Promote Image If No Vulnerabilities Found

This tutorial explains how to scan an existing Docker image in a registry and promote it to a different repository only if no vulnerabilities are found.

We demonstrate the setup with an example project. The ci job of the project builds a multi-arch Docker image and pushes it to the ci repository of the current project. The release job pulls the image, scans it, and pushes it to a different repository:

  1. The checkout step clones the code in order to get the build version being used
  2. The pull step pulls the ci Docker image from the registry and saves it to an OCI layout directory
  3. The cache step caches the downloaded vulnerability database of the trivy scanner to speed up scanning
  4. The scan step scans the OCI layout directory generated above. It also ignores, via an ignore file, certain vulnerabilities that do not affect the current project
  5. The push step pushes the OCI layout directory to the release repository of the current project if the previous step succeeds
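The five steps above written out as one POSIX shell script. This is an added example, not the tutorial's own job definition: it assumes skopeo for the pull and push steps and trivy for the scan, and the registry, repository names, OCI directory and ignore file path are placeholders.

```shell
#!/usr/bin/env sh
# Added example (not from the original tutorial): the release job as a shell script.
# Assumed tools: skopeo (pull/push to an OCI layout directory) and trivy (scan).
# Registry, repository names, OCI directory and ignore file path are placeholders.
set -eu

REGISTRY="${REGISTRY:-registry.example.com}"        # placeholder registry
CI_REPO="${CI_REPO:-myproject/ci}"                  # placeholder ci repository
RELEASE_REPO="${RELEASE_REPO:-myproject/release}"   # placeholder release repository
OCI_DIR="${OCI_DIR:-./image-oci}"                   # OCI layout directory
TRIVY_CACHE="${TRIVY_CACHE:-./.trivy-cache}"        # cached vulnerability database
IGNORE_FILE="${IGNORE_FILE:-.trivyignore}"          # findings accepted for this project

# Step 1: the version comes from the checked-out source tree (here: git describe).
build_version() {
  git describe --tags --always 2>/dev/null || echo "dev"
}

# Step 2: pull the multi-arch image (all platforms) into an OCI layout directory.
pull_image() {
  version="$1"
  rm -rf "$OCI_DIR"
  skopeo copy --all "docker://$REGISTRY/$CI_REPO:$version" "oci:$OCI_DIR:$version"
}

# Steps 3 and 4: scan the OCI layout directory with a persistent DB cache.
# Only HIGH and CRITICAL findings fail the job (exit code 1); findings listed
# in the ignore file are skipped.
scan_image() {
  trivy image \
    --cache-dir "$TRIVY_CACHE" \
    --severity HIGH,CRITICAL \
    --ignorefile "$IGNORE_FILE" \
    --exit-code 1 \
    --input "$OCI_DIR"
}

# Step 5: push the very directory that was scanned, not a freshly pulled tag.
push_image() {
  version="$1"
  skopeo copy --all "oci:$OCI_DIR:$version" "docker://$REGISTRY/$RELEASE_REPO:$version"
}

# Runs the whole job; returns non-zero, without pushing, when the scan fails.
promote_if_clean() {
  version="$1"
  pull_image "$version" || return 1
  if ! scan_image; then
    echo "scan failed: not promoting $CI_REPO:$version" >&2
    return 1
  fi
  push_image "$version"
}

# The job only runs when invoked as: ./promote.sh run
if [ "${1:-}" = "run" ]; then
  promote_if_clean "$(build_version)"
fi
```

Pushing the same OCI layout directory that was scanned, rather than re-pulling the tag from the ci repository, is what ties the promotion to the scan result; a tag overwritten in the ci repository between the scan and the push would otherwise be promoted unscanned. The ignore file lists only the findings accepted for this project; any other HIGH or CRITICAL finding makes trivy exit 1 and the push step never runs.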

After running the release job, the Docker image in the ci repository is promoted to the release repository, as no high-severity vulnerabilities were found apart from those ignored: