Configure STO to Download Images from a Private Registry
Harness maintains its own set of scan images for STO-supported scanners. By default, a Harness pipeline build pulls scan images from Docker Hub.
This topic describes how to override the default behavior and use a private registry instead. You can download the scan images you need, perform your own security checks on the images, upload them to a private registry, and then set up your STO steps to download images from this registry.
Create STO scanner images with your own SSL certificates (optional)
Harness STO supports three workflows for running scans with custom certificates.
In this workflow, you set up your STO scan images and pipelines to run scans as non-root and establish trust for your own proxies using self-signed certificates. This workflow supports any STO-compatible scanner that can run natively without root access. This workflow also supports build environments that use a self-signed proxy server between the Harness Delegate and Harness Manager.
Running container image scans as a non-root user is not currently supported.
Save a copy of the following Dockerfile into a folder along with the certificates you want to copy to the image.
Update the
FROM
,COPY
, andUSER
commands as described in the Dockerfile comments.Build the new image and then publish it to your private registry.
Update the scan step in your pipeline as follows:
- Update the Image setting to point to the new image in your registry.
- If you specified a
USER
in your Dockerfile, set the Run as User (runAsUser
) setting to the user you specified in your Dockerfile.
Dockerfile template for adding certificates to an STO scanner image
# STEP 1
# Specify the STO scanner image where you want to add your certificates
# For a list of all images in the Harness Container Registry, run the following:
# curl -X GET https://app.harness.io/registry/_catalog
FROM harness/twistlock-job-runner:latest as scanner
# FYI Root access is required to load and trust certificates
USER root
# STEP 2
# Copy your certificates to the engine
# You can copy multiple ca from completely different paths into SHARE_CA_PATH
COPY ./CERTIFICATE_1.pem ../another-folder/CERTIFICATE_2.pem /shared/customer_artifacts/certificates/
# FYI establishes trust for certificates in Python and the OS
RUN sto_plugin --trust-certs
# Optional: To trust certificates for Java for tools such as
# - Black Duck Hub
# - Checkmarx
# - Sonarqube
# - Veracode
# - NexusIQ
# RUN sh /bin/setup.sh
# STEP 3 (optional)
# Create a user and assume limited permission user
# If you set this, you need to add runAsUser setting in the scan step
# i.e., runAsUser: "1000"
USER 1000
Workflow description
Download the scan images you need, test and validate the images, and store them in your private registry.
noteDo not change the image names in your private registry. The image names must match the names specified by Harness.
Harness maintains a Container Image Registry that is dedicated exclusively to hosting Harness-supported images. You can download your scan images from this registry instead of Docker Hub. To view the list of images in this registry, enter the following command:
curl -X GET https://app.harness.io/registry/_catalog
You can also set up your CI pipelines to download build images from this registry instead of Docker Hub.
For each Security Scan step, add these settings:
runner_registry_domain
— The URL of the Docker registry where the images are stored.The supported format is
<_domain_>/<_directory_>
(such as,app.harness.io/registry
).Do not include the scheme (such as
http://
orhttps://
).runner_registry_image_prefix : harness
— Do not change this setting.runner_registry_username
— As neededrunner_registry_token
— As needed
If you need to use a proxy server, you must also specify the following:
http_proxy
— The hostname and port to use for proxied HTTP requestshttps_proxy
— The hostname and port to use for proxied HTTPS requestsno_proxy
— A comma-separated list of hosts to bypass the proxy
YAML example
The following pipeline downloads its Security Scan image (bandit) and all of its CI build images from the Harness Image Registry.
pipeline:
projectIdentifier: my_project
orgIdentifier: my_org
tags: {}
properties:
ci:
codebase:
connectorRef: $GITHUB_CONNECTOR
repoName: dvpwa
build: <+input>
stages:
- stage:
name: securityTestStage
identifier: securityTestStage
type: CI
spec:
cloneCodebase: true
sharedPaths:
- /var/run
infrastructure:
type: KubernetesDirect
spec:
connectorRef: $K8S_CONNECTOR
namespace: harness-delegate-ng
automountServiceAccountToken: true
nodeSelector: {}
harnessImageConnectorRef: account.harnessImage
os: Linux
execution:
steps:
- step:
type: Background
name: docker-dind
identifier: dockerdind
spec:
connectorRef: $DOCKERHUB_CONNECTOR
image: docker:dind
shell: Sh
privileged: true
- step:
type: Security
name: banditScan
identifier: banditScan
spec:
privileged: true
settings:
policy_type: orchestratedScan
scan_type: repository
product_name: bandit
product_config_name: default
repository_branch: <+codebase.branch>
repository_project: dvpwa
fail_on_severity: CRITICAL
runner_registry_domain: app.harness.io/registry
runner_registry_image_prefix: harness
# Here the Harness delegate downloads from the
# Harness Image Registry rather than a private registry.
# Username and token are undefined.
variables: []
identifier: STO_Tutorial_1
name: STO Tutorial 1