This repository shows an example of building a container image in Cloud Build while using Google Cloud's On-Demand Scanning to scan the Docker image for vulnerabilities and fail the build when it is not clean.
- A Google Cloud project
- The gcloud CLI installed
- A GitHub account
- The following APIs enabled in the GCP project: Cloud Build, Container Registry, On-Demand Scanning, and Artifact Registry:

```sh
gcloud services enable cloudbuild.googleapis.com \
  containerregistry.googleapis.com \
  ondemandscanning.googleapis.com \
  artifactregistry.googleapis.com
```

- Grant the Cloud Build service account permission to run on-demand scanning (replace `<project_id>` and `<project_number>` with your own values):

```sh
gcloud projects add-iam-policy-binding <project_id> \
  --member="serviceAccount:<project_number>@cloudbuild.gserviceaccount.com" \
  --role="roles/ondemandscanning.admin"
```
- Fork the following repository: pso-infra-cicd-docker-scan-demo
- Install the Google Cloud Build GitHub app (https://cloud.google.com/build/docs/automating-builds/build-repos-from-github#installing_gcb_app) and skip the "add trigger" part.
- Create two Cloud Build triggers from the repository: `test-image` runs `cloudbuild_test.yaml` on pull requests whose base branch is `main`, and `deploy-image` runs `cloudbuild_deploy.yaml` on pushes to `main`. Note: replace REPOSITORYOWNER with your GitHub username:
```sh
gcloud beta builds triggers create github \
  --name=test-image \
  --repo-name=pso-infra-cicd-docker-scan-demo \
  --repo-owner=REPOSITORYOWNER \
  --pull-request-pattern=^main$ \
  --build-config=cloudbuild_test.yaml \
  --comment-control=COMMENTS_ENABLED_FOR_EXTERNAL_CONTRIBUTORS_ONLY

gcloud beta builds triggers create github \
  --name=deploy-image \
  --repo-name=pso-infra-cicd-docker-scan-demo \
  --repo-owner=REPOSITORYOWNER \
  --branch-pattern=^main$ \
  --build-config=cloudbuild_deploy.yaml
```
- Create an Artifact Registry repository for the built images:

```sh
gcloud artifacts repositories create web-build-repo --repository-format=docker \
  --location=us-central1 --description="Repository for scan and build"
```

- Clone your fork of the repository, i.e.:

```sh
git clone <repo url>
```

- Create a branch:

```sh
git checkout -b test-deploy
```

- Add the following Dockerfile:

```sh
cat << EOF > Dockerfile
FROM httpd:alpine
EOF
```

- Commit and push the change to your repository:

```sh
git add --all
git commit -m "submitting a container for deployment"
git push origin test-deploy
```

- From the GitHub console create a pull request; make sure the base is the `main` branch of your own fork, not the upstream repository you forked from.
- The `test-image` build should fail: the on-demand scan reports vulnerabilities in the image.
- Add the patch (upgrade the vulnerable `apr` package in the image):

```sh
echo "RUN apk add --upgrade apr" >> Dockerfile
```

- Commit the change to the branch:

```sh
git add --all
git commit -m "Patching container"
git push origin test-deploy
```

- Verify the `test-image` build now passes.
- Merge the pull request into `main`; the `deploy-image` trigger should run and push the image to Artifact Registry.
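The repository's `cloudbuild_test.yaml` is not reproduced on this page, so the following is an added example, not the project's own build config, of the severity gate such a test step performs. It uses the documented `gcloud artifacts docker images scan` / `list-vulnerabilities` commands and the `effectiveSeverity` values Artifact Analysis reports (CRITICAL, HIGH, MEDIUM, LOW, MINIMAL, SEVERITY_UNSPECIFIED); the function names, the `IMAGE` and `THRESHOLD` environment variables, and the two sample severity lists are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not the repository's cloudbuild_test.yaml): gate a build on
# On-Demand Scanning results. The real scan runs only when IMAGE is set;
# otherwise the gate is exercised against constructed sample data.

# Rank a severity name so it can be compared against a threshold.
severity_rank() {
  case "$1" in
    CRITICAL) echo 4 ;;
    HIGH)     echo 3 ;;
    MEDIUM)   echo 2 ;;
    LOW)      echo 1 ;;
    *)        echo 0 ;;   # MINIMAL / SEVERITY_UNSPECIFIED / unknown: never blocks
  esac
}

# gate_severities THRESHOLD  (severity names on stdin, one per line)
# Returns 1 when any finding is at or above THRESHOLD, 0 otherwise.
gate_severities() {
  threshold_rank=$(severity_rank "$1")
  blocking=0
  while IFS= read -r sev; do
    if [ -z "$sev" ]; then continue; fi
    if [ "$(severity_rank "$sev")" -ge "$threshold_rank" ]; then
      blocking=$((blocking + 1))
    fi
  done
  if [ "$blocking" -gt 0 ]; then
    echo "Failed vulnerability check: $blocking finding(s) at or above $1" >&2
    return 1
  fi
  echo "Vulnerability check passed"
  return 0
}

# scan_and_gate IMAGE THRESHOLD
# Runs the real on-demand scan (needs gcloud, the ondemandscanning API and the
# roles/ondemandscanning.admin binding from the setup steps) and gates on it.
# Add --remote to the scan command to scan an image already in a registry
# instead of one in the local Docker daemon.
scan_and_gate() {
  scan=$(gcloud artifacts docker images scan "$1" --format='value(response.scan)') || return 1
  gcloud artifacts docker images list-vulnerabilities "$scan" \
    --format='value(vulnerability.effectiveSeverity)' | gate_severities "$2"
}

# Constructed sample data standing in for list-vulnerabilities output:
# an unpatched httpd:alpine-style result and the result after upgrading the package.
SAMPLE_BEFORE_PATCH='HIGH
MEDIUM
LOW
CRITICAL'
SAMPLE_AFTER_PATCH='MEDIUM
LOW'

# gate_result SEVERITIES THRESHOLD -> prints "pass" or "fail" (never exits non-zero).
gate_result() {
  if printf '%s\n' "$1" | gate_severities "$2" >/dev/null 2>&1; then
    echo pass
  else
    echo fail
  fi
}

if [ -n "${IMAGE:-}" ]; then
  scan_and_gate "$IMAGE" "${THRESHOLD:-HIGH}"
else
  echo "before patch: $(gate_result "$SAMPLE_BEFORE_PATCH" HIGH)"
  echo "after patch:  $(gate_result "$SAMPLE_AFTER_PATCH" HIGH)"
fi
```

In a Cloud Build step this script would run right after the `docker build` step with `IMAGE` set to the freshly built tag, so a non-zero exit from `gate_severities` fails the build and blocks the merge; the threshold is a policy choice, and lowering it to MEDIUM would make the patched sample fail too.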