Deployment Task

This article details the current options for registering more than 1 tag from a CI pipeline, such as Jenkins or Bamboo. By default, Aqua needs to add the image information to its database in order for the image to be registered. During this process, the image is assessed against the image assurance policy. Because of this, there are 3 options for adding those additional tags.



Deployment Steps


Option 1:

 

1. Register and scan the image tag from the pipeline that is used in deployment configurations.

 

2. Have the other images pushed to the registry. Under System > Integrations > Image Registries > Selected Registry > Advanced Settings, you can leverage the registry auto-pull or webhook event notifications to auto-pull and register the image.

OR 


2. Send an API call to the console from the CI. This has the same outcome, but the scan is requested directly and more immediately:
POST /api/v1/scanner/registry/Docker%20Hub/image/mongo:latest/scan

 

This will move the scanning to the console and let the CI finish faster.

 

You can also add additional scanners to the console, which will help with the new scanning tasks.
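
The API variant of step 2, applied to several tags, as an added example (not part of the original article or Aqua's own tooling). It builds the endpoint shown above for each tag, percent-encoding the registry name the way "Docker Hub" becomes Docker%20Hub. The function names, the AQUA_HOST, AQUA_TOKEN and AQUA_SEND variables, and the Bearer authorization header are assumptions; by default it only prints the requests.

```shell
#!/bin/sh
# Added example: queue console-side scans for extra tags (Option 1, API variant).
# AQUA_HOST, AQUA_TOKEN, AQUA_SEND and the Bearer header are assumptions.
LC_ALL=C   # byte-wise pattern matching; ASCII registry names assumed

# Percent-encode one URL path segment (e.g. the registry name "Docker Hub").
# Unreserved characters pass through, everything else becomes %XX.
urlencode_segment() {
    s=$1 out=
    while [ -n "$s" ]; do
        rest=${s#?}
        c=${s%"$rest"}
        s=$rest
        case $c in
            [A-Za-z0-9._~-]) out=$out$c ;;
            *) out=$out$(printf '%%%02X' "'$c") ;;
        esac
    done
    printf '%s' "$out"
}

# Build the scan endpoint shown in the article for one image tag.
scan_path() {   # usage: scan_path REGISTRY IMAGE TAG
    printf '/api/v1/scanner/registry/%s/image/%s:%s/scan' \
        "$(urlencode_segment "$1")" "$2" "$3"
}

# Print (dry run) or send one POST per tag; stops at the first failed request.
register_tags() {   # usage: register_tags REGISTRY IMAGE TAG...
    registry=$1 image=$2; shift 2
    for tag in "$@"; do
        path=$(scan_path "$registry" "$image" "$tag")
        if [ "${AQUA_SEND:-0}" = 1 ]; then
            curl -fsS -X POST -H "Authorization: Bearer $AQUA_TOKEN" \
                "$AQUA_HOST$path" >/dev/null || return 1
        else
            printf 'POST %s\n' "$path"
        fi
    done
}

# Constructed sample call: dry run for two tags of the article's mongo image.
register_tags "Docker Hub" mongo latest 4.4
```

Setting AQUA_SEND=1 sends the requests with curl; the token is read from the environment so it does not appear in the CI job's command line.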

 


 

Option 2:

 

1. Add build steps to the CI to take the .json artifact and modify the image name/tag. This will keep the same scan results, but it will now be under the correct image.

 

2. Run
sudo docker run -ti -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp registry.aquasec.com/scanner:4.0 import --user scanner --password password --host http://consoleURL:8080 AquaSecurity.json


 

3. Add another build step (if required) to the CI to modify the .json artifact's image again for an additional tag.

 

4. Run
sudo docker run -ti -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp registry.aquasec.com/scanner:4.0 import --user scanner --password password --host http://consoleURL:8080 AquaSecurity.json


5. Repeat until the number of tags is satisfied.

 


 

Option 3:

 

1. Handle all scans consecutively in the CI. This is more time-intensive for the CI process, but it removes the need for additional scanners on the console.
sudo docker run -ti -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp registry.aquasec.com/scanner:4.0 scan --user scanner --password password --host http://consoleURL:8080 --jsonfile /tmp/AquaSecurity.json --local --register-compliant imageName:tag1


sudo docker run -ti -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp registry.aquasec.com/scanner:4.0 scan --user scanner --password password --host http://consoleURL:8080 --jsonfile /tmp/AquaSecurity.json --local --register-compliant imageName:tag2


sudo docker run -ti -v /var/run/docker.sock:/var/run/docker.sock -v /tmp:/tmp registry.aquasec.com/scanner:4.0 scan --user scanner --password password --host http://consoleURL:8080 --jsonfile /tmp/AquaSecurity.json --local --register-compliant imageName:tag3



Related Information

https://docs.aquasec.com/v4.0/reference#section-start-image-scan

https://docs.aquasec.com/docs/command-line

https://docs.aquasec.com/docs/add-a-registry-and-scan-images#section-add-an-image-registry-to-aqua