Prepare containers
Duration: 5 min | Persona: Apps Operator
In this section, you will copy the Bank of Anthos apps containers in your private Artifact Registry. You will also scan one container image.
Initialize variables:
WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
BANK_OF_ANTHOS_VERSION=v0.5.10
echo "export BANK_OF_ANTHOS_VERSION=${BANK_OF_ANTHOS_VERSION}" >> ${WORK_DIR}acm-workshop-variables.sh
PRIVATE_BANK_OF_ANTHOS_REGISTRY=$CONTAINER_REGISTRY_REPOSITORY/bankofanthos
echo "export PRIVATE_BANK_OF_ANTHOS_REGISTRY=${PRIVATE_BANK_OF_ANTHOS_REGISTRY}" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.shCopy the public container images to your private registry:
UPSTREAM_BANK_OF_ANTHOS_REGISTRY=gcr.io/bank-of-anthos-ci
SERVICES="accounts-db balancereader contacts frontend ledger-db ledgerwriter loadgenerator transactionhistory userservice"
for s in $SERVICES; do crane copy $UPSTREAM_BANK_OF_ANTHOS_REGISTRY/$s:$BANK_OF_ANTHOS_VERSION $PRIVATE_BANK_OF_ANTHOS_REGISTRY/$s:$BANK_OF_ANTHOS_VERSION; doneList the container images in your private registry:
gcloud artifacts docker images list $CONTAINER_REGISTRY_REPOSITORY \
--include-tagsScan the cartservice container image:
gcloud artifacts docker images scan $PRIVATE_BANK_OF_ANTHOS_REGISTRY/cartservice:$BANK_OF_ANTHOS_VERSION \
--project ${TENANT_PROJECT_ID} \
--remote \
--format='value(response.scan)' > ${WORK_DIR}scan_id.txt
gcloud artifacts docker images list-vulnerabilities $(cat ${WORK_DIR}scan_id.txt) \
--project ${TENANT_PROJECT_ID} \
--format='table(vulnerability.effectiveSeverity, vulnerability.cvssScore, noteName, vulnerability.packageIssue[0].affectedPackage, vulnerability.packageIssue[0].affectedVersion.name, vulnerability.packageIssue[0].fixedVersion.name)' Tip
You could use this gcloud artifacts docker images scan command in your Continuous Integration system in order to detect as early as possible for example Critical or High vulnerabilities.