Perform Security Scan for SpringBoot Microservice Docker image using Trivy Scanner and Azure YAML Pipeline | How to Scan Spring Boot Docker Image in Azure DevOps using Trivy Scanner

Perform vulnerability scan using Trivy scanner on Azure DevOps Pipeline

What is Trivy?

Trivy is an open-source security scanner tool developed by Aqua Security. It can scan:

• container images 
• file systems/folders 
• Git repositories
• Kubernetes clusters
• misconfiguration in files such as Terraform, K8S manifest files

Pre-requisites:

• Repo created in ACR, Click here to know how to do that.
• Springboot app Source code along with Dockerfile created along with the application source code
• Already created Azure DevOps dashboard in 

  https://dev.azure.com/

ADO Yaml Pipeline for scanning docker image using Trivy scanner in Azure Hosted Build Agent:

# Perform Trivy scan for Docker image and upload docker image into ACR

trigger:

- master

resources:

- repo: self

variables:

# Container registry service connection established during pipeline creation

dockerRegistryServiceConnection: '723477ce-4e05-4e6e-a3c1-13bdf919a5cd'

imageRepository: 'dockerspringbootapp'

containerRegistry: 'myacrrepo131.azurecr.io'

dockerfilePath: '$(Build.SourcesDirectory)/Dockerfile'

tag: '$(Build.BuildId)'

# Agent VM image name

vmImageName: 'ubuntu-latest'

stages:

- stage: Build

displayName: Build and push stage

jobs:

- job: Build

displayName: Build

pool:

vmImage: $(vmImageName)

steps:

- task: Maven@4

inputs:

mavenPomFile: 'pom.xml'

publishJUnitResults: true

testResultsFiles: '**/surefire-reports/TEST-*.xml'

javaHomeOption: 'JDKVersion'

mavenVersionOption: 'Default'

mavenAuthenticateFeed: false

effectivePomSkip: false

sonarQubeRunAnalysis: false

- task: Docker@2

displayName: Build a Docker image

inputs:

command: build

repository: $(imageRepository)

dockerfile: $(dockerfilePath)

containerRegistry: $(dockerRegistryServiceConnection)

tags: |

$(tag)

- task: Bash@3

displayName: "Install Trivy"

inputs:

targetType: inline

script: |

curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh

# Run Trivy Scan

- task: Bash@3

displayName: "Run Trivy Scan"

inputs:

targetType: inline

script: |

./bin/trivy image --severity HIGH,CRITICAL,MEDIUM --ignore-unfixed $(containerRegistry)/$(imageRepository):$(tag)

- task: Docker@2

displayName: push the image to container registry

inputs:

command: Push

repository: $(imageRepository)

dockerfile: $(dockerfilePath)

containerRegistry: $(dockerRegistryServiceConnection)

tags: |

$(tag)

Scan report can be viewed in Build output of Azure Pipelines

Watch Steps in YouTube channel: