Quickstart: Stay up to date with container image dependency updates and security using Dependabot and Copacetic
In this quickstart guide, we'll walk you through the process to configure and use Dependabot and Copacetic to streamline, maintain, and stay up to date with software dependency updates and enhance container image security in the containers secure supply chain.
These tools will automate the process, ensuring your container images are always current and secure.
In this quickstart, you learn how to:
Update container image dependencies and security using Dependabot. Continuously monitor, scan, and patch container images using Copa.
Prerequisites
- An Azure subscription. If you don't have an Azure subscription, create a free account before you begin.
- The latest version of the Azure CLI installed and configured for your subscription.
- An existing Azure Container Registry (ACR) in your subscription.
Update container image dependencies and security using Dependabot
Dependabot is a tool that automates the process of keeping software dependencies up-to-date. It works by scanning your repository for outdated dependencies and creating pull requests to update them to the latest version. It checks for updates to your dependencies on a daily basis and creates pull requests to update them. You can configure Dependabot to create pull requests for all types of dependencies, including Docker images. We recommend using dependabot to automatically bump dependencies in your Dockerfiles, Kubernetes yaml files, and Helm chart values yaml files to get the latest security patches and reduce security risks.
Use Dependabot with GitHub
- Follow the instructions to set up Dependabot with GitHub here
Use Dependabot with Azure DevOps
- Follow the instructions to configure Dependabot with Azure DevOps:
Grant Permissions by creating a service account with name
YOUR-PROJECT-NAME Build Service (YOUR-ORGANIZATION-NAME)with the following permissions:-Force Push -Contribute to pull requests -Create branch
Configure Dependabot by adding a
dependabotconfiguration file similar to this example:version: 2 updates: - package-ecosystem: "docker" directory: "/" assignees: - "dependabot"
Create an Azure DevOps Pipeline by adding an
azure-pipeline.yamlfile with the following content:schedules: - cron: '0 14 * * *' displayName: 'Every day at 7am PST' branches: include: [main] always: true trigger: none jobs: - job: steps: - script: | git clone https://github.com/dependabot/dependabot-core.git cd dependabot-core DOCKER_BUILDKIT=1 docker build \ --build-arg "USER_UID=$(id -u)" \ --build-arg "USER_GID=$(id -g)" \ -t "dependabot/dependabot-core" . cd .. displayName: build dependabot-core Docker image - script: | git clone https://github.com/dependabot/dependabot-script.git cd dependabot-script docker run -v "$(pwd):/home/dependabot/dependabot-script" -w /home/dependabot/dependabot-script dependabot/dependabot-core bundle install -j 3 --path vendor displayName: install dependencies - script: | #!/bin/bash SYSTEM_COLLECTIONURI_TRIM=`echo "${SYSTEM_COLLECTIONURI:22}"` PROJECT_PATH="$SYSTEM_COLLECTIONURI_TRIM$SYSTEM_TEAMPROJECT/_git/$BUILD_REPOSITORY_NAME" echo "path: $PROJECT_PATH" docker run -v "$(pwd)/dependabot-script:/home/dependabot/dependabot-script" \ -w '/home/dependabot/dependabot-script' \ -e AZURE_ACCESS_TOKEN=$(System.AccessToken) \ -e PACKAGE_MANAGER=docker \ -e PROJECT_PATH=$PROJECT_PATH \ -e DIRECTORY_PATH=/ \ -e OPTIONS="$OPTIONS" \ dependabot/dependabot-core bundle exec ruby ./generic-update-script.rb displayName: "run dependabot" env: OPTIONS: | { "kubernetes_updates": true }
Run the pipeline Create and verify new ADO pipeline from above
azure-pipelines.yamlfile.
Currently Dependabot supports updating container image dependencies in various scenarios, including Dockerfile, Kubernetes YAML, and Helm values.yaml. When specifying images in your configuration files, you can follow this syntax:
-Dockerfile -Kubernetes YAML -Helm values.yaml
Note
The syntax allows Dependabot to identify and update container image dependencies within your configuration files, ensuring that you stay up-to-date with the latest versions and security patches.
# Dockerfile
foo:
image:
repository: sql/sql
tag: 1.2.3
registry: docker.io
# Helm values.yaml
foo:
image:
repository: sql/sql
tag: 1.2.3
registry: docker.io
Alternatively, for Helm values.yaml, you can use the version field to specify the image version:
foo:
image:
repository: sql/sql
version: 1.2.3
Continuously monitor, scan, and patch container images using Copacetic
Copacetic (copa) is a Microsoft-backed CNCF open-source project that directly patches Linux OS package vulnerabilities in container images given the vulnerability scanning results from popular scanner tools. Copacetic allows to patch containers quickly without going upstream for a full rebuild. This will help the container images to quickly redeploy into production. Copacetic is only for Linux OS vulnerabilities. For app-level vulnerabilities, patches must be done before the image is built.
Use Copacetic
Follow the quick start guide to begin using Copa.
Sample ADO Pipeline:
-You can find a sample Azure DevOps pipeline for using Copa here.
Copa can also be integrated into Github Actions workflows to patch image vulnerabilities using the Copacetic Action. This action patches a set of designated images for a repository using their associated vulnerability reports.