
Scan Image Vulnerability Before Push

This tutorial explains how to build and scan a multi-arch Docker image. The built image is pushed to the registry only if no HIGH severity vulnerabilities are found.

We demonstrate the setup with an example project. Check the build spec of its main branch:

  1. The build step builds the Docker image of our example project and writes the output to an OCI layout directory. The property Platforms in More Settings is set to linux/amd64,linux/arm64 to build a multi-arch image.
  2. The cache step caches the downloaded vulnerability database of the trivy scanner to speed up scanning.
  3. The scan step uses trivy to scan the generated OCI layout directory for vulnerabilities. The property Fail Threshold is set to HIGH to fail the build if high severity vulnerabilities are found. The property Platforms in More Settings is left empty, meaning all platforms in the OCI layout are scanned.
  4. The push step pushes the generated OCI layout directory to the registry if the previous step succeeds.

Run the job, and the resulting build fails and the image is not pushed, because high severity vulnerabilities were detected:

Now assume that these high severity vulnerabilities do not actually affect our image. Let's ignore them via a trivy ignore file in our fix branch. The scan step in the build spec of the fix branch is also configured to use this ignore file in More Settings. Run the job from the fix branch, and the resulting build now succeeds with our image being published:
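The same build, cache, scan and push sequence expressed as a stand-alone script, so the gate logic is visible outside the build spec UI. This is an added example, not the example project's build spec or OneDev's step implementations. It drives the real CLIs (docker buildx with the oci exporter, trivy image --input, skopeo copy --all), but the registry path, platform list, cache directory and the .trivyignore file name are assumptions, and scanning an OCI layout per platform with trivy's --platform flag is likewise assumed to behave as it does for remote images. Trivy honours --ignorefile itself; the script re-applies the ignore list and the severity threshold on the JSON report so that the decision "HIGH or above and not ignored means no push" is explicit and testable offline against a constructed report.

```python
"""Build a multi-arch image into an OCI layout, scan each platform with trivy,
and push only if no finding at or above the fail threshold survives the ignore
list. Added example, not the tutorial project's build spec."""
import json
import subprocess
import sys
from pathlib import Path

# Trivy's severity scale, lowest to highest; unknown strings rank lowest.
SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}

# Assumed project values; substitute your own.
PLATFORMS = ["linux/amd64", "linux/arm64"]
LAYOUT_DIR = Path("oci-layout")                      # output of the build step
CACHE_DIR = Path(".trivy-cache")                     # cached vulnerability DB (cache step)
IGNORE_FILE = Path(".trivyignore")                   # trivy's default ignore file name
FAIL_THRESHOLD = "HIGH"                              # the Fail Threshold property
TARGET = "registry.example.com/example/app:latest"   # placeholder registry path


def parse_ignore_text(text):
    """Parse .trivyignore content: one vulnerability ID per line, '#' starts a comment."""
    ids = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            ids.add(line)
    return ids


def read_ignore_file(path):
    return parse_ignore_text(path.read_text()) if path.exists() else set()


def blocking_findings(report, threshold, ignored=frozenset()):
    """Return (vulnerability_id, severity, target) for every finding in a trivy JSON
    report whose severity is at or above `threshold` and whose ID is not ignored."""
    min_rank = SEVERITY_RANK[threshold]
    hits = []
    for result in report.get("Results") or []:
        for vuln in result.get("Vulnerabilities") or []:   # trivy emits null when empty
            sev = vuln.get("Severity", "UNKNOWN")
            vid = vuln.get("VulnerabilityID", "")
            if SEVERITY_RANK.get(sev, 0) >= min_rank and vid not in ignored:
                hits.append((vid, sev, result.get("Target", "")))
    return hits


def build(context="."):
    # tar=false makes the oci exporter write a layout directory instead of a tarball.
    subprocess.run(["docker", "buildx", "build", "--platform", ",".join(PLATFORMS),
                    "--output", f"type=oci,tar=false,dest={LAYOUT_DIR}", context], check=True)


def scan(platform):
    out = Path(f"trivy-{platform.replace('/', '-')}.json")
    subprocess.run(["trivy", "image", "--cache-dir", str(CACHE_DIR),
                    "--input", str(LAYOUT_DIR), "--platform", platform,
                    "--ignorefile", str(IGNORE_FILE),
                    "--format", "json", "--output", str(out)], check=True)
    return json.loads(out.read_text())


def push():
    # --all copies every manifest in the index, keeping the image multi-arch.
    subprocess.run(["skopeo", "copy", "--all", f"oci:{LAYOUT_DIR}", f"docker://{TARGET}"],
                   check=True)


# Constructed sample report in trivy's JSON shape, with made-up IDs, for offline checks.
SAMPLE_REPORT = {"Results": [
    {"Target": "app (alpine 3.18)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "Severity": "HIGH", "PkgName": "libfoo"},
        {"VulnerabilityID": "CVE-0000-0002", "Severity": "MEDIUM", "PkgName": "libbar"},
        {"VulnerabilityID": "CVE-0000-0003", "Severity": "CRITICAL", "PkgName": "libbaz"}]},
    {"Target": "usr/local/bin/app", "Vulnerabilities": None}]}


def main():
    build()
    ignored = read_ignore_file(IGNORE_FILE)
    blocking = []
    for platform in PLATFORMS:
        blocking += blocking_findings(scan(platform), FAIL_THRESHOLD, ignored)
    for vid, sev, target in blocking:
        print(f"{sev:8} {vid} in {target}", file=sys.stderr)
    if blocking:
        print(f"{len(blocking)} finding(s) at or above {FAIL_THRESHOLD}; not pushing",
              file=sys.stderr)
        sys.exit(1)
    push()


if __name__ == "__main__":
    main()
```

With an empty ignore file the sample report yields two blocking findings (the HIGH and the CRITICAL one), so the script exits 1 before the push; adding the IDs that were reviewed and judged not to affect the image to .trivyignore, as the fix branch does, lets the push run.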