Implement Free Container Scanning in your Azure DevOps Pipelines 2024

I came across Sam Cogan's excellent article on implementing container scanning in Azure DevOps pipelines. This blog post shows how I implemented Sam's solution and the issues I came across while working on it.

We were looking for a free and quick solution that would give us some basic container scanning, and this was just what we were looking for. It requires the Defender container plan to be turned on; we already had this, so no extra cost was incurred. Fast forward to August 2023 and Azure Security Center has since been renamed Microsoft Defender for Cloud.

The pipeline builds an ASP.NET application, containerises it and pushes the image to an Azure Container Registry. The problem is that the images can contain vulnerabilities which, if they end up in production, could be exploited.

Microsoft Defender uses the Qualys scanner to scan your image when it is pushed to the registry. The results can be obtained using Azure Resource Graph Explorer.

Installing the PowerShell Graph Module

You may need to install the PowerShell Graph Module on your Azure DevOps agent for the script to work correctly.

Authentication issues

The PowerShell script provided by Sam Cogan contains Azure CLI commands, and this presents an authentication issue: the AzurePowerShell task signs in Az PowerShell but not the Azure CLI. The workaround below promotes the service connection's service principal into pipeline variables and passes them to the script explicitly.

  - task: AzureCLI@2
    displayName: 'Azure CLI - Promote Service Principal'
    inputs:
      azureSubscription: ${{parameters.azureSubscription}}
      scriptType: pscore
      scriptLocation: inlineScript
      addSpnToEnvironment: true
      inlineScript: |
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_ID]$env:servicePrincipalId"
        Write-Host "##vso[task.setvariable variable=ARM_CLIENT_SECRET]$env:servicePrincipalKey"
        Write-Host "##vso[task.setvariable variable=ARM_TENANT_ID]$env:tenantId"


  - task: AzurePowerShell@5
    displayName: 'Container Security Scan'
    inputs:
      azureSubscription: ${{parameters.azureSubscription}}
      scriptType: filePath
      scriptPath: '$(System.DefaultWorkingDirectory)/buildscripts/scan.ps1'
      scriptArguments:
        -repositorySearchString ${{parameters.registryName}} `
        -imageTag $(Build.BuildNumber) `
        -registryName ${{parameters.acrName}} `
        -registrysubscription ${{parameters.azureSubscription}} `
        -username "$($env:ARM_CLIENT_ID)" `
        -password "$($env:ARM_CLIENT_SECRET)" `
        -tenantId "$($env:ARM_TENANT_ID)"
      azurePowerShellVersion: latestVersion
      pwsh: true
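To show how the pieces fit together, here is a complete `scan.ps1` that accepts exactly the arguments the task above passes. It is an example written for this post, not Sam Cogan's script or Microsoft's code. It assumes the `Az.ResourceGraph` module is installed on the agent, the Azure CLI is on the PATH, `-registrysubscription` is a subscription ID, and the Resource Graph column names (`properties.additionalData.imageDigest`, `properties.status.severity` and so on) follow the Defender subassessment schema; `Invoke-Az`, `-waitMinutes` and `-removeOnFailure` are helpers and switches of my own.

```powershell
# scan.ps1 - illustrative script written for this post (not Sam Cogan's).
# Assumes Az.ResourceGraph is installed, the Azure CLI is on PATH and
# -registrysubscription is a subscription ID.
param(
    [Parameter(Mandatory)] [string] $repositorySearchString,  # repository name, e.g. myapp
    [Parameter(Mandatory)] [string] $imageTag,                # e.g. $(Build.BuildNumber)
    [Parameter(Mandatory)] [string] $registryName,            # ACR name without .azurecr.io
    [Parameter(Mandatory)] [string] $registrysubscription,    # subscription ID that holds the ACR
    [Parameter(Mandatory)] [string] $username,                # ARM_CLIENT_ID
    [Parameter(Mandatory)] [string] $password,                # ARM_CLIENT_SECRET
    [Parameter(Mandatory)] [string] $tenantId,                # ARM_TENANT_ID
    [int]    $waitMinutes = 10,       # my addition: how long to wait for the Qualys scan
    [switch] $removeOnFailure         # my addition: delete the tag if the gate fails
)
$ErrorActionPreference = 'Stop'
$image = "$($repositorySearchString):$imageTag"

function Invoke-Az {
    # Helper (not a real cmdlet): run the Azure CLI and fail fast on a non-zero exit code,
    # because native command failures do not throw under $ErrorActionPreference.
    param([string[]] $Arguments)
    $out = & az @Arguments
    if ($LASTEXITCODE -ne 0) { throw "az $($Arguments[0]) failed with exit code $LASTEXITCODE" }
    return $out
}

# The AzurePowerShell task only signs in Az PowerShell; the CLI needs its own login.
Invoke-Az @('login', '--service-principal', '--username', $username,
            '--password', $password, '--tenant', $tenantId, '--output', 'none') | Out-Null
Invoke-Az @('account', 'set', '--subscription', $registrysubscription) | Out-Null

# Defender keys findings by digest, not tag, so resolve the digest of the tag we just pushed.
$digest = (Invoke-Az @('acr', 'repository', 'show', '--name', $registryName,
                       '--image', $image, '--query', 'digest', '--output', 'tsv') | Out-String).Trim()
if ($digest -notmatch '^sha256:[0-9a-f]{64}$') {
    # Also guarantees the value is safe to splice into the KQL below.
    throw "Unexpected digest '$digest' for $image"
}

# Unhealthy Qualys subassessments for this digest, one row per finding (assumed schema).
$query = @"
securityresources
| where type == "microsoft.security/assessments/subassessments"
| where tostring(properties.additionalData.assessedResourceType) == "ContainerRegistryVulnerability"
| where tostring(properties.additionalData.imageDigest) == "$digest"
| where tostring(properties.status.code) == "Unhealthy"
| project findingId = tostring(properties.id),
          title = tostring(properties.displayName),
          severity = tostring(properties.status.severity),
          repository = tostring(properties.additionalData.repositoryName)
"@

# The scan runs asynchronously after the push; poll until rows appear or we time out.
$deadline = (Get-Date).AddMinutes($waitMinutes)
do {
    $findings = @(Search-AzGraph -Query $query -Subscription $registrysubscription -First 1000)
    if ($findings.Count -gt 0) { break }
    Write-Host "No scan results for $digest yet, waiting 60s..."
    Start-Sleep -Seconds 60
} while ((Get-Date) -lt $deadline)

# Surface every finding in the pipeline log via the task logging commands.
foreach ($f in $findings) {
    Write-Host "##vso[task.logissue type=warning]$($f.severity) $($f.findingId): $($f.title)"
}
$blocking = @($findings | Where-Object { $_.severity -in @('High', 'Critical') })
Write-Host "$($findings.Count) finding(s), $($blocking.Count) high/critical, for $image ($digest)"

if ($blocking.Count -gt 0) {
    if ($removeOnFailure) {
        Invoke-Az @('acr', 'repository', 'delete', '--name', $registryName,
                    '--image', $image, '--yes', '--output', 'none') | Out-Null
        Write-Host "Removed $image from $registryName"
    }
    Write-Host "##vso[task.logissue type=error]$image failed the vulnerability gate"
    Write-Host "##vso[task.complete result=Failed;]$($blocking.Count) high/critical vulnerabilities"
    exit 1
}
```

Two things to keep in mind when adopting this. An image with no findings is indistinguishable from one the scanner has not reached yet, so a clean image makes the loop run to the full `-waitMinutes` before passing. And the promotion task above writes `ARM_CLIENT_SECRET` with a plain `task.setvariable`, which leaves the client secret unmasked in pipeline variables and logs; marking it `issecret=true` masks it, but secret variables are then no longer mapped to environment variables automatically and must be handed to the scan task through an `env:` mapping.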

Printing PowerShell script output to the DevOps pipeline output

coming soon!

Summary

All in all, this is a nifty script that will get a basic container scanning solution into your Azure DevOps pipeline. It will tell you whether or not your image contains vulnerabilities and, depending on how you set it up, remove that image if you wish. It is low cost, easy to set up and can be modified further to suit your specific needs.