
Trivy pipeline for multiple containers

  •  0
  • roteki  · Tech community  · 1 year ago

    This is my first time working with trivy and clair on Azure DevOps using a self-hosted agent, and I just tried this pipeline that I found on GitHub

    name: $(BuildDefinitionName)_$(date:yyyyMMdd)_$(BuildID)$(rev:.r)
    
    resources:
    - repo: self
    
    variables:
      image_name: openjdk
      image_tag: 17-jdk-slim
    
    jobs:
    
    - job: TrivyScanContainerImage
      displayName: Scan container image by Trivy
      steps:
    
      - script: |
          mkdir report
          trivy image -s HIGH,CRITICAL $(image_name):$(image_tag) | tee ./report/trivy-image-scan-report.txt
        displayName: "Image scan by Trivy"
        continueOnError: true
    
      - publish: ./report
        artifact: ImageScans
        displayName: Publish Clair Scan Report
        condition: always() 
    

    I would like to know how to make it work for multiple containers.

    0 replies  |  1 year ago
        1
  •  0
  •   Rui Jarimba    1 year ago

    Instead of using variables, you can declare a parameter containing an array of the images to scan, and then use a loop to generate a job for each image.

    Example

    name: $(BuildDefinitionName)_$(date:yyyyMMdd)_$(BuildID)$(rev:.r)
    
    parameters:
      - name: containerImages
        displayName: 'Container images to scan'
        type: object
        default:
          - name: openjdk
            tag: 17-jdk-slim
          - name: alpine
            tag: 3.14
          - name: nginx
            tag: latest
    
    jobs:
      - ${{ each image in parameters.containerImages }}:
        - job: scan_${{ image.name }} # must be unique, and contain 'a-zA-Z0-9_' characters only
          displayName: "Scan ${{ image.name }}:${{ image.tag }}"
          steps:
            # other tasks here
    
            - script: |
                mkdir -p report   # tee fails if the report directory does not exist
                trivy image -s HIGH,CRITICAL ${{ image.name }}:${{ image.tag }} | tee ./report/trivy-image-scan-report.txt
              displayName: "Scan ${{ image.name }}:${{ image.tag }} with Trivy"
              continueOnError: true
    
            # artifact names must be unique within one pipeline run, so include the image name
            - publish: ./report
              artifact: trivy_${{ image.name }}
              displayName: "Publish Trivy report for ${{ image.name }}"
              condition: always()
    
            # other tasks here

    Running the pipeline:

    (Screenshot: pipeline jobs)
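The template loop above generates one job per image at compile time. When the image list is only known at run time (for example, read from a file in the repository), the same fan-out can be done inside a single script step instead. The following is an added example, not code from the question or the answer: a POSIX shell function that scans each image with Trivy, writes one JSON report per image under a safe file name (the same `a-zA-Z0-9_` restriction the answer notes for job names, so `docker.io/library/nginx:latest` does not turn into a path), and returns non-zero if any image has HIGH or CRITICAL findings, using Trivy's `--exit-code 1`. The function names `safe_name` and `scan_images` are assumptions of this example; it assumes `trivy` is on `PATH`.

```shell
#!/bin/sh
# Added example (not from the original post). Assumes `trivy` is on PATH.
# safe_name and scan_images are names chosen for this example.

# Reduce an image reference such as "docker.io/library/nginx:latest" to a
# string containing only a-zA-Z0-9_ so it can be used as a file name
# (or an Azure DevOps job/artifact name).
safe_name() {
  printf '%s' "$1" | sed 's/[^a-zA-Z0-9_]/_/g'
}

# scan_images REPORT_DIR IMAGE...
# Scans every image, writes REPORT_DIR/<safe_name>.json for each one, and
# returns 1 if any image had HIGH/CRITICAL findings (Trivy exits 1 with
# --exit-code 1 when something at or above the requested severity is found).
# Every image is still scanned; the overall result is only decided at the end.
scan_images() {
  dir="$1"; shift
  mkdir -p "$dir"
  failed=0
  for img in "$@"; do
    out="$dir/$(safe_name "$img").json"
    if trivy image --severity HIGH,CRITICAL --exit-code 1 \
         --format json --output "$out" "$img"; then
      echo "PASS $img"
    else
      echo "FAIL $img (report: $out)"
      failed=1
    fi
  done
  return "$failed"
}

# Usage, e.g. from a single Azure DevOps `script:` step:
#   scan_images ./report openjdk:17-jdk-slim alpine:3.14 nginx:latest
# Then publish ./report as one artifact; the step fails if any image failed.
```

Because the gate is decided after the loop, one bad image does not hide the results for the others, and a single `publish: ./report` step then collects all reports as one artifact. Switching from `tee` to `--output` also means the script's exit status is Trivy's, not `tee`'s.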