Prepare container

Duration: 5 min | Persona: Apps Operator

In this section, you will copy the Whereami app container image into your private Artifact Registry repository. You will also scan this container image for vulnerabilities.

Initialize variables:

WORK_DIR=~/
source ${WORK_DIR}acm-workshop-variables.sh
WHEREAMI_VERSION=v1.2.14
PRIVATE_WHEREAMI_IMAGE_NAME=$CONTAINER_REGISTRY_REPOSITORY/whereami:$WHEREAMI_VERSION
echo "export PRIVATE_WHEREAMI_IMAGE_NAME=${PRIVATE_WHEREAMI_IMAGE_NAME}" >> ${WORK_DIR}acm-workshop-variables.sh
source ${WORK_DIR}acm-workshop-variables.sh

Copy the public container image to your private registry:

UPSTREAM_WHEREAMI_IMAGE_NAME=us-docker.pkg.dev/google-samples/containers/gke/whereami:$WHEREAMI_VERSION
gcloud auth configure-docker $CONTAINER_REGISTRY_HOST_NAME --quiet
crane copy $UPSTREAM_WHEREAMI_IMAGE_NAME $PRIVATE_WHEREAMI_IMAGE_NAME

List the container images in your private registry:

gcloud artifacts docker images list $CONTAINER_REGISTRY_REPOSITORY \
    --include-tags

Scan the whereami container image:

gcloud artifacts docker images scan $PRIVATE_WHEREAMI_IMAGE_NAME \
    --project ${TENANT_PROJECT_ID} \
    --remote \
    --format='value(response.scan)' > ${WORK_DIR}scan_id.txt
gcloud artifacts docker images list-vulnerabilities $(cat ${WORK_DIR}scan_id.txt) \
    --project ${TENANT_PROJECT_ID} \
    --format='table(vulnerability.effectiveSeverity, vulnerability.cvssScore, noteName, vulnerability.packageIssue[0].affectedPackage, vulnerability.packageIssue[0].affectedVersion.name, vulnerability.packageIssue[0].fixedVersion.name)'

Tip

You could run this gcloud artifacts docker images scan command in your Continuous Integration system to detect, for example, Critical or High vulnerabilities as early as possible, before the image is deployed.
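The following script is an added example of such a CI gate built around the two scan commands above; it is not part of the workshop. It assumes the workshop variables PRIVATE_WHEREAMI_IMAGE_NAME and TENANT_PROJECT_ID are set and gcloud is installed; the SAMPLE_FINDINGS lines are constructed so the counting logic can be exercised offline.

```shell
#!/usr/bin/env bash
# Added example (not part of the workshop): fail a CI job when the on-demand scan
# reports CRITICAL or HIGH findings. Assumes the workshop variables
# PRIVATE_WHEREAMI_IMAGE_NAME and TENANT_PROJECT_ID are set and gcloud is installed.
set -eu

# Count findings at or above THRESHOLD (CRITICAL or HIGH). Reads CSV lines of
# "<effectiveSeverity>,<cvssScore>,<affectedPackage>" on stdin and prints the count.
count_blocking() {
  threshold="${1:-HIGH}"
  count=0
  while IFS=, read -r severity rest; do
    [ -n "$severity" ] || continue
    case "$threshold:$severity" in
      CRITICAL:CRITICAL|HIGH:CRITICAL|HIGH:HIGH) count=$((count + 1)) ;;
    esac
  done
  echo "$count"
}

# Run the same scan as above, but request machine-readable CSV and gate on it.
# Returns 1 (blocking the pipeline) when any finding reaches the threshold.
gate_scan() {
  threshold="${1:-HIGH}"
  scan_id=$(gcloud artifacts docker images scan "$PRIVATE_WHEREAMI_IMAGE_NAME" \
    --project "$TENANT_PROJECT_ID" --remote --format='value(response.scan)')
  findings=$(gcloud artifacts docker images list-vulnerabilities "$scan_id" \
    --project "$TENANT_PROJECT_ID" \
    --format='csv[no-heading](vulnerability.effectiveSeverity,vulnerability.cvssScore,vulnerability.packageIssue[0].affectedPackage)')
  blocking=$(printf '%s\n' "$findings" | count_blocking "$threshold")
  if [ "$blocking" -gt 0 ]; then
    echo "FAIL: $blocking finding(s) at or above $threshold in $PRIVATE_WHEREAMI_IMAGE_NAME" >&2
    return 1
  fi
  echo "PASS: no findings at or above $threshold"
}

# Constructed sample of list-vulnerabilities CSV output, to exercise the gate offline.
SAMPLE_FINDINGS='CRITICAL,9.8,libssl1.1
HIGH,7.5,curl
MEDIUM,5.3,libc6
LOW,3.1,tar'

# In CI you would call: gate_scan HIGH
# Offline check of the counting logic against the constructed sample:
printf '%s\n' "$SAMPLE_FINDINGS" | count_blocking HIGH   # prints 2
```

A findings list with no CRITICAL or HIGH entries yields a count of 0 and the gate passes; choose CRITICAL as the threshold if HIGH is too strict for your base image.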