Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Jun2022 [Slides]: ACR Image Scanning with Trivy and DevOps by Arindam Mitra

Jun2022 [Slides]: ACR Image Scanning with Trivy and DevOps by Arindam Mitra

Check out the full write-up on Arindams blog: https://dev.to/arindam0310018/devops-acr-trivy-1o05

These are the slides from this meetup: https://www.meetup.com/de-DE/microsoft-azure-zurich-user-group/events/286652334/

In this session, Arindam demonstrates how to scan docker Images in Azure Container Registry with Aquasec Trivy using Azure DevOps Pipelines.
The low, medium, high and critical CVEs (Common Vulnerabilities and Exposures) scan report are stored in a storage account with datetime stamps. If for some reasons, the application team accepts the risk and wants to skip the low and medium vulnerabilities from the scan report, all we have to do is list the respective CVEs in the .trivyignore file and run the pipeline again to scan. The listed CVEs will no longer be in the scan report.

About Arindam:
Arindam is an Azure Cloud & DevOps Architect, Blogger and Speaker. He likes to call himself an infrastructure geek who is passionate about technology. He travelled across the world working in different roles and currently lives in Switzerland where he is engaged as an Infrastructure and Cloud DevOps Specialist.

Links:
Blog: https://dev.to/arindam0310018
Linkedin: https://www.linkedin.com/in/arindam-mitra-28981095/
Sessionize: https://sessionize.com/arindam0310018/
Twitter: https://twitter.com/arindam0310018
Github: https://github.com/arindam0310018

Tweet

More Decks by Azure Zurich User Group

Other Decks in Technology

Transcript

  1. HELLO! I am Arindam Mitra Today, I will be talking

    on ACR and How to Scan Images in ACR using Trivy and DevOps. You can look me at: : https://www.linkedin.com/in/arindam-mitra-28981095/ : https://github.com/arindam0310018 : https://dev.to/arindam0310018/-my-contributions--3bgp : https://sessionize.com/arindam0310018 2
  2. AGENDA 3 ARCHITECTURE CONCEPTS QUESTIONS USE CASES AND AUTOMATION LIVE

    DEMO BEST PRACTISES Any Questions Please ? Live Demo: Experience in Real Time ? Use Cases and Automation around Azure Container Registry (ACR) ? Best Practises: Azure Container Registry (ACR) ? Network Architecture of Azure Container Registry (ACR) ? Concepts and Components of Azure Container Registry (ACR) ?
  3. ➢ Is Azure Container Registry a Private Container ? ➢

    What does Azure Container Registry Support ? ➢ Tiers and Differences ➢ Automatic Image Build ➢ Security ➢ Costs CONCEPTS 4
  4. ➢ Public or Private Endpoint ? ➢ Public Endpoint with

    IP Whitelisting ? ➢ Private Endpoint ? ➢ Hub or Spoke – Where will the ACR reside ? ➢ Design by Shared Subscriptions ? ➢ Design by Dedicated Subscriptions and Environments ? ➢ Peering “Must Know” Concepts ? ➢ One ACR Across all Environments ? ARCHITECTURE 5
  5. ➢ One ACR with Private Endpoint in Hub ➢ All

    Spokes will be Peered to HUB (Which is Obvious) ➢ Per Application, there will be Service Principal to build and Push Images to ACR. ➢ Service Principal will have ACRPULL and ACRPUSH Role Based Access Control (RBAC) on the Resource Group Containing Hub ACR or Hub ACR itself. ARCH DESIGN: HUB & SPOKE 6
  6. ➢ Shared Subscription = Multiple Application Segregated using Resource Group.

    ➢ One ACR with Private Endpoint in Shared Subscription. ➢ All Applications in the Shared Subscription will consume the same ACR. ➢ Per Application, there will be Service Principal to build and Push Images to ACR. ➢ Service Principal will have ACRPULL and ACRPUSH Role Based Access Control (RBAC) on the Resource Group Containing ACR or On the Resource (ACR) itself. ARCH DESIGN: SHARED SUBS 7
  7. ➢ Dedicated Subscription = One Application Per Environment and Per

    Subscription ➢ One ACR with Private Endpoint in Per Application and Environment Dedicated Subscription. ➢ For Example: Application having a Dedicated “Non-Prod” and “Prod” Subscription. So there will be 2 ACRs. ➢ Non-Prod Subscription can further have “Dev”, “QA”, “UAT/PRE-PROD” Environment categorized in Resource Groups. ➢ Per Environment, there will be Service Principal to build and Push Images ➢ Service Principal will have ACRPULL and ACRPUSH Role Based Access Control (RBAC) on the Resource Group Containing ACR or On the Resource (ACR) itself. ARCH DESIGN: DEDICATED SUBS 8
  8. ➢ One ACR with Private Endpoint in Per Application Dedicated

    Subscription (Prod) but Shared Virtual Network (VNet). ➢ Consider Application having a Dedicated “Non-Prod” and “Prod” Subscription. ➢ Non-Prod Subscription can further have “Dev”, “QA”, “UAT/PRE-PROD” Environment categorized in Resource Groups. ➢ Shared VNet will then be Peered with DEV, QA, UAT/PRE- PROD, and PROD VNet. ➢ Per Environment, there will be Service Principal to build and Push Images ➢ Service Principal will have ACRPULL and ACRPUSH Role Based Access Control (RBAC) on the Resource Group Containing ACR or On the Resource (ACR) itself. ARCH DESIGN: ALL IN ONE ACR 9
  9. ➢ Image Tagging ➢ Image Scanning ➢ Approval as who

    can push the Image with Event Notification. ➢ Retention of Images BEST PRACTISES 10
  10. ➢ Use Case(s): Hosts images to “Build Infrastructure at Scale“:-

    ➢ Web App for Containers ➢ ACI Instance - Container Groups and Containers ➢ AKS - HPA and KEDA ➢ Azure Container Apps ➢ Automations:- ➢ Powershell ➢ Terraform ➢ Biceps USE CASES AND AUTOMATIONS 11
  11. ➢ Scan Image Vulnerabilities in ACR Using TRIVY and AZURE

    DEVOPS ➢ Blog Link: https://dev.to/arindam0310018/devops- acr-trivy-1o05 ➢ Github: https://github.com/arindam0310018/ACR- Trivy LIVE DEMO DETAILS 12
  12. CREDITS Special THANK YOU to MANUEL MEYER and THOMAS HAFERMALZ

    for the providing the opportunity to speak @ AZURE ZURICH USER GROUP In Person Session. 15