Yandex project
© 2025 Yandex.Cloud LLC
Automatic Docker image scans on push using the management console, CLI, and API

Written by
Yandex Cloud
Updated at May 26, 2025
  • Getting started
    • Required paid resources
  • Prepare the environment
  • Create a function
  • Create a trigger
  • Push the Docker image
  • Check the result
  • How to delete the resources you created

Note

You can enable automatic vulnerability scans of Docker images on push to Yandex Container Registry in the vulnerability scanner settings, without creating any Yandex Cloud Functions functions or triggers.

To configure automatic vulnerability scans of Docker images on push to Yandex Container Registry:

  1. Prepare your cloud.
  2. Prepare the environment.
  3. Create a function.
  4. Create a trigger.
  5. Push the Docker image.
  6. Check the result.

If you no longer need the resources you created, delete them.

Getting started

Sign up for Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

Required paid resources

The infrastructure support costs include:

  • Fee for storing a Docker image in the registry, for vulnerability scanning, and for outgoing traffic (see Yandex Container Registry pricing).
  • Fee for invoking functions (see Yandex Cloud Functions pricing).

Prepare the environment

If you do not have the Yandex Cloud CLI yet, install and initialize it.

  1. Install and configure Docker.

  2. Create a registry to push a Docker image to.

    Management console:

    1. In the management console, select the folder to create a registry in.
    2. In the list of services, select Container Registry.
    3. Click Create registry.
    4. Specify a name for the registry.
    5. Click Create registry.

    CLI:

    Run this command:

    yc container registry create --name my-reg

    Result:

    done
    id: crpd50616s9a********
    folder_id: b1g88tflru0e********
    name: my-reg
    status: ACTIVE
    created_at: "2019-01-09T14:34:06.601Z"

    API:

    Use the create method for the Registry resource.

  3. Create a service account named scanner and assign it the container-registry.images.scanner role for the folder where you created the registry. This role is limited to running scans and viewing their results, so the function that uses it gets no permission to pull, push, or delete images.

    Management console:

    1. In the management console, select the folder where you want to create the service account.
    2. At the top of the screen, go to the Service accounts tab.
    3. Click Create service account.
    4. Enter the name scanner.
    5. Click Add role and select the container-registry.images.scanner role.
    6. Click Create.

    CLI:

    1. Create a service account:

      yc iam service-account create --name scanner

      Result:

      id: ajelabcde12f********
      folder_id: b0g12ga82bcv********
      created_at: "2021-05-17T14:32:18.900092Z"
      name: scanner

    2. Assign the role to the service account:

      yc resource-manager folder add-access-binding <folder_ID> \
        --role container-registry.images.scanner \
        --subject serviceAccount:<service_account_ID>

    API:

    Use the create method for the ServiceAccount resource and the updateAccessBindings method for the Folder resource.

  4. Repeat the steps to create a service account named invoker and assign it the functions.functionInvoker role for the folder where you created the registry.

Create a function

In Cloud Functions, create a function named scan-on-push that will run the Docker image scan:

Management console:

  1. In the management console, select the folder where you want to create a function.
  2. Select Cloud Functions.
  3. Click Create function.
  4. Enter a name, e.g., scan-on-push, and a description for the function.
  5. Click Create.
  6. Go to Editor and create a version of the function:
    1. Under Function code:
      • Select the Bash runtime environment and click Continue.

      • Select how you want to edit the function: Code editor.

      • In the function edit window, click Create file. In the window that opens, enter handler.sh as the file name and click Create.

      • Copy the following code to the handler.sh file:

        # Read the trigger event from stdin and take the details of its first message
        DATA=$(cat | jq -sr '.[0].messages[0].details')
        ID=$(echo "$DATA" | jq -r '.image_id')
        NAME=$(echo "$DATA" | jq -r '.repository_name')
        TAG=$(echo "$DATA" | jq -r '.tag')
        echo "requesting scan of ${NAME}:${TAG} (image ${ID})" 1>&2
        # Start the scan asynchronously; stdout is redirected to stderr so it lands in the function logs, not in the response
        yc container image scan --id "${ID}" --async 1>&2

      • Specify the entry point: handler.sh.

    2. Under Parameters, specify:
      • Timeout: 60
      • Memory: 128 MB
      • Service account: scanner
    3. Click Save changes.

CLI:

  1. Create a function named scan-on-push:

    yc serverless function create --name=scan-on-push

    Result:

    id: d4ejb1799eko********
    folder_id: aoek49ghmknn********
    created_at: "2021-05-17T14:07:32.134Z"
    name: scan-on-push
    log_group_id: eolm8aoq9vcp********
    http_invoke_url: https://functions.yandexcloud.net/d4ejb1799eko********
    status: ACTIVE

  2. Create the handler.sh file and paste the following code into it:

    # Read the trigger event from stdin and take the details of its first message
    DATA=$(cat | jq -sr '.[0].messages[0].details')
    ID=$(echo "$DATA" | jq -r '.image_id')
    NAME=$(echo "$DATA" | jq -r '.repository_name')
    TAG=$(echo "$DATA" | jq -r '.tag')
    echo "requesting scan of ${NAME}:${TAG} (image ${ID})" 1>&2
    # Start the scan asynchronously; stdout is redirected to stderr so it lands in the function logs, not in the response
    yc container image scan --id "${ID}" --async 1>&2

  3. Create a version of the scan-on-push function:

    yc serverless function version create \
      --function-name=scan-on-push \
      --runtime bash \
      --entrypoint handler.sh \
      --memory 128m \
      --execution-timeout 60s \
      --source-path handler.sh \
      --service-account-id <service_account_ID>

    Where:

    • --function-name: Name of the function whose version you want to create.
    • --runtime: Runtime environment.
    • --entrypoint: Entry point. For the Bash runtime this is the script file name, handler.sh; for other runtimes it has the <function_file_name>.<handler_name> format.
    • --memory: Amount of RAM.
    • --execution-timeout: Maximum function running time before the timeout is reached.
    • --source-path: File with the function code.
    • --service-account-id: ID of the scanner service account; the yc command inside the function runs with this account's permissions.

    Result:

    done (1s)
    id: d4egi3pmsd1q********
    function_id: d4e275oj7jtp********
    ...
    tags:
    - $latest
    log_group_id: ckg6nb0c7uf1********

API:

Use the create and the createVersion methods for the Function resource.
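The handler above takes only the first message of the event and passes the image_id it finds straight to the yc command line. The following hardened variant is an added example (not Yandex Cloud's code): it handles every message in the event, accepts an image_id only if it looks like a registry ID (the 20-character lowercase alphanumeric form of the sample IDs on this page, which is an assumption), logs and skips anything else, and ends with a local dry run against a constructed event and a stub yc. In a deployed handler.sh the last three lines are replaced by `scan_from_event "$(cat)"`; jq and yc are the tools the Bash runtime already provides.

```shell
#!/bin/sh
# Added example: hardened variant of the page's handler.sh, not Yandex Cloud's code.
# Event shape is the one the page's handler reads: {"messages":[{"details":{"image_id":...}}]}.
set -eu

# Image IDs on this page look like "crpd50616s9a********": assume 20 lowercase alphanumerics.
ID_RE='^[a-z0-9]{20}$'

# extract_image_ids EVENT_JSON
# Prints one validated image_id per line. Every message is handled, not only
# messages[0]; anything not matching ID_RE is logged and skipped so a forged
# field can never reach the yc command line.
extract_image_ids() {
  printf '%s' "$1" \
    | jq -r '.messages[]? | .details | select(. != null) | .image_id // empty' \
    | while IFS= read -r id; do
        if printf '%s\n' "$id" | grep -Eq "$ID_RE"; then
          printf '%s\n' "$id"
        else
          printf 'handler: skipping malformed image_id %s\n' "$id" >&2
        fi
      done
}

# scan_from_event EVENT_JSON
# Requests an asynchronous scan for each valid image and prints the number of
# scans requested. YC can point at a stub function for a local dry run.
scan_from_event() {
  ids=$(extract_image_ids "$1")
  n=0
  for id in $ids; do
    # yc output goes to stderr: in the Bash runtime stdout is the function response
    "${YC:-yc}" container image scan --id "$id" --async 1>&2
    n=$((n + 1))
  done
  echo "$n"
}

# Constructed sample event (not captured from a real trigger): one valid image
# and one forged message whose image_id is a shell injection attempt.
SAMPLE_EVENT='{"messages":[
  {"details":{"registry_id":"crp0000000000000000a","repository_name":"crp0000000000000000a/ubuntu","image_id":"crpab12cd34ef56gh78i","tag":"20.04"}},
  {"details":{"registry_id":"crp0000000000000000a","repository_name":"crp0000000000000000a/evil","image_id":"crpx; rm -rf /","tag":"x"}}
]}'

# Dry run with a stub in place of yc. A deployed handler.sh ends instead with:
#   scan_from_event "$(cat)"
fake_yc() { printf 'dry-run: yc %s\n' "$*" >&2; }
YC=fake_yc
export YC
scan_from_event "$SAMPLE_EVENT"
```

Running the block as is prints `1`: the valid image is scanned (through the stub), the forged one is logged and dropped. Validating the ID before interpolating it is what makes the unquoted-variable class of bugs in the original handler irrelevant.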

Create a trigger

Create a trigger that will invoke your function whenever a Docker image tag is created in the registry.

Management console:

  1. In the management console, select the folder where you want to create a trigger.
  2. Select Cloud Functions.
  3. Go to the Triggers tab.
  4. Click Create trigger.
  5. Under Basic settings:
    • Enter a name and description for the trigger.
    • In the Type field, select Container Registry.
  6. Under Container Registry settings:
    • In the Registry field, select the registry you will push the Docker image to.
    • In the Event types field, select Create Docker image tag.
  7. Under Function settings:
    • Select the scan-on-push function.
    • Specify the $latest function version tag.
    • Specify the invoker service account, which will invoke the function.
  8. Click Create trigger.

CLI:

To create a trigger, run the command:

yc serverless trigger create container-registry \
  --name <trigger_name> \
  --registry-id <registry_ID> \
  --events 'create-image-tag' \
  --invoke-function-id <function_ID> \
  --invoke-function-service-account-id <service_account_ID>

Where:

  • --name: Trigger name.
  • --registry-id: ID of the registry the Docker image will be pushed to.
  • --events: Events that activate the trigger.
  • --invoke-function-id: Function ID.
  • --invoke-function-service-account-id: ID of the invoker service account, which has the functions.functionInvoker role and nothing more.

Result:

id: a1spt834cjmk********
folder_id: b1g86q4m5vej********
created_at: "2021-05-18T20:42:54.898949653Z"
...
      function_tag: $latest
      service_account_id: aje1insoe23e********
status: ACTIVE

API:

Use the Create method for the Trigger resource.

Push the Docker image

  1. Make sure Docker is running (for example, start Docker Desktop).

  2. Log in to the registry using one of the following methods:

    Docker credential helper:

    1. Configure Docker to use docker-credential-yc:

      yc container registry configure-docker

      Result:

      Credential helper is configured in '/home/<user>/.docker/config.json'

      Settings are saved in the current user's profile.

      Warning

      The credential helper only works if you use Docker without sudo. To learn how to configure Docker to run under the current user without sudo, see the official Docker documentation.

    2. Make sure that Docker is configured.

      The following line must appear in the /home/<user>/.docker/config.json configuration file:

      "cr.yandex": "yc"

    3. You can now use Docker, for example, to push Docker images. You do not need to run the docker login command for that.

    OAuth token:

    1. If you do not have an OAuth token yet, get one at this link.

    2. Run this command:

      echo <OAuth_token> | docker login --username oauth --password-stdin cr.yandex

      Result:

      Login Succeeded

      Keep in mind that a token typed on the command line this way ends up in your shell history; the credential helper or a short-lived IAM token avoids that.

    IAM token:

    Note

    An IAM token has a short lifetime: no more than 12 hours. This makes it a good method for applications that automatically request an IAM token.

    1. Get an IAM token.

    2. Run this command:

      yc iam create-token | docker login --username iam --password-stdin cr.yandex

      Result:

      Login Succeeded
  3. Pull a Docker image from Docker Hub:

    docker pull ubuntu:20.04
    

    Result:

    20.04: Pulling from library/ubuntu
    Digest: sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386da88********
    Status: Image is up to date for ubuntu:20.04
    docker.io/library/ubuntu:20.04
    
  4. Assign a tag to the Docker image:

    docker tag ubuntu:20.04 cr.yandex/<registry_ID>/ubuntu:20.04
    
  5. Push the Docker image to Container Registry:

    docker push cr.yandex/<registry_ID>/ubuntu:20.04
    

    Result:

    The push refers to repository [cr.yandex/crpu20rpdc2f********/ubuntu]
    2f140462f3bc: Layer already exists
    63c99163f472: Layer already exists
    ccdbb80308cc: Layer already exists
    20.04: digest: sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673f******** size: 943
    

Check the result

  1. View the logs of the scan-on-push function and make sure it has executed.

    Management console:

    1. In the management console, select Cloud Functions.
    2. Go to the Functions section and select the scan-on-push function.
    3. In the window that opens, go to Logs and specify the time period. The default time period is one hour.

    CLI:

    To find out the name or unique ID of a function, get a list of functions in the folder.

    View the function execution log:

    yc serverless function logs scan-on-push

    Result:

    2021-05-18 09:27:43  START RequestID: 34dc9533-ed6e-4468-b9f2-2aa0******** Version: b09i2s85a0c1********
    2021-05-18 09:27:43  END RequestID: 34dc9533-ed6e-4468-b9f2-2aa0********
    2021-05-18 09:27:43  REPORT RequestID: 34dc9533-ed6e-4468-b9f2-2aa0******** Duration: 538.610 ms Billed Duration: 538.700 ms Memory Size: 128 MB Max Memory Used: 13 MB
    2021-05-18 09:29:25  START RequestID: 5b6a3779-dcc8-44ec-8ee2-2e7f******** Version: b09i2s85a0c1********
    2021-05-18 09:29:26  END RequestID: 5b6a3779-dcc8-44ec-8ee2-2e7f********
    2021-05-18 09:29:26  REPORT RequestID: 5b6a3779-dcc8-44ec-8ee2-2e7f******** Duration: 554.904 ms Billed Duration: 555.000 ms Memory Size: 128 MB Max Memory Used: 13 MB
    ...
  2. Make sure that a new scan started when you pushed the Docker image.

    Management console:

    1. In the management console, select the parent folder of the registry containing the Docker image.
    2. Select Container Registry.
    3. Select the registry where you pushed your Docker image.
    4. Open the repository with the Docker image.
    5. Select the relevant Docker image and check the Date of last scan parameter value.

    CLI:

    To view the scans of a Docker image, run the command:

    yc container image list-scan-results --repository-name=<registry_ID>/<Docker_image_name>

    Because the function starts the scan with --async, the result can appear somewhat later than the function invocation does in the logs; a scan has completed when its STATUS is READY.

    Result:

    +----------------------+----------------------+---------------------+--------+--------------------------------+
    |          ID          |        IMAGE         |     SCANNED AT      | STATUS |        VULNERABILITIES         |
    +----------------------+----------------------+---------------------+--------+--------------------------------+
    | crpu20rpdc2f******** | crpqmsqp5mtb******** | 2021-05-18 14:34:02 | READY  | medium:6, low:13, negligible:3 |
    +----------------------+----------------------+---------------------+--------+--------------------------------+
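Scanning on push only pays off if something acts on the result. The following added example (not Yandex Cloud's code) is a deployment gate over the JSON form of the listing above, obtained with the global yc flag --format json: it picks the newest scan whose status is READY, refuses to pass an image that has no completed scan, and fails when critical or high findings exceed a threshold. The field names it reads (status, scanned_at, vulnerabilities.critical, vulnerabilities.high) follow the ScanResult resource of the Container Registry API and are an assumption to verify against your own CLI output; the sample JSON is constructed to mirror the table on this page and is not real output.

```shell
#!/bin/sh
# Added example, not Yandex Cloud's code: a gate over
#   yc container image list-scan-results --repository-name <registry_ID>/<image> --format json
# Field names follow the ScanResult API resource (assumption; check against real output).
set -eu

# gate_scan_results SCAN_RESULTS_JSON [MAX_CRITICAL] [MAX_HIGH]
# Returns 0 when the newest READY scan is within the allowed critical/high counts,
# 1 when it is not, and 2 when there is no READY scan at all (an image whose scan
# has not finished, or never ran, must not pass silently).
gate_scan_results() {
  max_critical=${2:-0}
  max_high=${3:-0}
  latest=$(printf '%s' "$1" \
    | jq -c '[.[] | select(.status == "READY")] | sort_by(.scanned_at) | last // empty')
  if [ -z "$latest" ]; then
    echo "gate: no READY scan result" >&2
    return 2
  fi
  # Counts may be absent for severities with zero findings; treat missing as 0.
  critical=$(printf '%s' "$latest" | jq -r '.vulnerabilities.critical // 0')
  high=$(printf '%s' "$latest" | jq -r '.vulnerabilities.high // 0')
  scanned_at=$(printf '%s' "$latest" | jq -r '.scanned_at')
  echo "gate: critical=$critical high=$high (scanned_at $scanned_at)" >&2
  if [ "$critical" -gt "$max_critical" ] || [ "$high" -gt "$max_high" ]; then
    return 1
  fi
  return 0
}

# Constructed sample mirroring the page's table (medium:6, low:13, negligible:3),
# plus a newer RUNNING entry that the gate must ignore. Not real CLI output.
SAMPLE_RESULTS='[
  {"id":"crpu20rpdc2f00000001","image_id":"crpqmsqp5mtb00000001","scanned_at":"2021-05-18T14:34:02Z","status":"READY","vulnerabilities":{"medium":"6","low":"13","negligible":"3"}},
  {"id":"crpu20rpdc2f00000002","image_id":"crpqmsqp5mtb00000001","scanned_at":"2021-05-18T14:40:00Z","status":"RUNNING"}
]'

# In a pipeline:
#   results=$(yc container image list-scan-results --repository-name "$REPO" --format json)
#   gate_scan_results "$results" || exit $?
if gate_scan_results "$SAMPLE_RESULTS"; then
  echo "gate: PASS"
else
  echo "gate: FAIL ($?)"
fi
```

With the sample data the gate passes (no critical or high findings); the two optional arguments let a team phase a policy in, for example by tolerating a bounded number of high findings while critical ones stay at zero. Note that the absence of critical and high counts in the sample is why the `// 0` defaults matter.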
    

How to delete the resources you created

To stop paying for the resources you created:

  1. Delete the Docker image stored in Yandex Container Registry, and then the registry itself.
  2. Delete the Cloud Functions function.
  3. Delete the Cloud Functions trigger.

See also

  • Automatic Docker image scan on push using Terraform
