Contact UsGet started

Automatic Docker image scan on push using Terraform

Written by
Updated at May 29, 2025

Note

You can enable auto scans of Docker images for vulnerabilities on push to Yandex Container Registry in the vulnerability scanner settings without creating any Yandex Cloud Functions functions and triggers.

To configure automatic Docker image scans for vulnerabilities on push to Yandex Container Registry using Terraform:

  1. Prepare your cloud.
  2. Prepare the environment.
  3. Create an infrastructure.
  4. Push the Docker image.
  5. Check the result.

If you no longer need the resources you created, delete them.

Prepare your cloud

Sign up in Yandex Cloud and create a billing account:

  1. Navigate to the management console and log in to Yandex Cloud or register a new account.
  2. On the Yandex Cloud Billing page, make sure you have a billing account linked and it has the ACTIVE or TRIAL_ACTIVE status. If you do not have a billing account, create one and link a cloud to it.

If you have an active billing account, you can navigate to the cloud page to create or select a folder for your infrastructure to operate in.

Learn more about clouds and folders.

The infrastructure support costs include:

Prepare the environment

  1. Install and configure Docker.

Create an infrastructure

With Terraform, you can quickly create a cloud infrastructure in Yandex Cloud and manage it using configuration files. These files store the infrastructure description written in HashiCorp Configuration Language (HCL). If you change the configuration files, Terraform automatically detects which part of your configuration is already deployed, and what should be added or removed.

Terraform is distributed under the Business Source License. The Yandex Cloud provider for Terraform is distributed under the MPL-2.0 license.

For more information about the provider resources, see the documentation on the Terraform website or its mirror.

To create an infrastructure to automatically scan a Docker image on push using Terraform:

  1. Install Terraform and get the authentication data.

  2. Specify the source for installing the Yandex Cloud provider (see Configure a provider, step 1).

  3. Prepare files with the infrastructure description:

    1. Clone the repository with configuration files.

      git clone https://github.com/yandex-cloud-examples/yc-cr-image-scanning

    2. Go to the directory with the repository. Make sure it contains the following files:

      • image-auto-scan.tf: New infrastructure configuration.
      • image-auto-scan.auto.tfvars: User data file.
      • function.zip: ZIP archive with the function code.

    1. Create a folder for configuration files.

    2. In the directory, create a configuration file named image-auto-scan.tf:

      image-auto-scan.tf
      # Declaring variables for custom parameters

variable "zone" {
  type = string
}

variable "folder_id" {
  type = string
}

# Adding other variables

locals {
  sa_scanner_name    = "scanner"
  sa_invoker_name    = "invoker"
  registry_name      = "my-registry"
  function_name      = "scan-on-push"
  trigger_name       = "trigger-for-reg"
}

# Configuring a provider 

terraform {
  required_providers {
    yandex    = {
      source  = "yandex-cloud/yandex"
      version = ">= 0.47.0"
    }
  }
}

provider "yandex" {
  folder_id = var.folder_id
}

# Creating service accounts

resource "yandex_iam_service_account" "scanner" {
  name        = local.sa_scanner_name
  description = "SA for Container Registry"
  folder_id   = var.folder_id
}

resource "yandex_iam_service_account" "invoker" {
  name        = local.sa_invoker_name
  description = "SA for Cloud Functions"
  folder_id   = var.folder_id
}

# Assigning roles to service accounts

resource "yandex_resourcemanager_folder_iam_member" "sa-role-scanner" {
  folder_id   = var.folder_id
  role        = "container-registry.images.scanner"
  member      = "serviceAccount:${yandex_iam_service_account.scanner.id}"
}

resource "yandex_resourcemanager_folder_iam_member" "sa-role-invoker" {
  folder_id   = var.folder_id
  role        = "functions.functionInvoker"
  member      = "serviceAccount:${yandex_iam_service_account.invoker.id}"
}

# Creating a registry in Container Registry

resource "yandex_container_registry" "my-reg" {
  name      = local.registry_name
  folder_id = var.folder_id
}

# Creating a function

resource "yandex_function" "test-function" {
  name               = local.function_name
  user_hash          = "my-first-function"
  runtime            = "bash"
  entrypoint         = "handler.sh"
  memory             = "128"
  execution_timeout  = "60"
  service_account_id = yandex_iam_service_account.scanner.id
  content {
    zip_filename   = "function.zip"
  }
}

# Creating a trigger

resource "yandex_function_trigger" "my-trigger" {

  name = local.trigger_name
  function {
    id                 = yandex_function.test-function.id
    service_account_id = yandex_iam_service_account.invoker.id
  }
  container_registry {
    registry_id      = yandex_container_registry.my-reg.id
    create_image_tag = true
    batch_cutoff     = "10"
    batch_size       = "1"
  }
}

    3. Create a file with user data named image-auto-scan.auto.tfvars:

      image-auto-scan.auto.tfvars
      zone      = "<availability_zone>"
folder_id = "<folder_ID>"

    4. Prepare a ZIP archive with the function code.

      1. Create the handler.sh file and paste the following code to it:

        handler.sh

        Warning

        If you are creating a file in Windows, make sure that newline characters are in \n Unix format rather than \r\n. You can replace line breaks in a text editor, such as Notepad++, or with such tools as dos2unix or Tofrodos.

        DATA=$(cat | jq -sr '.[0].messages[0].details')
ID=$(echo $DATA | jq -r '.image_id')
NAME=$(echo $DATA | jq -r '.repository_name')
TAG=$(echo $DATA | jq -r '.tag')
yc container image scan --id ${ID} --async 1>&2

      2. Create a ZIP archive named function.zip with the handler.sh file.

    For more information about the parameters of resources used in Terraform, see the provider documentation:

  4. In the image-auto-scan.auto.tfvars file, set the following user-defined properties:

  5. Create resources:

    1. In the terminal, go to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

Push the Docker image

  1. Run Docker Desktop.

  2. Log in to the registry under your username with:

    1. Configure Docker to use docker-credential-yc:

      yc container registry configure-docker

      Result:

      Credential helper is configured in '/home/<user>/.docker/config.json'

      Settings are saved in the current user's profile.

      Warning

      The credential helper only works if you use Docker without sudo. To learn how to configure Docker to run under the current user without sudo, see the official Docker documentation.

    2. Make sure that Docker is configured.

      The following line must appear in the /home/<user>/.docker/config.json configuration file:

      "cr.yandex": "yc"

    3. You can now use Docker, for example, to push Docker images. You do not need to run the docker login command for that.

    1. If you do not have an OAuth token yet, get one at this link.

    2. Run this command:

      echo <OAuth_token> | docker login --username oauth --password-stdin cr.yandex

      Result:

      Login Succeeded

    Note

    The IAM token has a short lifetime: no more than 12 hours. This makes it a good method for applications that automatically request an IAM token.

    1. Get an IAM token.

    2. Run this command:

      yc iam create-token | docker login --username iam --password-stdin cr.yandex

      Result:

      Login Succeeded

  3. Pull a Docker image from Docker Hub:

    docker pull ubuntu:20.04

    Result:

    20.04: Pulling from library/ubuntu
Digest: sha256:cf31af331f38d1d7158470e095b132acd126a7180a54f263d386da88********
Status: Image is up to date for ubuntu:20.04
docker.io/library/ubuntu:20.04

  4. Assign a tag to the Docker image:

    docker tag ubuntu:20.04 cr.yandex/<registry_ID>/ubuntu:20.04

  5. Push the Docker image to Container Registry:

    docker push cr.yandex/<registry_ID>/ubuntu:20.04

    Result:

    The push refers to repository [cr.yandex/crpu20rpdc2f********/ubuntu]
2f140462f3bc: Layer already exists
63c99163f472: Layer already exists
ccdbb80308cc: Layer already exists
20.04: digest: sha256:86ac87f73641c920fb42cc9612d4fb57b5626b56ea2a19b894d0673f******** size: 943

Check the result

  1. View the logs of the scan-on-push function and make sure it has executed.

    1. In the management console, select Cloud Functions.
    2. Go to the Functions section and select the scan-on-push function.
    3. In the window that opens, go to Logs and specify the time period. The default time period is one hour.

    To find out the name or unique ID of a function, get a list of functions in the folder.

    View the function execution log:

    yc serverless function logs scan-on-push

    Result:

    2021-05-18 09:27:43  START RequestID: 34dc9533-ed6e-4468-b9f2-2aa0******** Version: b09i2s85a0c1********
2021-05-18 09:27:43  END RequestID: 34dc9533-ed6e-4468-b9f2-2aa0********
2021-05-18 09:27:43  REPORT RequestID: 34dc9533-ed6e-4468-b9f2-2aa0******** Duration: 538.610 ms Billed Duration: 538.700 ms Memory Size: 128 MB Max Memory Used: 13 MB
2021-05-18 09:29:25  START RequestID: 5b6a3779-dcc8-44ec-8ee2-2e7f******** Version: b09i2s85a0c1********
2021-05-18 09:29:26  END RequestID: 5b6a3779-dcc8-44ec-8ee2-2e7f********
2021-05-18 09:29:26  REPORT RequestID: 5b6a3779-dcc8-44ec-8ee2-2e7f******** Duration: 554.904 ms Billed Duration: 555.000 ms Memory Size: 128 MB Max Memory Used: 13 MB
...

  2. Make sure that a new scan started when you pushed the Docker image.

    1. In the management console, select the parent folder of the registry containing the Docker image.
    2. Select Container Registry.
    3. Select the registry where you pushed your Docker image.
    4. Open the repository with the Docker image.
    5. Select the relevant Docker image and check the Date of last scan parameter value.

    To view scans by Docker image, run the command:

    yc container image list-scan-results --repository-name=<registry_ID>/<Docker_image_name>

    Result:

    +----------------------+----------------------+---------------------+--------+--------------------------------+
|          ID          |        IMAGE         |     SCANNED AT      | STATUS |        VULNERABILITIES         |
+----------------------+----------------------+---------------------+--------+--------------------------------+
| crpu20rpdc2f******** | crpqmsqp5mtb******** | 2021-05-18 14:34:02 | READY  | medium:6, low:13, negligible:3 |
+----------------------+----------------------+---------------------+--------+--------------------------------+

How to delete the resources you created

To stop paying for the resources you created:

  1. Open the image-auto-scan.tf configuration file and delete the description of the new infrastructure from it.

  2. Apply the changes:

    1. In the terminal, go to the folder where you edited the configuration file.

    2. Make sure the configuration file is correct using this command:

      terraform validate

      If the configuration is correct, you will get this message:

      Success! The configuration is valid.

    3. Run this command:

      terraform plan

      The terminal will display a list of resources with their properties. No changes will be made at this step. If the configuration contains any errors, Terraform will point them out.

    4. Apply the changes:

      terraform apply

    5. Type yes and press Enter to confirm the changes.

See also