-plugin.version}</version>
  <configuration>
    <from>
      <image>some-name/zulu-alpine:4563</image>
    </from>
    <to>some-name:${project.version}</to>
    <container>
      <jvmFlags>
        <jvmFlag>-server</jvmFlag>
        ----------
      </jvmFlags>
    </container>
  </configuration>
</plugin>
```
and I want to run this command on the image before it's pushed:

```shell
trivy image --format template --template "@$(System.DefaultWorkingDirectory)/Junit.tpl" -o junit-report.xml $IMAGE
```
Is it possible to do this somehow?
You might make it work using the jib local docker builds instead of the usual jib behaviour of pushing blobs of data straight to the registry -- there's no intermediate writing to disk, i.e. it's not doing the equivalent of docker build + docker push but more like a docker build+push to the registry.
If you want to build the Docker image and scan it before pushing, you can opt for building a TAR file instead by using jib:buildTar. The TAR file can be scanned by Trivy:
```shell
trivy image --input jib-image.tar
```
and you can then push the tar file, or do another jib:build which does push directly.
Closing as answered.
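A pipeline-side script that wires the buildTar, scan, then push sequence from the answer above into a gate, added here as an example rather than taken from the issue or from the Jib and Trivy projects. The MVN, TRIVY, TAR_PATH and SEVERITY variables, the `target/jib-image.tar` default location and the `compile` phase before the Jib goal are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not the issue's or the projects' own code): build the image to a
# local tar, scan the tar with Trivy, and push with jib:build only if the scan
# passes. MVN, TRIVY, TAR_PATH and SEVERITY are assumed, overridable env vars.
set -eu

# Assumed default output of jib:buildTar; override with TAR_PATH if yours differs.
default_tar="target/jib-image.tar"

# Step 1: write the image to a tar instead of streaming blobs to the registry.
build_tar() {
  "${MVN:-mvn}" --batch-mode compile \
    com.google.cloud.tools:jib-maven-plugin:buildTar
}

# Step 2: scan the tar. --exit-code 1 makes Trivy fail when it finds anything at
# the listed severities, which is what turns the scan into a gate.
scan_tar() {
  local tar="$1" report="${2:-trivy-report.json}"
  "${TRIVY:-trivy}" image --input "$tar" \
    --severity "${SEVERITY:-HIGH,CRITICAL}" --exit-code 1 \
    --format json -o "$report"
}

# Step 3: push only after a clean scan; jib:build rebuilds from the same sources
# and pushes straight to the registry configured in <to>.
push_image() {
  "${MVN:-mvn}" --batch-mode compile \
    com.google.cloud.tools:jib-maven-plugin:build
}

# Gate: returns 0 if the image was built, scanned clean and pushed; 1 otherwise.
gate_push() {
  local tar="${TAR_PATH:-$default_tar}"
  build_tar || { echo "jib:buildTar failed" >&2; return 1; }
  if ! scan_tar "$tar"; then
    echo "vulnerabilities found in $tar, not pushing" >&2
    return 1
  fi
  push_image
}

# Run the gate only when invoked with --run, so the functions can also be sourced.
if [ "${1:-}" = "--run" ]; then
  gate_push
fi
```

In the Azure DevOps pipeline this replaces the single Maven@3 step: a failing scan stops the job before any push happens, and the JSON report can be published as an artifact.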