Check out the full write-up on Arindam's blog: https://dev.to/arindam0310018/devops-acr-trivy-1o05
These are the slides from this meetup: https://www.meetup.com/de-DE/microsoft-azure-zurich-user-group/events/286652334/
In this session, Arindam demonstrates how to scan Docker images in Azure Container Registry with Aquasec Trivy using Azure DevOps Pipelines.
The scan reports for low, medium, high and critical CVEs (Common Vulnerabilities and Exposures) are stored in a storage account with datetime stamps. If, for some reason, the application team accepts the risk and wants to exclude the low and medium vulnerabilities from the scan report, all we have to do is list the respective CVEs in the .trivyignore file and run the pipeline again to scan. The listed CVEs will no longer be in the scan report.
About Arindam:
Arindam is an Azure Cloud & DevOps Architect, Blogger and Speaker. He likes to call himself an infrastructure geek who is passionate about technology. He travelled across the world working in different roles and currently lives in Switzerland where he is engaged as an Infrastructure and Cloud DevOps Specialist.
Links:
Blog: https://dev.to/arindam0310018
LinkedIn: https://www.linkedin.com/in/arindam-mitra-28981095/
Sessionize: https://sessionize.com/arindam0310018/
Twitter: https://twitter.com/arindam0310018
GitHub: https://github.com/arindam0310018