Ajeet Singh Raina for Docker

How to Integrate Docker Scout with GitHub Actions

Docker Scout is a collection of software supply chain features that provide insights into the composition and security of container images. It analyzes image contents and generates a detailed report of packages and vulnerabilities it detects, providing suggestions for remediation.

How does it work?


Docker Scout provides detailed insights into the composition and security of container images. It uses SBOMs to cross-reference with streaming CVE data to surface vulnerabilities (and potential remediation) as soon as possible. An SBOM, or software bill of materials, is a nested inventory, a list of ingredients that make up software components.
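To make the SBOM cross-referencing idea concrete, here is a small Python sketch. It is an added example, not Docker Scout's own code: it matches a constructed SBOM against a constructed advisory feed, reports a remediation hint for each hit, and mirrors the exit-code/only-severities gate that the scout-action step uses later in this post. Package names, versions and the CVE-YYYY-* identifiers are placeholders, and the version comparison is deliberately simplified (dotted numeric versions only).

```python
"""SBOM-to-CVE cross-referencing, the core idea behind Docker Scout's analysis.

Added example, not Docker Scout's code: a small reimplementation of the idea
with a simplified numeric version comparison and constructed data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class Package:
    """One SBOM entry: a package name and the exact version found in the image."""
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    """One CVE record: which versions are affected and where the fix landed."""
    cve: str
    package: str
    severity: str                 # critical, high, medium or low
    introduced: str               # first affected version (inclusive)
    fixed: Optional[str] = None   # first fixed version (exclusive); None = no fix yet


def parse_version(version: str) -> Tuple[int, ...]:
    """Simplified: dotted numeric versions only (real scanners apply ecosystem rules)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def is_affected(pkg: Package, adv: Advisory) -> bool:
    """True when pkg.version lies in [introduced, fixed) for the same package."""
    if pkg.name != adv.package:
        return False
    v = parse_version(pkg.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def cross_reference(sbom: Sequence[Package], feed: Sequence[Advisory]) -> List[Dict[str, str]]:
    """Surface every (package, CVE) match together with a remediation hint."""
    findings = []
    for pkg in sbom:
        for adv in feed:
            if is_affected(pkg, adv):
                fix = f"upgrade to {adv.fixed}" if adv.fixed else "no fixed version yet"
                findings.append({"cve": adv.cve, "package": pkg.name,
                                 "version": pkg.version, "severity": adv.severity,
                                 "remediation": fix})
    return findings


def exit_code(findings: Sequence[Dict[str, str]],
              only_severities: Sequence[str] = ("critical", "high")) -> int:
    """Mirror the action's exit-code/only-severities options: non-zero (1 here,
    this example's convention) only when a finding at a selected severity exists."""
    return 1 if any(f["severity"] in only_severities for f in findings) else 0


# Constructed sample data: a three-package SBOM and a tiny advisory feed.
# The CVE identifiers are placeholders, not real advisories.
SBOM = [Package("openssl", "3.0.7"), Package("zlib", "1.2.11"), Package("curl", "8.1.0")]
FEED = [
    Advisory("CVE-YYYY-0001", "zlib", "high", introduced="1.2.0", fixed="1.2.12"),
    Advisory("CVE-YYYY-0002", "openssl", "critical", introduced="3.0.0", fixed="3.0.7"),
    Advisory("CVE-YYYY-0003", "curl", "medium", introduced="8.0.0"),
]

if __name__ == "__main__":
    results = cross_reference(SBOM, FEED)
    for f in results:
        print(f"{f['severity']:8} {f['cve']} {f['package']}@{f['version']}: {f['remediation']}")
    print("exit code:", exit_code(results))
```

Note how openssl 3.0.7 is not reported: it equals the advisory's fixed version, so it falls outside the affected range, while curl is reported even though no fix exists yet. Only the zlib finding trips the critical/high gate; filtering to critical alone would let the build pass.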

Can I run Docker Scout as CLI?

Yes. The Docker Scout CLI plugin ships by default with Docker Desktop starting with version 4.17.


Docker Scout is available through multiple interfaces, including the Docker Desktop and Docker Hub user interfaces, as well as a web-based user interface and a command-line interface (CLI) plugin. Users can view and interact with Docker Scout through these interfaces to gain a deeper understanding of the composition and security of their container images.

Is it possible to run Docker Scout on my Linux system?

To install, run the following command in your terminal:

curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --

Manual Installation

Download the docker-scout binary for your platform from the latest or other releases. Uncompress it and copy it into your local CLI plugin directory ($HOME/.docker/cli-plugins). Finally, make it executable on Linux and macOS:

chmod +x $HOME/.docker/cli-plugins/docker-scout

On macOS, also remove the quarantine attribute so the binary is allowed to run:

xattr -d com.apple.quarantine $HOME/.docker/cli-plugins/docker-scout

Integrating Docker Scout with GitHub Actions

GitHub Actions is a powerful CI/CD (Continuous Integration/Continuous Deployment) platform provided by GitHub. It allows developers to automate their workflows, build and test their code, and deploy applications seamlessly. By integrating Docker Scout with GitHub Actions, developers can enhance the security and quality of their containerized applications. In this article, we will explore how to integrate Docker Scout with GitHub Actions step-by-step.

Step 1: Set up a GitHub repository

To get started, create a new GitHub repository or navigate to an existing one where you want to integrate Docker Scout. Make sure you have the necessary permissions to modify the repository's settings and workflows.

Step 2: Create a GitHub Actions workflow

Inside your repository, navigate to the ".github/workflows" directory (create it if it doesn't exist). Create a new YAML file, e.g., "docker-scout.yml," and open it for editing. This file will define your GitHub Actions workflow.

Step 3: Define the workflow trigger

Add the following code to the beginning of your YAML file to define the trigger for the workflow:

name: Docker Scout Integration
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - '*'

This configuration triggers the workflow on every push to the 'main' branch and for any pull request.

Step 4: Set up the workflow environment

Next, you need to define the environment variables required for the workflow. Add the following code to your YAML file:

env:
  REGISTRY: docker.io
  IMAGE_NAME: ${{ github.repository }}
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}

These environment variables specify the Docker registry, the image name (derived from the repository), and the commit SHA for the pull request or push event.

Step 5: Define the workflow jobs

Inside the YAML file, you can define one or more jobs that will be executed as part of the workflow. For Docker Scout integration, we'll focus on the 'build' job.

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ env.SHA }}
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2.5.0
        with:
          driver-opts: |
            image=moby/buildkit:v0.10.6
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v2.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4.4.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.revision=${{ env.SHA }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short
      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v4.0.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max
      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags }}
          only-severities: critical,high
          exit-code: true

In this job, the following steps are performed:

  • Checking out the repository code.
  • Setting up Docker buildx for building multi-arch images.
  • Logging into the Docker registry.
  • Extracting Docker metadata using the docker/metadata-action.
  • Building and pushing the Docker image using the docker/build-push-action.
  • Running Docker Scout using the docker/scout-action to scan for CVEs (Common Vulnerabilities and Exposures) in the image.

Note that the Docker Scout step is conditionally executed only for pull requests to avoid unnecessary scans for push events.
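Two things a reviewer will check in a workflow like this: that each third-party action is pinned (the scout-action step above is pinned to a commit SHA, the other steps reference tags such as v3), and that the scan step is actually configured to fail the job. The following Python script is an added example, not part of the post or of Docker Scout. It runs those checks over the build job above, transcribed and abridged to the inputs the checks look at. It uses a deliberately small line-based parser rather than PyYAML, so it only understands steps that begin with "- name:" and flat "key: value" lines; that is an assumption of the example, not a rule of GitHub Actions.

```python
"""Policy checks for the workflow above: are third-party actions pinned, and is
the Docker Scout step configured to fail the job? Added example, not part of
the post or of Docker Scout. Assumes every step starts with `- name:`."""
import re
from typing import Dict, List

# The build job from the post, transcribed and abridged to the inputs these
# checks look at (constructed input for this example).
WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ env.SHA }}
      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2.5.0
        with:
          driver-opts: |
            image=moby/buildkit:v0.10.6
      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v2.1.0
        with:
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}
      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4.4.0
      - name: Build and push Docker image
        uses: docker/build-push-action@v4.0.0
        with:
          push: true
      - name: Docker Scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags }}
          only-severities: critical,high
          exit-code: true
"""

STEP_RE = re.compile(r"^\s*-\s+name:\s*(.+?)\s*$")
KV_RE = re.compile(r"^\s*([A-Za-z_][\w-]*):\s*(.*?)\s*$")
FULL_SHA_RE = re.compile(r"@[0-9a-f]{40}$")


def parse_steps(workflow: str) -> List[Dict[str, str]]:
    """Line-based split into steps, each a flat dict of `key: value` pairs.
    Keys with no value (`with:`) and block scalars (`|`) are skipped, and
    continuation lines such as `image=moby/...` never match KV_RE."""
    steps: List[Dict[str, str]] = []
    for line in workflow.splitlines():
        m = STEP_RE.match(line)
        if m:
            steps.append({"name": m.group(1)})
            continue
        m = KV_RE.match(line)
        if m and steps and m.group(2) not in ("", "|"):
            steps[-1][m.group(1)] = m.group(2)
    return steps


def unpinned_actions(steps: List[Dict[str, str]]) -> List[str]:
    """`uses:` references not pinned to a full 40-hex commit SHA. A tag like @v3
    can be moved by whoever controls the action's repository; a SHA cannot."""
    return [s["uses"] for s in steps
            if "uses" in s and not FULL_SHA_RE.search(s["uses"])]


def scout_gate_issues(steps: List[Dict[str, str]]) -> List[str]:
    """Is the Docker Scout step set up so that findings actually fail the job?"""
    scout = [s for s in steps if s.get("uses", "").startswith("docker/scout-action@")]
    if not scout:
        return ["no docker/scout-action step found"]
    s = scout[0]
    issues = []
    if s.get("command") != "cves":
        issues.append("command is not 'cves'")
    if s.get("exit-code", "").lower() != "true":
        issues.append("exit-code is not true: findings will not fail the job")
    if not s.get("only-severities"):
        issues.append("only-severities not set: every CVE, even low, fails the job")
    return issues


if __name__ == "__main__":
    found = parse_steps(WORKFLOW)
    for ref in unpinned_actions(found):
        print("unpinned action:", ref)
    for issue in scout_gate_issues(found):
        print("scout gate:", issue)
```

Run against the post's job, the script reports five tag-pinned actions and no gate issues; delete the exit-code line and it flags that the scan would no longer block the merge. Pinning the remaining actions to commit SHAs, as the post already does for scout-action, is the usual follow-up.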

Step 6: Save and commit the workflow file

Save the YAML file and commit it to the repository. GitHub Actions will automatically pick up the file and start executing the workflow whenever the defined triggers are met.

Step 7: Configure secrets

To securely authenticate with Docker registries, you need to configure secrets in your GitHub repository. Secrets are encrypted environment variables that can be used in workflows. In this case, you'll need to set up the following secrets:

DOCKER_USER: The username for the Docker registry.
DOCKER_PAT: The personal access token (PAT) or password for the Docker registry.

To set up the secrets, go to your repository's settings, navigate to the "Secrets" tab, and add the secrets with their respective values.

Conclusion

Integrating Docker Scout with GitHub Actions brings enhanced security and software supply chain insights to your CI/CD pipelines. By following the steps outlined in this article, you can seamlessly integrate Docker Scout into your GitHub repository's workflows. This integration enables the automated scanning of container images for vulnerabilities, ensuring that your applications are built on secure foundations. Embracing this integration can significantly improve the quality and security of your Docker-based projects, providing peace of mind to both developers and end-users.
