add non root option to pr-merged and to docs

aquasecurity · Sep 20, 2023 · 68feb14 · 68feb14
1 parent c6401db
commit 68feb14
Show file tree

Hide file tree

Showing 2 changed files with 42 additions and 0 deletions.
diff --git a/.github/workflows/pr-merged.yml b/.github/workflows/pr-merged.yml
@@ -35,8 +35,21 @@ jobs:
         docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64 aquasec/aqua-scanner:latest-arm64
         docker push aquasec/aqua-scanner:latest-arm64
         
+        docker pull aquasec/aqua-scanner:${{ env.new_version }}-amd64-nonroot
+        docker tag aquasec/aqua-scanner:${{ env.new_version }}-amd64-nonroot aquasec/aqua-scanner:latest-amd64-nonroot
+        docker push aquasec/aqua-scanner:latest-amd64-nonroot
+        
+        docker pull aquasec/aqua-scanner:${{ env.new_version }}-arm64-nonroot
+        docker tag aquasec/aqua-scanner:${{ env.new_version }}-arm64-nonroot aquasec/aqua-scanner:latest-arm64-nonroot
+        docker push aquasec/aqua-scanner:latest-arm64-nonroot
+
+
+
         docker manifest create aquasec/aqua-scanner:latest aquasec/aqua-scanner:latest-amd64 aquasec/aqua-scanner:latest-arm64
         docker manifest push aquasec/aqua-scanner:latest
+        
+        docker manifest create aquasec/aqua-scanner:latest-nonroot aquasec/aqua-scanner:latest-amd64-nonroot aquasec/aqua-scanner:latest-arm64-nonroot
+        docker manifest push aquasec/aqua-scanner:latest-nonroot
     - name: DockerHub description update
       uses: peter-evans/dockerhub-description@v3
       with:

diff --git a/README-dockerhub.md b/README-dockerhub.md
@@ -145,6 +145,35 @@ podman run --rm \
 
 When working within CI environment, it's important to include the Source Code Management (SCM) tokens for pull requests. You can find additional guidance and details on this matter within our platform for your reference about each SCM.
 
+# aqua-scanner nonroot Tag
+
+We provide a dedicated nonroot tag, for running the aqua-scanner on a nonroot user.
+
+## Running nonroot tag on Azure DevOps pipeline
+
+To use this tag effectively in Azure DevOps Pipelines, follow the steps below ([Azure documentation](This README provides guidance on how to use the Docker Hub nonroot User Tag in Azure DevOps Pipelines to run containers with reduced privileges.)). 
+
+## Add user 0 option to the container options
+```shell
+trigger:
+  - main
+
+container:
+  image: aquasec/aqua-scanner:nonroot
+  options: -u 0
+  env:
+    AQUA_KEY: $(AQUA_KEY)
+    AQUA_SECRET: $(AQUA_SECRET)
+    AZURE_TOKEN: $(AZURE_TOKEN)
+    TRIVY_RUN_AS_PLUGIN: aqua
+steps:
+- checkout: self
+  fetchDepth: 0
+- script: |
+    trivy fs --scanners config,vuln,secret .
+  displayName: Aqua scanner
+```
+
 ## Compatibility
 The plugin is designed for Docker environments and is compatible with Linux containers.