When integrating Nexus Repository Manager with AQUA through a registry integration, one might notice that there is no out-of-the-box (OOTB) webhook option for getting Docker images from the Nexus Repository into AQUA as they are created in Nexus.
The reason is that Nexus does not have a webhook endpoint and does not provide a listener option.
One can overcome this by following the sample options below:
Create a new Capability within Nexus with type 'Webhook Repository'
Keep in mind that you should be able to connect to the webhook server (listener) from your Nexus Server.
In the first example, we use the PIPEDREAM free option as a webhook endpoint. Once we have pushed a new image into the Nexus Repo, we can see the output of that POST command in PIPEDREAM:
Now one can trigger the API call to AQUA to POST the scan command, mapping the values of the image name and image tag (Name and Version from the example above).
The workflow created will trigger an HTTP request based on the webhook event coming into PIPEDREAM.
For example, see the below configuration:
When using PIPEDREAM, the webhook event is easy to parse, and from Nexus3 you can get the image details, which are:
event.body.component.name and event.body.component.version, as shown above.
You can also verify the flow success and see that you are getting something like:
Another option is to own the webhook endpoint to which you configure Nexus to send its webhook event, using a simple Flask application (based on Python).
Below is a sample of creating a webhook listener in Flask which will:
- Write the entire webhook event to a log file.
- Parse the image name and its tag and write them to a JSON file.
- Trigger a shell script (which one can write to trigger the needed AQUA API using the JSON file as the JSON Body if needed)
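A listener covering the three steps above, as an added example (not the article's original sample and not AQUA or Sonatype code). It also checks the webhook signature and validates the image name and tag before anything is handed to the script. Assumptions: the secret, file paths, route and script name are hypothetical; the capability has a secret key set, so Nexus sends an HMAC-SHA1 of the body in X-Nexus-Webhook-Signature; the event carries action and component.format fields.

```python
import hashlib, hmac, json, re, subprocess

# Hypothetical values, not from the original article.
SECRET = b"change-me"                    # same value as the capability's secret key
EVENT_LOG = "nexus_events.log"
SCAN_BODY = "scan_request.json"
SCAN_SCRIPT = "./trigger_aqua_scan.sh"   # script that calls the AQUA scan API

NAME_RE = re.compile(r"[a-z0-9]+(?:[._/-][a-z0-9]+)*")
TAG_RE = re.compile(r"[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}")

def signature_ok(raw_body, header_value, secret=SECRET):
    """Compare the HMAC-SHA1 of the raw body with the signature header."""
    expected = hmac.new(secret, raw_body, hashlib.sha1).hexdigest()
    supplied = (header_value or "").lower().encode("utf-8", "replace")
    return hmac.compare_digest(expected.encode(), supplied)

def extract_image(event):
    """Return (name, version) for a newly created docker component, else None."""
    comp = event.get("component") or {}
    name, version = str(comp.get("name", "")), str(comp.get("version", ""))
    if event.get("action") != "CREATED" or comp.get("format") != "docker":
        return None
    if not NAME_RE.fullmatch(name) or not TAG_RE.fullmatch(version):
        return None   # not a plain image name/tag: never pass it on
    return name, version

def create_app():
    from flask import Flask, request, abort   # local import: helpers work without Flask
    app = Flask(__name__)

    @app.route("/nexus-webhook", methods=["POST"])
    def nexus_webhook():
        raw = request.get_data()
        if not signature_ok(raw, request.headers.get("X-Nexus-Webhook-Signature")):
            abort(403)
        with open(EVENT_LOG, "ab") as log:     # 1. log the entire event
            log.write(raw + b"\n")
        image = extract_image(json.loads(raw))
        if image is None:
            return "ignored", 200
        with open(SCAN_BODY, "w") as fh:       # 2. image name and tag as JSON
            json.dump({"name": image[0], "version": image[1]}, fh)
        # 3. argument list, no shell: event data is never interpreted as a command
        subprocess.run([SCAN_SCRIPT, SCAN_BODY], check=False)
        return "queued", 202
    return app
```

Mapping the name and version keys to the request body the AQUA scan API expects is left to the script.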
Keep in mind that these are only two examples of how one can get an image that is pushed into a Nexus Repository scanned and registered by AQUA as soon as it is pushed.
One can use any webhook listener that can receive the event from Nexus and then trigger any operation (such as another webhook, a scripting tool, an HTTP response and so on) to call the AQUA API.
The Scan API is documented in https://docs.aquasec.com/reference#image-scanning-api
PIPEDREAM information is documented in https://pipedream.com/
Nexus documentation is in https://help.sonatype.com/repomanager3
Flask documentation is in https://flask.palletsprojects.com/en/1.1.x/