This extension builds a container image from a Dockerfile and performs a
container image scan to detect vulnerabilities. Once the scan is complete,
it generates a report and uploads it to the AccuKnox control plane. The extension
can be configured with specific inputs to integrate seamlessly with your DevSecOps
pipeline.

To generate the token, open the AccuKnox UI, navigate to settings > tokens,
and click the create button.
Give your token a name and set the expiry date according to your needs.
Click on the generate button.
Copy and note down the tenant id and token.
Store the token as a secret in Azure DevOps.

Input values

| Input Value | Required | Default Value | Description |
|---|---|---|---|
| dockerfile | Yes | Dockerfile | Dockerfile path, e.g. Dockerfile or image/Dockerfile |
| imageName | Yes | None | Name of the Docker image that you want to scan. This name is also shown in the AccuKnox control plane. |
| qualityGate | No | false | Quality gate threshold for the container scan, e.g. 'UNKNOWN,LOW,MEDIUM,HIGH,CRITICAL'. The quality gate fails the pipeline when a vulnerability of a specified severity is detected. Multiple comma-separated values are allowed. |
| accuknoxEndpoint | Yes | None | AccuKnox API endpoint for sending the report, e.g. cspm.demo.accuknox.com, cspm.accuknox.com |
| accuknoxTenantId | Yes | None | Your AccuKnox tenant ID. You can see your tenant ID while creating an AccuKnox token. |
| accuknoxToken | Yes | None | AccuKnox API token. |
| accuknoxLabel | Yes | None | AccuKnox label to group similar findings together. |

How it Works
Container Image Scan: The extension builds a container image from the specified
Dockerfile and scans it to detect vulnerabilities.
Report Generation: Once the scan is complete, it generates a report.
Report Upload: The generated report is uploaded to the AccuKnox CSPM panel for
centralized monitoring and insights.
Quality Gate Check: Verifies if the project meets the set quality standards
provided via the qualityGate parameter.
Notes
Ensure all necessary secrets are securely stored in an Azure DevOps variable group.
The AccuKnox control plane provides a centralized view of all container image scan results,
enabling detailed security monitoring and analytics.
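
The pipeline below is an added example, not taken from the AccuKnox documentation, showing how the inputs listed above can be fed from a variable group so the token never appears in the pipeline file. The task reference is a placeholder, and the variable group name, variable names, image name and label are assumptions.

```yaml
# Added example. Assumptions: the variable group "accuknox-secrets", the
# variable names inside it, the image name and the label are made up.
trigger:
  - main

pool:
  vmImage: ubuntu-latest

variables:
  # Variable group holding ACCUKNOX_TENANT_ID and ACCUKNOX_TOKEN.
  # Mark ACCUKNOX_TOKEN as a secret in the group so it is masked in logs.
  - group: accuknox-secrets

steps:
  # Placeholder: replace with the task name and version shown for the
  # installed extension in your Azure DevOps organization.
  - task: <ACCUKNOX_CONTAINER_SCAN_TASK>
    inputs:
      dockerfile: Dockerfile                    # path relative to the repository root
      imageName: example-app                    # name shown in the AccuKnox control plane
      accuknoxEndpoint: cspm.demo.accuknox.com  # one of the endpoints listed above
      accuknoxTenantId: $(ACCUKNOX_TENANT_ID)   # resolved from the variable group
      accuknoxToken: $(ACCUKNOX_TOKEN)          # secret, never written in plain text
      accuknoxLabel: example-label
      qualityGate: CRITICAL,HIGH                # fail the pipeline on these severities
```

Leaving `qualityGate` at its default of `false` uploads the report without failing the pipeline.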