AccuKnox container scan Azure DevOps extension

Learn more about AccuKnox

Description

This extension performs a container image scan to detect vulnerabilities. Once the scan is complete it generates a report and uploads it to the AccuKnox control plane. The extension can be configured with specific inputs to integrate seamlessly with your DevSecOps pipeline.

How to use it?

1. Add the following task into your pipeline:

- task: AccuKnox-container-scan@1
  inputs:
    imageName: my-image
    tag: test
    inputSoftFail: true
    accuknoxEndpoint: $(accuknoxEndpoint)
    accuknoxTenantId: $(accuknoxTenantId)
    accuknoxToken: $(accuknoxToken)
    accuknoxLabel: $(accuknoxLabel)

2. Generate the AccuKnox API token:

For generating the token, open up the AccuKnox UI. And navigate to the settings > tokens and click on the create button.

Give your token a name and set the expiry date according to your needs. Click on the generate button.

Copy and note down the tenant id and token.

Store the token as a secret in Azure DevOps.

Input values

Input Value	Required	Default Value	Description
imageName	Yes	None	Name of the Docker image that you want to scan. This name will also reflect in the AccuKnox control plane.
tag	Yes	BUILD_BUILDNUMBER	Docker image tag
severity	No	false	Severity threshold for container scan. eg. 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'. Soft Fail input help you to fail the pipeline on detecting the vulnerability of specified severity. You can also have multiple comma separated values.
accuknoxEndpoint	Yes	None	AccuKnox API endpoint for sending the report. eg. cspm.demo.accuknox.com
accuknoxTenantId	Yes	None	Your AccuKnox tenant ID. You can see your tenant ID while creating an AccuKnox token.
accuknoxToken	Yes	None	AccuKnox API token.
accuknoxLabel	Yes	None	AccuKnox label to group similar findings together.
inputSoftFail	No	false	Fail the pipeline on detecting findings of specified severities.

How it Works

• Container Image Scan: The extension performs the scan to detect the vulnerabilities.
• Report Generation: Once the scan is complete it generates a report.
• Report Upload: The generated report is uploaded to the AccuKnox CSPM panel for centralized monitoring and insights.
• Quality Gate Check: Verifies if the project meets the set quality standards provided via the inputSoftFail parameter.

Notes

• Ensure all necessary secrets are securely stored in an Azure DevOps variable group.
• AccuKnox control plane provides a centralized view of all container image scan results, enabling detailed security monitoring and analytics.