Prepare container
Duration: 5 min | Persona: Apps Operator
In this section, you will copy the Whereami app container image into your private Artifact Registry repository. You will also scan this container image for vulnerabilities.
Initialize variables:

```bash
WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
WHEREAMI_VERSION=v1.2.14
PRIVATE_WHEREAMI_IMAGE_NAME=$CONTAINER_REGISTRY_REPOSITORY/whereami:$WHEREAMI_VERSION
echo "export PRIVATE_WHEREAMI_IMAGE_NAME=${PRIVATE_WHEREAMI_IMAGE_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh
```
Copy the public container image to your private registry:

```bash
UPSTREAM_WHEREAMI_IMAGE_NAME=us-docker.pkg.dev/google-samples/containers/gke/whereami:$WHEREAMI_VERSION
gcloud auth configure-docker $CONTAINER_REGISTRY_HOST_NAME --quiet
crane copy $UPSTREAM_WHEREAMI_IMAGE_NAME $PRIVATE_WHEREAMI_IMAGE_NAME
```
List the container images in your private registry:

```bash
gcloud artifacts docker images list $CONTAINER_REGISTRY_REPOSITORY \
    --include-tags
```
Scan the whereami container image and list the vulnerabilities found:

```bash
gcloud artifacts docker images scan $PRIVATE_WHEREAMI_IMAGE_NAME \
    --project ${TENANT_PROJECT_ID} \
    --remote \
    --format='value(response.scan)' > ${WORK_DIR}scan_id.txt
gcloud artifacts docker images list-vulnerabilities $(cat ${WORK_DIR}scan_id.txt) \
    --project ${TENANT_PROJECT_ID} \
    --format='table(vulnerability.effectiveSeverity, vulnerability.cvssScore, noteName, vulnerability.packageIssue[0].affectedPackage, vulnerability.packageIssue[0].affectedVersion.name, vulnerability.packageIssue[0].fixedVersion.name)'
```
Tip: You could use this `gcloud artifacts docker images scan` command in your Continuous Integration system to detect, as early as possible, Critical or High vulnerabilities, for example.
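A CI gate built on the two scan commands above, as an added example that is not part of the workshop: it counts CRITICAL/HIGH findings from `list-vulnerabilities` and fails the pipeline when any exist. The function names `count_blocking` and `scan_gate` and the sample findings are my own; the gate assumes the workshop's `PRIVATE_WHEREAMI_IMAGE_NAME` and `TENANT_PROJECT_ID` variables and a working `gcloud`.

```shell
#!/usr/bin/env bash
# Added example (not workshop code): fail a CI job on CRITICAL/HIGH findings.
set -eu

# Count findings whose effective severity is in the blocking set (default
# "CRITICAL HIGH"). Input on stdin: one finding per line, severity first, as
# produced by --format='value(vulnerability.effectiveSeverity,noteName)'.
count_blocking() {
  blocking="${1:-CRITICAL HIGH}"
  n=0
  while read -r sev _; do
    [ -z "$sev" ] && continue
    case " $blocking " in
      *" $sev "*) n=$((n + 1)) ;;
    esac
  done
  echo "$n"
}

# Scan the image, list its vulnerabilities, and return 1 if any blocking
# finding exists. Same gcloud commands as the workshop, only the output
# format differs so the result is machine-readable.
scan_gate() {
  image="$1"
  project="$2"
  scan_id=$(gcloud artifacts docker images scan "$image" \
    --project "$project" --remote --format='value(response.scan)')
  blocked=$(gcloud artifacts docker images list-vulnerabilities "$scan_id" \
    --project "$project" \
    --format='value(vulnerability.effectiveSeverity,noteName)' | count_blocking)
  if [ "$blocked" -gt 0 ]; then
    echo "FAIL: $blocked CRITICAL/HIGH vulnerabilities in $image" >&2
    return 1
  fi
  echo "OK: no CRITICAL/HIGH vulnerabilities in $image"
}

# Constructed sample output (not real findings) in the shape of the
# value(...) format above, so the gate logic can be checked without gcloud.
SAMPLE_FINDINGS='CRITICAL projects/goog-vulnz/notes/CVE-EXAMPLE-1
HIGH projects/goog-vulnz/notes/CVE-EXAMPLE-2
MEDIUM projects/goog-vulnz/notes/CVE-EXAMPLE-3
LOW projects/goog-vulnz/notes/CVE-EXAMPLE-4'

# Run the real gate only when an image is passed on the command line, e.g.
#   ./gate.sh "$PRIVATE_WHEREAMI_IMAGE_NAME" "$TENANT_PROJECT_ID"
if [ "${1:-}" != "" ]; then
  scan_gate "$1" "${2:-$TENANT_PROJECT_ID}"
fi
```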