microsoft / security-devops-azdevops

Microsoft Security DevOps extension for Azure DevOps.
MIT License

Trivy image scan on private ACR #98

Open Emil-jonsson opened 7 months ago

Emil-jonsson commented 7 months ago

Description

The current documentation for the MicrosoftSecurityDevOps@1 task does not include instructions on how to perform Trivy image scans on private Azure Container Registries (ACR). This functionality is crucial, as not all users build their images on VMs with Docker; many utilize containerized agents alongside the ACR build task for image creation. Despite Trivy's documented ability to scan remote/private container registries, the MicrosoftSecurityDevOps@1 task appears to only support scanning local image locations. This discrepancy has left me unable to configure the task to target a remote repository, even though I have successfully set up remote registry scanning using Trivy in a standalone configuration.

Problem Statement

Lack of documentation and apparent functionality for scanning images in private ACRs using the MicrosoftSecurityDevOps@1 task. The task defaults to scanning local image locations, ignoring the capability of Trivy to scan remote/private container registries.

Importance

This issue is significant for workflows that rely on containerized agents and ACR build tasks for image creation, as it limits the usability of the MicrosoftSecurityDevOps@1 task for security scanning in such environments. Enabling this functionality would greatly enhance security measures for Azure DevOps pipelines that utilize private ACRs.

Expected Behavior:

Environment variable documentation should be more descriptive and informational on how to use it, because it is not clear what Envs to use to target a remote ACR.

- task: MicrosoftSecurityDevOps@1
  displayName: 'Microsoft Security DevOps'
  inputs:
    command: 'run'
    policy: 'microsoft'
    tools: 'trivy'
  env:
    TRIVY_ACTION: 'image'
    TRIVY_TARGET: 'image'
    TRIVY_AUTH_URL:
    TRIVY_USERNAME:
    TRIVY_PASSWORD:
    TRIVY_IMAGE_SRC:
    TRIVY_REGISTRY_TOKEN:
    TRIVY_INPUT:
    TRIVY_IMAGEPATH:

I've tried just about every mix of environment variables, even switching between uppercase and lowercase, to get remote scanning to work, but the documentation doesn't really help make sense of how to use Trivy's environment variables with this task. It looks like the task actually does support Trivy's own environment variables, which was a surprise since it's not mentioned anywhere in the docs. This makes setting everything up for remote scanning a bit of a guessing game.

The error encountered suggests a failure to recognize the remote image location, indicating an issue with how the task is configured to interact with private container registries. The task fails to initialize a scanner for the remote image, suggesting a possible misconfiguration or lack of support for scanning images located in private ACRs.

General Error Message:

Microsoft.Guardian.TrivyRedist_linux_amd64.0.45.0/tools/trivy image --exit-code 100 --format sarif --input <registryURL>/my-image:tag --output /agent/_work/1/s/.gdn/.r/trivy/001/trivy.sarif <registryURL>/my-image:tag

FATAL image scan error: scan error: unable to initialize a scanner: unable to initialize the archive scanner: 2 errors occurred:
    * unable to open <remote image> as a Docker image: unable to open the file: open <remote image>: no such file or directory
    * unable to open <remote image> as an OCI Image: stat <remote image>/index.json: no such file or directory

Working Behavior for standalone task

- task: Bash@3
  displayName: 'Trivy scan - Generate report'
  inputs:
    targetType: 'inline'
    script: |
      trivy image --skip-db-update --exit-code 0 --severity LOW,MEDIUM,HIGH,CRITICAL registryURL/my-image:tag
  env:
    TRIVY_AUTH_URL: "https://registryURL"
    TRIVY_USERNAME: "00000000-0000-0000-0000-000000000000" # Dummy username for ACR token authentication
    TRIVY_PASSWORD: $(ACR_TOKEN)

I am getting the acr_token with acr login task like this:

az acr login --name ContainerRegistryName --expose-token --output tsv --query accessToken

Question is why this similar setup does not work using the MicrosoftSecurityDevOps@1 task? Could the documentation be updated to include this scenario, or could the task be enhanced to support this use case? Has anybody else gotten this to work, and if so, how?

chrisnielsen-MS commented 7 months ago

I have been doing some testing and found that this scenario does work in the current setup. You can see the environment variable overrides that are supported for Trivy on this wiki page: https://github.com/microsoft/security-devops-azdevops/wiki#trivy-environment-variables

From there, the --input parameter from your initial command line appears to be causing the problem. For my tests, I set only two environment variables to get the desired behavior:

GDN_TRIVY_ACTION = 'image'
GDN_TRIVY_TARGET = 'repoName.azurecr.io/imageName:tagName'

Please give this a try and let us know if it resolves your issue.
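A complete pipeline fragment putting the reply together with the token step from the original post, as an added example (not from the issue, the task documentation, or the project). It assumes placeholder names for the service connection ('my-azure-subscription') and registry ('myregistry'), and that the task passes TRIVY_USERNAME / TRIVY_PASSWORD through to Trivy the same way the standalone Bash step does; the supported overrides are listed on the wiki page linked in the reply.

```yaml
# Added example, not the project's own sample. Placeholders: 'my-azure-subscription'
# (service connection) and 'myregistry' (ACR name). Assumption: TRIVY_USERNAME and
# TRIVY_PASSWORD are forwarded to Trivy by the task; verify against the wiki list.
steps:
  # 1. Obtain a short-lived ACR access token and publish it as a *secret* pipeline
  #    variable so it is masked in logs and never hard-coded in the YAML.
  - task: AzureCLI@2
    displayName: 'Get ACR access token'
    inputs:
      azureSubscription: 'my-azure-subscription'
      scriptType: 'bash'
      scriptLocation: 'inlineScript'
      inlineScript: |
        set -euo pipefail
        token=$(az acr login --name myregistry --expose-token --output tsv --query accessToken)
        echo "##vso[task.setvariable variable=ACR_TOKEN;issecret=true]${token}"

  # 2. Scan the remote image. Only GDN_TRIVY_ACTION and GDN_TRIVY_TARGET are set
  #    for Trivy itself; TRIVY_INPUT is deliberately absent, so the task does not
  #    emit the --input flag that the reply identifies as the cause of the
  #    "archive scanner" failure in the original error output.
  - task: MicrosoftSecurityDevOps@1
    displayName: 'Microsoft Security DevOps - Trivy image scan (private ACR)'
    inputs:
      command: 'run'
      policy: 'microsoft'
      tools: 'trivy'
    env:
      GDN_TRIVY_ACTION: 'image'
      GDN_TRIVY_TARGET: 'myregistry.azurecr.io/my-image:tag'
      TRIVY_AUTH_URL: 'https://myregistry.azurecr.io'
      # ACR accepts this well-known GUID as the username when a token is the password.
      TRIVY_USERNAME: '00000000-0000-0000-0000-000000000000'
      TRIVY_PASSWORD: $(ACR_TOKEN)
```

If the task does not forward TRIVY_USERNAME / TRIVY_PASSWORD, an alternative is to run `az acr login --name myregistry` on an agent with Docker available so the credentials are picked up from the local Docker config instead.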