You can use Quay.io to automate your container builds, with integration to GitHub, Bitbucket, and more. Robot accounts allow you to lock down automated access and audit each deployment. In these examples, we will use a Quay.io cloud account to store our images which we will build, scan and push to the registry using the CLI.
First, we will docker login into our Quay registry. If you are new to Quay, it is recommended that you complete the tutorial, where you will learn how to generate an encrypted password to use with the Docker CLI.
Run the command below, substituting <QUAY_USER> with your unique Quay.io username and <GUID> with your encrypted password.
docker login -u="<QUAY_USER>" -p="<GUID>" quay.io
Next, from your terminal, navigate to the directory of the goof repo you previously cloned. At the root of this directory you will see a Dockerfile. We will build and tag an image from this Dockerfile using the docker build command as shown below. Again, replace <QUAY_USER> with your username. The tag includes the quay.io registry prefix so that the later docker push resolves to the same image reference.
docker build -t quay.io/<QUAY_USER>/goof .
At this point, you would normally push your image to a registry. However, we will perform one additional and critical step before we do so. We will scan our container image using Snyk to identify vulnerabilities and provide base image recommendations. To do this, we will run the following command in our terminal:
snyk monitor --docker quay.io/<QUAY_USER>/goof \
  --file=submodules/goof/Dockerfile \
  --org=<SNYK_ORG> \
  --project-name=quay-cli-container-image
Let's take a moment and break down what we are doing in the above command. The monitor command will record the state of dependencies and any vulnerabilities to your account on snyk.io so you can later review those results.
Once complete, we are ready to push the image to our Quay registry and will do so by invoking the docker push command as shown below:
docker push quay.io/<QUAY_USER>/goof
Upon successful completion you should see results similar to the following:
We can optionally verify our image was indeed successfully pushed by logging into Quay.io and confirming the appropriate image has been tagged.
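The post runs snyk monitor and then pushes unconditionally; a practitioner would usually want the push gated on the scan result. The following is an added example (not code from the original post or from Snyk) that reads a scan report and decides whether the push may proceed. It assumes the JSON shape emitted by snyk test --docker <image> --json (a top-level "ok" flag and a "vulnerabilities" list with "id", "severity", "packageName" and "version"); the sample report embedded below is constructed.

```python
"""Gate a `docker push` on a Snyk container scan report (added example)."""
import json
import sys
from collections import Counter

# Assumed severity ordering used by Snyk reports.
SEVERITY_RANK = {"low": 0, "medium": 1, "high": 2, "critical": 3}

# Constructed sample of a `snyk test --json` report (not real scan output).
# The same finding appears twice because Snyk reports one entry per
# dependency path; counts are per entry, ids are de-duplicated.
SAMPLE_REPORT = json.dumps({
    "ok": False,
    "vulnerabilities": [
        {"id": "SNYK-EXAMPLE-1", "severity": "high",
         "packageName": "openssl", "version": "1.0.0"},
        {"id": "SNYK-EXAMPLE-2", "severity": "low",
         "packageName": "bash", "version": "4.4"},
        {"id": "SNYK-EXAMPLE-1", "severity": "high",
         "packageName": "openssl", "version": "1.0.0"},
    ],
})


def summarize(report_json):
    """Return (entry counts per severity, set of unique vulnerability ids)."""
    report = json.loads(report_json)
    vulns = report.get("vulnerabilities", [])
    counts = Counter(v.get("severity", "unknown").lower() for v in vulns)
    ids = {v["id"] for v in vulns if "id" in v}
    return counts, ids


def should_push(report_json, threshold="high"):
    """True only if no reported vulnerability is at or above `threshold`."""
    report = json.loads(report_json)
    if report.get("ok") is True:
        return True
    ranks = (SEVERITY_RANK.get(v.get("severity", "").lower(), -1)
             for v in report.get("vulnerabilities", []))
    return max(ranks, default=-1) < SEVERITY_RANK[threshold]


if __name__ == "__main__":
    # Usage: snyk test --docker quay.io/<QUAY_USER>/goof --json | python gate.py
    raw = sys.stdin.read() or SAMPLE_REPORT
    counts, ids = summarize(raw)
    print(f"{len(ids)} unique findings, by severity: {dict(counts)}")
    sys.exit(0 if should_push(raw) else 1)  # non-zero blocks the push step
```

Chaining this before docker push in a script (for example with && on the exit status) means an image with high or critical findings never reaches the registry.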
When we ran snyk monitor against our Dockerfile, we passed two parameters: --org and --project-name. This allowed the results from our CLI to be saved to our Snyk account. A report of the findings is now available by logging into your Snyk account and viewing the imported projects.
To receive base image remediation advice, including major, minor and alternative upgrades as well as advice when you need to rebuild your image, integrate with your preferred Git repository and import the repo that contains the relevant Dockerfile. You also need to add the Dockerfile to the image.
Once complete, you will see recommendations for base image upgrade.