Reputation: 21
This is my first time working with Trivy and Clair on Azure DevOps using a self-hosted agent, and I just tried this pipeline that I found on GitHub:
name: $(BuildDefinitionName)_$(date:yyyyMMdd)_$(BuildID)$(rev:.r)
resources:
- repo: self
variables:
  image_name: openjdk
  image_tag: 17-jdk-slim
jobs:
- job: TrivyScanContainerImage
  displayName: Scan container image by Trivy
  steps:
  - script: |
      mkdir report
      trivy image -s HIGH,CRITICAL $(image_name):$(image_tag) | tee ./report/trivy-image-scan-report.txt
    displayName: "Image scan by Trivy"
    continueOnError: true
  - publish: ./report
    artifact: ImageScans
    displayName: Publish Clair Scan Report
    condition: always()
I want to know how to make it work for multiple containers.
Upvotes: 0
Views: 330
Reputation: 13944
You can use a parameter to pass multiple images like as below.
name: $(BuildDefinitionName)_$(date:yyyyMMdd)_$(BuildID)$(rev:.r)
parameters:
- name: images
  type: object
  default:
    img1: tag1
    img2: tag2
    img3: tag3
jobs:
- job: TrivyScanContainerImage
  displayName: Scan container image by Trivy
  steps:
  - ${{ each image in parameters.images }}:
    - script: |
        mkdir -p report   # -p: the folder already exists from the second image on
        trivy image -s HIGH,CRITICAL ${{ image.Key }}:${{ image.Value }} | tee ./report/trivy-image-scan-report-${{ image.Key }}_${{ image.Value }}.txt
      displayName: 'Image scan by Trivy - ${{ image.Key }}:${{ image.Value }}'
      continueOnError: true
  - publish: ./report
    artifact: ImageScans
    displayName: 'Publish Clair Scan Report'
    condition: always()
This way, in the same job, it will generate a copy of the "Image scan by Trivy" step for each image, scanning it and writing its scan report file into the report folder. Then one "Publish Clair Scan Report" step publishes all the reports.
Upvotes: 0
Reputation: 18094
Instead of using variables, you can declare a parameter containing an array of images to scan and then use a loop to generate a job for each one.
Example:
name: $(BuildDefinitionName)_$(date:yyyyMMdd)_$(BuildID)$(rev:.r)
parameters:
- name: containerImages
  displayName: 'Container images to scan'
  type: object
  default:
  - name: openjdk
    tag: 17-jdk-slim
  - name: alpine
    tag: 3.14
  - name: nginx
    tag: latest
jobs:
- ${{ each image in parameters.containerImages }}:
  - job: scan_${{ image.name }} # must be unique, and contain 'a-zA-Z0-9_' characters only
    displayName: "Scan ${{ image.name }}:${{ image.tag }}"
    steps:
    # other tasks here
    - script: |
        mkdir -p report   # each job starts in a fresh working directory
        trivy image -s HIGH,CRITICAL ${{ image.name }}:${{ image.tag }} | tee ./report/trivy-image-scan-report.txt
      displayName: "Scan ${{ image.name }}:${{ image.tag }} with Trivy"
      continueOnError: true
    # other tasks here
Running the pipeline:
Upvotes: 0
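A script-step body that either answer's pipeline could call in place of the inline trivy line, added here as an example and not taken from the question or the answers: it writes one report per image under a filename that is safe for any image reference (registry, slashes, tags), keeps Trivy's own exit status instead of letting `tee` hide it, and fails the step only after every image has been scanned. `TRIVY` and `REPORT_DIR` are assumed environment overrides; `--severity` and `--exit-code` are real Trivy flags.

```shell
#!/bin/sh
# Added example: scan several images with Trivy from one script step, writing
# one report per image and failing the step only after every image was scanned.
# TRIVY and REPORT_DIR are assumed overrides (point TRIVY at a stub to test).
set -u
TRIVY="${TRIVY:-trivy}"
REPORT_DIR="${REPORT_DIR:-./report}"

# Map an image reference such as "ghcr.io/org/app:1.2" to a name that is safe
# both as a filename and as an Azure job id (only [A-Za-z0-9_] survive).
safe_name() {
  printf '%s' "$1" | tr -c 'A-Za-z0-9_\n' '_'
}

# Scan one image; the report lands in $REPORT_DIR/trivy-<safe name>.txt.
# Output is captured to the file and then echoed rather than piped through tee,
# because "trivy ... | tee" would yield tee's exit status, not Trivy's.
# With --exit-code 1, Trivy returns 1 when HIGH/CRITICAL findings exist.
scan_image() {
  img="$1"
  out="$REPORT_DIR/trivy-$(safe_name "$img").txt"
  "$TRIVY" image --severity HIGH,CRITICAL --exit-code 1 "$img" > "$out" 2>&1
  rc=$?
  cat "$out"
  return "$rc"
}

# Scan every image passed as an argument. A failing image does not stop the
# loop; the images with findings are listed and 1 is returned at the end.
scan_images() {
  failed=""
  mkdir -p "$REPORT_DIR"
  for ref in "$@"; do
    scan_image "$ref" || failed="$failed $ref"
  done
  if [ -n "$failed" ]; then
    printf 'Images with HIGH/CRITICAL findings:%s\n' "$failed" >&2
    return 1
  fi
  return 0
}

# Run only when image references are given, e.g.
#   sh scan.sh openjdk:17-jdk-slim alpine:3.14 nginx:latest
if [ "$#" -gt 0 ]; then
  scan_images "$@"
fi
```

Because the step's exit status now reflects the findings, `continueOnError: true` can be dropped and the `publish` step kept on `condition: always()` so the reports are still uploaded when the scan fails.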