When building an image in Jenkins, it is often part of the pipeline to scan the image locally before pushing it to the registry. Depending on the architecture, this may result in the image being added automatically via an Automatic Registry Pull, but this will subsequently result in another scan. By adding the register-compliant option during the scan process, you can also register the image to Aqua, based on the outcome of the image assurance policy.
The scanner-CLI has two arguments that need to be passed (register-compliant and registry), and both are used here. When you scan a local build in Jenkins, it is scanning the selected image against the image assurance policy for its security stature. If it were to fail this step, and the image is non-compliant, it would cause the entire CI build to fail and it will not register the image in Aqua. If successful, the image will pass the CI pipeline, as well as register the image in the Aqua database.
The Scanner-CLI command looks like this:
docker run --rm -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp aquasec/scanner-cli:3.2 --image image_to_scan --host http://url:ip --user scanner_user --password scanner_password --register-compliant --registry "RegistryName-as-displayed-in-aqua" --local --jsonfile out.json --htmlfile out.html > /dev/null
Note: In the Jenkins pipeline, most of these can be added as variables from the pipeline.
docker run --rm -v $DOCKER_SOCKET:$DOCKER_SOCKET -v /tmp:/tmp $AQUA_SCANNER --image $image --host $AQUA_SERVER --user $AQUA_USER --password $AQUA_PASSWORD --register-compliant --registry "RegistryName-as-displayed-in-aqua" --local --jsonfile out.json --htmlfile out.html > /dev/null
Older Options (pre - 4.0)
Alternatively, you can select the register option or schedule a scan via the API. Both of these options, however, register the image regardless if the image is compliant or non-compliant. This can lead to issues on nightly scans. This is because the image, most likely, was not pushed to the registry due to the failure in the CI pipeline, even though the image was registered.
Did you find it helpful?Send feedback