
Jun2022 [Slides]: ACR Image Scanning with Trivy and DevOps by Arindam Mitra

Check out the full write-up on Arindam's blog: https://dev.to/arindam0310018/devops-acr-trivy-1o05

These are the slides from this meetup: https://www.meetup.com/de-DE/microsoft-azure-zurich-user-group/events/286652334/

In this session, Arindam demonstrates how to scan Docker images in Azure Container Registry with Aqua Security's Trivy using Azure DevOps Pipelines.
The scan reports covering low, medium, high and critical CVEs (Common Vulnerabilities and Exposures) are stored in a storage account with datetime stamps. If, for some reason, the application team accepts the risk and wants to leave particular low and medium vulnerabilities out of the scan report, all that is needed is to list the respective CVE IDs in the .trivyignore file and run the pipeline again. The listed CVEs will no longer appear in the scan report.
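The flow described above, written out as an added example (this is not code from the talk or from the ACR-Trivy repository). It is meant to run as the inline script of an Azure DevOps AzureCLI@2 task and assumes the pipeline variables ACR_NAME, IMAGE_REPO, IMAGE_TAG, STORAGE_ACCOUNT and STORAGE_CONTAINER, a .trivyignore file in the repository root, and a service connection allowed to pull from ACR and write blobs:

```shell
#!/usr/bin/env bash
# Added example, not the speaker's own pipeline code. Assumed pipeline variables:
#   ACR_NAME, IMAGE_REPO, IMAGE_TAG, STORAGE_ACCOUNT, STORAGE_CONTAINER
set -eu

# Blob name for a report: <repo>/<tag>/trivy-<UTC timestamp>.json, so reports never
# overwrite each other and sort chronologically inside the container.
report_blob_name() {
  printf '%s/%s/trivy-%s.json' "$1" "$2" "$3"
}

# .trivyignore holds one CVE id per line ('#' comments allowed). Trivy silently skips a
# misspelled id, so the finding would stay in the report; fail the pipeline early instead.
validate_ignorefile() {
  file="$1"; ok=0
  [ -f "$file" ] || return 0            # no ignore file: nothing is suppressed
  while IFS= read -r line || [ -n "$line" ]; do
    entry="$(printf '%s' "$line" | sed 's/#.*//; s/[[:space:]]//g')"
    [ -z "$entry" ] && continue
    if ! printf '%s\n' "$entry" | grep -Eq '^CVE-[0-9]{4}-[0-9]{4,}$'; then
      echo "invalid .trivyignore entry: $entry" >&2; ok=1
    fi
  done < "$file"
  return "$ok"
}

scan_and_upload() {
  image="${ACR_NAME}.azurecr.io/${IMAGE_REPO}:${IMAGE_TAG}"
  stamp="$(date -u +%Y%m%dT%H%M%SZ)"
  report="$(mktemp)"
  blob="$(report_blob_name "$IMAGE_REPO" "$IMAGE_TAG" "$stamp")"
  az acr login --name "$ACR_NAME"     # Trivy reuses the docker credentials this writes
  # Full report: every severity, with accepted-risk CVEs removed via .trivyignore.
  trivy image --severity LOW,MEDIUM,HIGH,CRITICAL --ignorefile .trivyignore \
    --format json --output "$report" "$image"
  # --auth-mode login assumes the pipeline identity holds Storage Blob Data Contributor.
  az storage blob upload --auth-mode login --account-name "$STORAGE_ACCOUNT" \
    --container-name "$STORAGE_CONTAINER" --name "$blob" --file "$report"
  # Gate: fail only when unaccepted HIGH/CRITICAL findings remain (scan results are cached).
  trivy image --severity HIGH,CRITICAL --ignorefile .trivyignore --exit-code 1 "$image"
}

case "${1:-}" in
  run) validate_ignorefile .trivyignore; scan_and_upload ;;
esac
```

Invoke it as `bash scan.sh run` from the pipeline task; without the `run` argument only the functions are defined.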

About Arindam:
Arindam is an Azure Cloud & DevOps Architect, Blogger and Speaker. He likes to call himself an infrastructure geek who is passionate about technology. He travelled across the world working in different roles and currently lives in Switzerland where he is engaged as an Infrastructure and Cloud DevOps Specialist.

Links:
Blog: https://dev.to/arindam0310018
Linkedin: https://www.linkedin.com/in/arindam-mitra-28981095/
Sessionize: https://sessionize.com/arindam0310018/
Twitter: https://twitter.com/arindam0310018
Github: https://github.com/arindam0310018


Transcript

  1. HELLO! I am Arindam Mitra. Today, I will be talking on ACR and how to scan images in ACR using Trivy and DevOps. You can look me up at:
     https://www.linkedin.com/in/arindam-mitra-28981095/
     https://github.com/arindam0310018
     https://dev.to/arindam0310018/-my-contributions--3bgp
     https://sessionize.com/arindam0310018
  2. AGENDA
     ➢ Concepts and Components of Azure Container Registry (ACR)
     ➢ Network Architecture of Azure Container Registry (ACR)
     ➢ Best Practises: Azure Container Registry (ACR)
     ➢ Use Cases and Automation around Azure Container Registry (ACR)
     ➢ Live Demo: Experience in Real Time
     ➢ Any Questions Please?
  3. CONCEPTS
     ➢ Is Azure Container Registry a Private Container?
     ➢ What does Azure Container Registry Support?
     ➢ Tiers and Differences
     ➢ Automatic Image Build
     ➢ Security
     ➢ Costs
  4. ARCHITECTURE
     ➢ Public or Private Endpoint?
     ➢ Public Endpoint with IP Whitelisting?
     ➢ Private Endpoint?
     ➢ Hub or Spoke – Where will the ACR reside?
     ➢ Design by Shared Subscriptions?
     ➢ Design by Dedicated Subscriptions and Environments?
     ➢ Peering “Must Know” Concepts?
     ➢ One ACR Across all Environments?
  5. ARCH DESIGN: HUB & SPOKE
     ➢ One ACR with Private Endpoint in Hub.
     ➢ All Spokes will be peered to the Hub (which is obvious).
     ➢ Per Application, there will be a Service Principal to build and push Images to ACR.
     ➢ The Service Principal will have the AcrPull and AcrPush Role Based Access Control (RBAC) roles on the Resource Group containing the Hub ACR or on the Hub ACR itself.
  6. ARCH DESIGN: SHARED SUBS
     ➢ Shared Subscription = Multiple Applications segregated using Resource Groups.
     ➢ One ACR with Private Endpoint in the Shared Subscription.
     ➢ All Applications in the Shared Subscription will consume the same ACR.
     ➢ Per Application, there will be a Service Principal to build and push Images to ACR.
     ➢ The Service Principal will have the AcrPull and AcrPush Role Based Access Control (RBAC) roles on the Resource Group containing the ACR or on the Resource (ACR) itself.
  7. ARCH DESIGN: DEDICATED SUBS
     ➢ Dedicated Subscription = One Application per Environment and per Subscription.
     ➢ One ACR with Private Endpoint in each per-Application and per-Environment Dedicated Subscription.
     ➢ For Example: an Application having a Dedicated “Non-Prod” and “Prod” Subscription. So there will be 2 ACRs.
     ➢ The Non-Prod Subscription can further have “Dev”, “QA” and “UAT/PRE-PROD” Environments categorized in Resource Groups.
     ➢ Per Environment, there will be a Service Principal to build and push Images.
     ➢ The Service Principal will have the AcrPull and AcrPush Role Based Access Control (RBAC) roles on the Resource Group containing the ACR or on the Resource (ACR) itself.
  8. ARCH DESIGN: ALL IN ONE ACR
     ➢ One ACR with Private Endpoint in the per-Application Dedicated Subscription (Prod) but on a Shared Virtual Network (VNet).
     ➢ Consider an Application having a Dedicated “Non-Prod” and “Prod” Subscription.
     ➢ The Non-Prod Subscription can further have “Dev”, “QA” and “UAT/PRE-PROD” Environments categorized in Resource Groups.
     ➢ The Shared VNet will then be peered with the DEV, QA, UAT/PRE-PROD and PROD VNets.
     ➢ Per Environment, there will be a Service Principal to build and push Images.
     ➢ The Service Principal will have the AcrPull and AcrPush Role Based Access Control (RBAC) roles on the Resource Group containing the ACR or on the Resource (ACR) itself.
  9. BEST PRACTISES
     ➢ Image Tagging
     ➢ Image Scanning
     ➢ Approval as to who can push the Image, with Event Notification
     ➢ Retention of Images
  10. USE CASES AND AUTOMATIONS
     ➢ Use Case(s): Hosts images to “Build Infrastructure at Scale”:
       ➢ Web App for Containers
       ➢ ACI Instance - Container Groups and Containers
       ➢ AKS - HPA and KEDA
       ➢ Azure Container Apps
     ➢ Automations:
       ➢ PowerShell
       ➢ Terraform
       ➢ Bicep
  11. LIVE DEMO DETAILS
     ➢ Scan Image Vulnerabilities in ACR Using TRIVY and AZURE DEVOPS
     ➢ Blog Link: https://dev.to/arindam0310018/devops-acr-trivy-1o05
     ➢ Github: https://github.com/arindam0310018/ACR-Trivy
  12. CREDITS
     Special THANK YOU to MANUEL MEYER and THOMAS HAFERMALZ for providing the opportunity to speak @ AZURE ZURICH USER GROUP In Person Session.