Open Emil-jonsson opened 7 months ago
I have been doing some testing and found that this scenario does work in the current setup. You can see the environment variable overrides that are supported for Trivy on this wiki page: https://github.com/microsoft/security-devops-azdevops/wiki#trivy-environment-variables
From there, the --input parameter from your initial command line appears to be causing the problem. For my tests, I set only two environment variables to get the desired behavior:
GDN_TRIVY_ACTION = 'image'
GDN_TRIVY_TARGET = 'repoName.azurecr.io/imageName:tagName'
Please give this a try and let us know if it resolves your issue.
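The setup described in the reply above, as an added Azure Pipelines YAML example (constructed here; it is not from the original issue or from the microsoft/security-devops-azdevops project): the task is pointed at the remote image only through the GDN_TRIVY_* environment variables from the linked wiki page, with no --input parameter. The `tools: 'trivy'` input and the TRIVY_USERNAME/TRIVY_PASSWORD variables are assumptions (Trivy's own registry-credential variables, which the issue says the task passes through); `$(acr_token)` is the variable name the issue mentions and assumes a preceding ACR login step sets it as a secret.

```yaml
steps:
  # Constructed example. The ACR login step that sets acr_token is not
  # reproduced here because the issue's own step is not shown on the page.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Trivy scan of an image in a private ACR'
    inputs:
      tools: 'trivy'   # assumption: limits the run to the Trivy tool
    env:
      # From the wiki page linked in the reply: scan a registry image
      # instead of the default local target. No --input is passed.
      GDN_TRIVY_ACTION: 'image'
      GDN_TRIVY_TARGET: 'repoName.azurecr.io/imageName:tagName'
      # Assumption: Trivy's standard registry credential variables.
      # The username is the one ACR documents for token-based login
      # (az acr login --expose-token); the token comes from a secret variable.
      TRIVY_USERNAME: '00000000-0000-0000-0000-000000000000'
      TRIVY_PASSWORD: $(acr_token)
```

Because the token is mapped in through `env:` rather than written into `inputs`, it stays masked in the pipeline log; if the scan still reports that it cannot initialize a scanner for the image, the first things to check are that the GDN_TRIVY_TARGET reference matches the pushed tag exactly and that the token was issued by a step in the same job.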
Description The current documentation for the MicrosoftSecurityDevOps@1 task does not include instructions on how to perform Trivy image scans on private Azure Container Registries (ACR). This functionality is crucial, as not all users build their images on VMs with Docker; many utilize containerized agents alongside the ACR build task for image creation. Despite Trivy's documented ability to scan remote/private container registries, the MicrosoftSecurityDevOps@1 task appears to only support scanning local image locations. This discrepancy has left me unable to configure the task to target a remote repository, even though I have successfully set up remote registry scanning using Trivy in a standalone configuration.
Problem Statement Lack of documentation and apparent functionality for scanning images in private ACRs using the MicrosoftSecurityDevOps@1 task. The task defaults to scanning local image locations, ignoring the capability of Trivy to scan remote/private container registries.
Importance This issue is significant for workflows that rely on containerized agents and ACR build tasks for image creation, as it limits the usability of the MicrosoftSecurityDevOps@1 task for security scanning in such environments. Enabling this functionality would greatly enhance security measures for Azure DevOps pipelines that utilize private ACRs.
Expected Behavior:
Environment variable documentation should be more descriptive and informative on how to use it, because it is not clear which Envs to use to target a remote ACR.
I've tried just about every mix of environment variables, even switching between uppercase and lowercase, to get remote scanning to work, but the documentation doesn't really help make sense of how to use Trivy's environment variables with this task. It looks like the task actually does support Trivy's own environment variables, which was a surprise since it's not mentioned anywhere in the docs. This makes setting everything up for remote scanning a bit of a guessing game.
The error encountered suggests a failure to recognize the remote image location, indicating an issue with how the task is configured to interact with private container registries. The task fails to initialize a scanner for the remote image, suggesting a possible misconfiguration or lack of support for scanning images located in private ACRs.
General Error Message:
Working Behavior for standalone task
I am getting the acr_token with acr login task like this:
The question is why this similar setup does not work using the MicrosoftSecurityDevOps@1 task. Could the documentation be updated to include this scenario, or could the task be enhanced to support this use case? Has anybody else gotten this to work, and if so, how?