Pre-deploy Image Scanning

Image Scanning is a great candidate to be used in Pre-deploy workflows. Scanning during pre-deploy allows a separate approval to be created specifically for reviewing the scan results.

Configuring the setup only takes a few minutes:

1. Create a new workflow of type Pre-deploy

2. Add the scan operation

I am using the Anchore AnalyzeImage operation, which scans a remote Docker image and uploads the results to an existing Anchore Engine. Feel free to use any scan utility you wish. In order for the Pre-deploy workflow to generate a review task, you need to set two variables in the workflow (FD_REVIEW_REQUIRED and FD_REVIEW_GROUP, as in the export below). Click the variable button and set your values. These can also be set dynamically in the workflow via the Assign operation.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<ns0:WorkFlow xmlns:ns1="http://flexagon.com/flexdeploy/workflow/common" xmlns:ns0="http://flexagon.com/flexdeploy/workflow">
  <ns1:Name>ScanImage</ns1:Name>
  <ns1:Description></ns1:Description>
  <ns0:Variables>
    <ns0:Variable>
      <ns1:Name>FD_REVIEW_REQUIRED</ns1:Name>
      <ns1:Type>Boolean</ns1:Type>
      <ns0:returnAsOutput>true</ns0:returnAsOutput>
      <ns1:isConstant>false</ns1:isConstant>
      <ns1:InitialValue>true</ns1:InitialValue>
    </ns0:Variable>
    <ns0:Variable>
      <ns1:Name>FD_REVIEW_GROUP</ns1:Name>
      <ns1:Type>String</ns1:Type>
      <ns0:returnAsOutput>true</ns0:returnAsOutput>
      <ns1:isConstant>false</ns1:isConstant>
      <ns1:InitialValue>"FD Administrators"</ns1:InitialValue>
    </ns0:Variable>
  </ns0:Variables>
  <ns0:Steps>
    <ns0:Step>
      <ns1:Name>analyzeImage</ns1:Name>
      <ns1:StepId>1</ns1:StepId>
      <ns0:InvokePlugin>
        <ns0:PluginName>FlexagonAnchorePlugin</ns0:PluginName>
        <ns0:PluginOperation>analyzeImage</ns0:PluginOperation>
        <ns0:consumesArtifacts>false</ns0:consumesArtifacts>
        <ns0:producesArtifacts>false</ns0:producesArtifacts>
        <ns0:EndpointSelection>
          <ns0:EndpointSelectionChoice>All</ns0:EndpointSelectionChoice>
        </ns0:EndpointSelection>
        <ns0:EndpointExecutionChoice>Any</ns0:EndpointExecutionChoice>
        <ns0:PluginInputs>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_USER</ns0:Name>
            <ns0:ValueType>Text</ns0:ValueType>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns1:Type>String</ns1:Type>
            <ns0:Text>admin</ns0:Text>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_PASSWORD</ns0:Name>
            <ns0:ValueType>Text</ns0:ValueType>
            <ns0:Encrypted>true</ns0:Encrypted>
            <ns1:Type>String</ns1:Type>
            <ns0:Text>changeme</ns0:Text>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_URL</ns0:Name>
            <ns0:ValueType>Text</ns0:ValueType>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns1:Type>String</ns1:Type>
            <ns0:Text>http://yourhost:8228/v1</ns0:Text>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_IMAGE_NAME</ns0:Name>
            <ns0:ValueType>Expression</ns0:ValueType>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns1:Type>String</ns1:Type>
            <ns0:Value>
              <ns0:Expression>"docker.io/"+FD_PROJECT_DOCKER_IMAGE_NAME</ns0:Expression>
            </ns0:Value>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_WAIT_FOR_RESULTS</ns0:Name>
            <ns0:ValueType>Text</ns0:ValueType>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns1:Type>Boolean</ns1:Type>
            <ns0:Text>true</ns0:Text>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_SCAN_FAIL_CONDITION</ns0:Name>
            <ns0:ValueType>Text</ns0:ValueType>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns1:Type>String</ns1:Type>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_FORCE_ANALYZE</ns0:Name>
            <ns0:ValueType>Text</ns0:ValueType>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns1:Type>Boolean</ns1:Type>
            <ns0:Text>false</ns0:Text>
          </ns0:PluginInput>
        </ns0:PluginInputs>
        <ns0:UserInputs/>
        <ns0:PluginOutputs>
          <ns0:OutputValue>
            <ns0:NameInCallee>FDANCR_OUT_FINAL_ACTION</ns0:NameInCallee>
          </ns0:OutputValue>
          <ns0:OutputValue>
            <ns0:NameInCallee>FDANCR_OUT_STATUS</ns0:NameInCallee>
          </ns0:OutputValue>
          <ns0:OutputValue>
            <ns0:NameInCallee>FDANCR_OUT_STOP_COUNT</ns0:NameInCallee>
          </ns0:OutputValue>
          <ns0:OutputValue>
            <ns0:NameInCallee>FDANCR_OUT_WARN_COUNT</ns0:NameInCallee>
          </ns0:OutputValue>
          <ns0:OutputValue>
            <ns0:NameInCallee>FDANCR_OUT_ALL_COUNT_LIST</ns0:NameInCallee>
            <ns0:NameInCaller></ns0:NameInCaller>
          </ns0:OutputValue>
        </ns0:PluginOutputs>
        <ns0:UserOutputs/>
      </ns0:InvokePlugin>
    </ns0:Step>
  </ns0:Steps>
</ns0:WorkFlow>
```
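Because the export above leaves FDANCR_INP_SCAN_FAIL_CONDITION empty, the scan step itself never fails the workflow; the only gate is the review task that FD_REVIEW_REQUIRED and FD_REVIEW_GROUP create. A few settings therefore decide whether that gate actually exists and whether the Anchore credentials stay protected. The script below is an added example, not FlexDeploy or Anchore code: it parses an exported workflow with Python's standard library and reports the findings a reviewer would raise. The embedded SAMPLE_WORKFLOW is a constructed, trimmed copy of the ScanImage export; the check that FDANCR_INP_WAIT_FOR_RESULTS should be true is an assumption about the plugin based on the input's name.

```python
"""Static checks for an exported FlexDeploy pre-deploy scan workflow.

Added example; it is not part of FlexDeploy or the Anchore plugin.
"""
import xml.etree.ElementTree as ET

NS = {
    "wf": "http://flexagon.com/flexdeploy/workflow",
    "c": "http://flexagon.com/flexdeploy/workflow/common",
}

# Constructed sample: a trimmed copy of the ScanImage workflow export.
SAMPLE_WORKFLOW = """<ns0:WorkFlow xmlns:ns1="http://flexagon.com/flexdeploy/workflow/common"
              xmlns:ns0="http://flexagon.com/flexdeploy/workflow">
  <ns1:Name>ScanImage</ns1:Name>
  <ns0:Variables>
    <ns0:Variable>
      <ns1:Name>FD_REVIEW_REQUIRED</ns1:Name>
      <ns1:Type>Boolean</ns1:Type>
      <ns0:returnAsOutput>true</ns0:returnAsOutput>
      <ns1:InitialValue>true</ns1:InitialValue>
    </ns0:Variable>
    <ns0:Variable>
      <ns1:Name>FD_REVIEW_GROUP</ns1:Name>
      <ns1:Type>String</ns1:Type>
      <ns0:returnAsOutput>true</ns0:returnAsOutput>
      <ns1:InitialValue>"FD Administrators"</ns1:InitialValue>
    </ns0:Variable>
  </ns0:Variables>
  <ns0:Steps>
    <ns0:Step>
      <ns1:Name>analyzeImage</ns1:Name>
      <ns0:InvokePlugin>
        <ns0:PluginName>FlexagonAnchorePlugin</ns0:PluginName>
        <ns0:PluginOperation>analyzeImage</ns0:PluginOperation>
        <ns0:PluginInputs>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_PASSWORD</ns0:Name>
            <ns0:Encrypted>true</ns0:Encrypted>
            <ns0:Text>changeme</ns0:Text>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_URL</ns0:Name>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns0:Text>http://yourhost:8228/v1</ns0:Text>
          </ns0:PluginInput>
          <ns0:PluginInput>
            <ns0:Name>FDANCR_INP_WAIT_FOR_RESULTS</ns0:Name>
            <ns0:Encrypted>false</ns0:Encrypted>
            <ns0:Text>true</ns0:Text>
          </ns0:PluginInput>
        </ns0:PluginInputs>
      </ns0:InvokePlugin>
    </ns0:Step>
  </ns0:Steps>
</ns0:WorkFlow>
"""


def _fields(elem):
    """Map each child's local tag name (namespace stripped) to its trimmed text."""
    return {child.tag.rsplit("}", 1)[-1]: (child.text or "").strip() for child in elem}


def check_workflow(xml_text):
    """Return a list of findings; an empty list means every check passed."""
    root = ET.fromstring(xml_text)
    findings = []

    variables = {v.get("Name"): v for v in map(_fields, root.findall("wf:Variables/wf:Variable", NS))}

    # Both variables must exist and be returned as output, or no review task is created.
    req = variables.get("FD_REVIEW_REQUIRED")
    if req is None or req.get("InitialValue", "").lower() != "true" or req.get("returnAsOutput") != "true":
        findings.append("FD_REVIEW_REQUIRED missing, not true, or not returned as output: no review task will be created")
    grp = variables.get("FD_REVIEW_GROUP")
    if grp is None or grp.get("InitialValue", "").strip('"') == "" or grp.get("returnAsOutput") != "true":
        findings.append("FD_REVIEW_GROUP missing or empty: nobody is assigned to approve the scan results")

    for inp in map(_fields, root.iterfind(".//wf:PluginInput", NS)):
        name = inp.get("Name", "")
        text = inp.get("Text", "")
        # Credential-like inputs must be stored encrypted in the workflow definition.
        if any(k in name for k in ("PASSWORD", "SECRET", "TOKEN")) and inp.get("Encrypted") != "true":
            findings.append(f"{name} is stored unencrypted")
        # The Anchore credentials travel to this URL; plain http exposes them on the wire.
        if name.endswith("_URL") and text.lower().startswith("http://"):
            findings.append(f"{name} uses plain http: {text}")
        # Assumption: the review task is only useful if the scan results already exist.
        if name == "FDANCR_INP_WAIT_FOR_RESULTS" and text.lower() != "true":
            findings.append("FDANCR_INP_WAIT_FOR_RESULTS is not true: results may not exist when the review task opens")
    return findings


if __name__ == "__main__":
    for finding in check_workflow(SAMPLE_WORKFLOW):
        print(finding)
```

Run against the sample, the only finding is the plain-http Anchore Engine URL, which is the one change worth making before the workflow leaves a lab: the admin password is encrypted in the definition, but it is still sent to `yourhost:8228` in the clear on every scan. Point the script at a real export (`check_workflow(open(path).read())`) to re-check after someone edits the variables in the UI.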

3. Add the Pre-deploy workflow to your Project

Now we just need to set the pre-deploy workflow on the project.

Now, whenever we deploy, either manually or through a release, we can optionally execute the pre-deploy workflow, and the scan results are held for approval before the deployment proceeds.