DEV Community

Cover image for How to Integrate Docker Scout with GitHub Actions
Ajeet Singh Raina for Docker

Posted on • Updated on

How to Integrate Docker Scout with GitHub Actions

Docker Scout is a collection of software supply chain features that provide insights into the composition and security of container images. It analyzes image contents and generates a detailed report of packages and vulnerabilities it detects, providing suggestions for remediation.

How does it work?

Image5

Docker Scout provides detailed insights into the composition and security of container images. It uses SBOMs to cross-reference with streaming CVE data to surface vulnerabilities (and potential remediation) as soon as possible. An SBOM, or software bill of materials, is a nested inventory, a list of ingredients that make up software components.

Can I run Docker Scout as CLI?

Yes, Docker scout CLI plugin is available by default on Docker Desktop starting with version 4.17.

Image3

Docker Scout is available through multiple interfaces, including the Docker Desktop and Docker Hub user interfaces, as well as a web-based user interface and a command-line interface (CLI) plugin. Users can view and interact with Docker Scout through these interfaces to gain a deeper understanding of the composition and security of their container images.

Is it possible to run Docker Scout on my Linux system?

To install, run the following command in your terminal:



curl -sSfL https://raw.githubusercontent.com/docker/scout-cli/main/install.sh | sh -s --


Enter fullscreen mode Exit fullscreen mode

Manual Installation

Download the docker-scout binary corresponding to your platform from the latest or other releases. Uncompress it & Copy it in your local CLI plugin directory. Finally, you need to make it executable on Linux and macOS



chmod +x $HOME/.docker/cli-plugins/docker-scout


Enter fullscreen mode Exit fullscreen mode

Don't forget to authorize the binary to be executable on macOS



xattr -d com.apple.quarantine $HOME/.docker/cli-plugins/docker-scout


Enter fullscreen mode Exit fullscreen mode

Integrating Docker Scout with GitHub Actions

GitHub Actions is a powerful CI/CD (Continuous Integration/Continuous Deployment) platform provided by GitHub. It allows developers to automate their workflows, build and test their code, and deploy applications seamlessly. By integrating Docker Scout with GitHub Actions, developers can enhance the security and quality of their containerized applications. In this article, we will explore how to integrate Docker Scout with GitHub Actions step-by-step.

Step 1: Set up a GitHub repository

To get started, create a new GitHub repository or navigate to an existing one where you want to integrate Docker Scout. Make sure you have the necessary permissions to modify the repository's settings and workflows.

Step 2: Create a GitHub Actions workflow

Inside your repository, navigate to the ".github/workflows" directory (create it if it doesn't exist). Create a new YAML file, e.g., "docker-scout.yml," and open it for editing. This file will define your GitHub Actions workflow.

Step 3: Define the workflow trigger

Add the following code to the beginning of your YAML file to define the trigger for the workflow:



name: Docker Scout Integration
on:
  push:
    branches:
      - main
  pull_request:
    branches:
      - '*'


Enter fullscreen mode Exit fullscreen mode

This configuration triggers the workflow on every push to the 'main' branch and for any pull request.

Step 4: Set up the workflow environment

Next, you need to define the environment variables required for the workflow. Add the following code to your YAML file:



env:
  REGISTRY: docker.io
  IMAGE_NAME: ${{ github.repository }}
  SHA: ${{ github.event.pull_request.head.sha || github.event.after }}


Enter fullscreen mode Exit fullscreen mode

These environment variables specify the Docker registry, the image name (derived from the repository), and the commit SHA for the pull request or push event.

Step 5: Define the workflow jobs

Inside the YAML file, you can define one or more jobs that will be executed as part of the workflow. For Docker Scout integration, we'll focus on the 'build' job.



jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout repository
        uses: actions/checkout@v3
        with:
          ref: ${{ env.SHA }}

      - name: Setup Docker buildx
        uses: docker/setup-buildx-action@v2.5.0
        with:
          driver-opts: |
            image=moby/buildkit:v0.10.6

      - name: Log into registry ${{ env.REGISTRY }}
        uses: docker/login-action@v2.1.0
        with:
          registry: ${{ env.REGISTRY }}
          username: ${{ secrets.DOCKER_USER }}
          password: ${{ secrets.DOCKER_PAT }}

      - name: Extract Docker metadata
        id: meta
        uses: docker/metadata-action@v4.4.0
        with:
          images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}
          labels: |
            org.opencontainers.image.revision=${{ env.SHA }}
          tags: |
            type=edge,branch=$repo.default_branch
            type=semver,pattern=v{{version}}
            type=sha,prefix=,suffix=,format=short

      - name: Build and push Docker image
        id: build-and-push
        uses: docker/build-push-action@v4.0.0
        with:
          context: .
          push: true
          tags: ${{ steps.meta.outputs.tags }}
          labels: ${{ steps.meta.outputs.labels }}
          cache-from: type=gha
          cache-to: type=gha,mode=max

      - name: Docker Scout
        id: docker-scout
        if: ${{ github.event_name == 'pull_request' }}
        uses: docker/scout-action@dd36f5b0295baffa006aa6623371f226cc03e506
        with:
          command: cves
          image: ${{ steps.meta.outputs.tags }}
          only-severities: critical,high
          exit-code: true


Enter fullscreen mode Exit fullscreen mode

In this job, the following steps are performed:

  • Checking out the repository code.
  • Setting up Docker buildx for building multi-arch images.
  • Logging into the Docker registry.
  • Extracting Docker metadata using the docker/metadata-action.
  • Building and pushing the Docker image using the docker/build-push-action.
  • Running Docker Scout using the docker/scout-action to scan for CVEs (Common Vulnerabilities and Exposures) in the image.

Note that the Docker Scout step is conditionally executed only for pull requests to avoid unnecessary scans for push events.

Step 6: Save and commit the workflow file

Save the YAML file and commit it to the repository. GitHub Actions will automatically pick up the file and start executing the workflow whenever the defined triggers are met.

Step 7: Configure secrets

To securely authenticate with Docker registries, you need to configure secrets in your GitHub repository. Secrets are encrypted environment variables that can be used in workflows. In this case, you'll need to set up the following secrets:



DOCKER_USER: The username for the Docker registry.
DOCKER_PAT: The personal access token (PAT) or password for the Docker registry.


Enter fullscreen mode Exit fullscreen mode

To set up the secrets, go to your repository's settings, navigate to the "Secrets" tab, and add the secrets with their respective values.

Conclusion

Integrating Docker Scout with GitHub Actions brings enhanced security and software supply chain insights to your CI/CD pipelines. By following the steps outlined in this article, you can seamlessly integrate Docker Scout into your GitHub repository's workflows. This integration enables the automated scanning of container images for vulnerabilities, ensuring that your applications are built on secure foundations. Embracing this integration can significantly improve the quality and security of your Docker-based projects, providing peace of mind to both developers and end-users.

References

Top comments (0)