Build/scan/push pipelines for container images in STO
You generally want to scan any container images you build and then push them to your production registry only if the scan did not detect any serious vulnerabilities.
The following workflows provide some examples of how you can set up pipelines to automate security checks for your images.
Build/scan/push with Docker-in-Docker
This workflow is useful if you can use Docker-in-Docker and don't have a CI license. For a hands-on example of how to implement this, go to (STO license) Create a build-scan-push pipeline.
- Add a Docker-in-Docker background step to your pipeline.
- Add a Run step to build a local copy of the container image.
- Add a Security Tests step to scan the snapshot image and ingest the results.
  If the scan results meet or exceed the Fail on Severity threshold, the pipeline fails.
- Add a Run step that pushes the local image to your production container registry.
Example build/scan/push pipeline using Docker-in-Docker
Build/scan/push with CI and Docker-in-Docker
This workflow is useful if you can use Docker-in-Docker and have a CI license. For a hands-on example of how to implement this, go to Create a build-scan-push pipeline (STO and CI).
- Add a Docker-in-Docker background step to your pipeline.
- Add a CI Build and Push step to build and push your image with a snapshot tag such as `image:snapshot-donotuse-<+pipeline.executionId>`.
- Add a Security Tests step to scan the snapshot image.
  If the scan results meet or exceed the Fail on Severity threshold, the pipeline fails.
- Add a second CI Build and Push step to build and push your image with a release tag such as `image:<+pipeline.executionId>`.
Example build/scan/push pipeline using CI and Docker-in-Docker
Build/scan/push with Kaniko
This workflow is useful if you don't have a CI license and want to use Kaniko (which doesn't require Privileged mode) instead of a Docker-in-Docker background step.
- In the Security stage overview, under Shared Paths, add a path on the stage volume where you can share the image TAR across steps.
- Use a Run step to build a local copy of the container image. The step should also save the TAR of the image to the shared path on the stage volume.
- Use a Run step to run a manual scan of the local image.
- Add a Security Tests step to ingest your scan data.
  If the scan results meet or exceed the Fail on Severity threshold, the pipeline fails.
- Set up a Run step that uses kaniko to push the TAR file of the image to your production image registry.
Build/scan/push with CI and skopeo
This workflow is useful if you have a CI license and want to use skopeo (which doesn't require Privileged mode) instead of a Docker-in-Docker background step.
- In the Security stage overview, under Shared Paths, add a path on the stage volume where you can share the image TAR across steps.
- Use a CI Build and Push step to build and push your image with a snapshot tag such as `image:snapshot-<+pipeline.executionId>`.
- Use a Run step that uses skopeo to pull the image TAR to your shared path.
- Use a Run step to scan the local image TAR.
- Add a Security Tests step to ingest your scan data.
  If the scan results meet or exceed the Fail on Severity threshold, the pipeline fails.
- Add a Run step that uses skopeo to push the image TAR (with an official tag) from the shared path to the container image registry.
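As an added example (not Harness's own code), the shell below shows what the skopeo pull, the severity gate and the skopeo push of this workflow look like when written out as Run-step commands; the same gate applies to the Docker-in-Docker and Kaniko variants above. The findings format (one `SEVERITY<TAB>id` line per finding), the `/shared/image.tar` path and the `registry.example.com` references are constructed assumptions, and `SKOPEO` is a hypothetical override for dry runs.

```shell
# Added example, not from the Harness docs: a POSIX shell gate between the
# scan step and the skopeo push step, so the release copy only happens when no
# finding meets the "Fail on Severity" threshold. The findings format
# ("SEVERITY<TAB>id" per line) is constructed; real scanners emit their own.

# Map a severity name to a rank so thresholds can be compared numerically.
severity_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;   # unknown / informational never blocks
  esac
}

# gate_passes FINDINGS_FILE THRESHOLD
# Returns 0 when no finding is at or above THRESHOLD; otherwise prints the
# first blocking finding on stderr and returns 1 (mirrors "meet or exceed").
gate_passes() {
  findings="$1"
  threshold=$(severity_rank "$2")
  while IFS= read -r line; do
    [ -z "$line" ] && continue
    sev=${line%%[[:space:]]*}
    if [ "$(severity_rank "$sev")" -ge "$threshold" ]; then
      echo "gate: blocked by $line" >&2
      return 1
    fi
  done < "$findings"
  return 0
}

# fetch_snapshot SNAPSHOT_REF TAR_PATH
# Pulls the snapshot image into a docker-archive TAR on the shared stage path.
fetch_snapshot() {
  ${SKOPEO:-skopeo} copy "docker://$1" "docker-archive:$2"
}

# promote_image FINDINGS_FILE THRESHOLD TAR_PATH RELEASE_REF
# Pushes the scanned TAR under its release tag only if the gate passes.
# Set SKOPEO=echo (hypothetical override) for a dry run.
promote_image() {
  gate_passes "$1" "$2" || { echo "gate: not promoting $3" >&2; return 1; }
  ${SKOPEO:-skopeo} copy "docker-archive:$3" "docker://$4"
}
```

In a pipeline, `fetch_snapshot` runs in the pull step, the scanner writes the findings file, and `promote_image` runs in the final push step with the stage's Fail on Severity value as the threshold.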