In Azure Devops, how can we integrate jfrog-xray for docker image scanning?


We have Azure CR as our container registry, and our Azure DevOps build pipelines have Docker image build and push tasks that create various application-specific custom images on top of Docker Hub's base images.

We need to have all these custom images and the public Docker Hub base images scanned using JFrog Xray before the custom images are pushed to the ACR and before the other deployment tasks run.

How can the JFrog Xray tool be integrated into the Azure Pipeline YAML file to scan the newly built custom images right after the Maven build and Docker image build tasks, and before the image push to ACR?

Is there any way to integrate Azure DevOps and JFrog Xray together to scan these custom images as part of the Azure Pipeline build, just before the push to ACR?

Tried pipeline

parameters:
  imageName: ''
  includeLatestTag: false
  buildContext: '$(System.DefaultWorkingDirectory)/release/target/docker'
  publishDocker: ''


steps:
- task: Docker@1
  inputs:
    azureSubscriptionEndpoint: 'mysub'
    azureContainerRegistry: $(containerRegistry)
    command: build
    includeLatestTag: ${{ parameters.includeLatestTag }}
    dockerFile: '${{ parameters.buildContext }}/Dockerfile'
    useDefaultContext: false
    buildContext: ${{ parameters.buildContext }}
    imageName: ${{ parameters.imageName }}
    arguments: $(buildArgs)
  name: Build_Docker_Image
  displayName: 'Build Docker image'


- task: JFrogDocker@1
  inputs:
    command: 'Scan'
    xrayConnection: 'jfrog xray token'
    watchesSource: 'none'
    licenses: true
    allowFailBuild: true
    threads: '3'
    skipLogin: false

- task: Docker@1
  inputs:
    azureSubscriptionEndpoint: 'mysub'
    azureContainerRegistry: $(containerRegistry)
    command: push
    includeLatestTag: ${{ parameters.includeLatestTag }}
    dockerFile: '${{ parameters.buildContext }}/Dockerfile'
    useDefaultContext: false
    buildContext: ${{ parameters.buildContext }}
    imageName: ${{ parameters.imageName }}
  name: Push_Docker_Image
  displayName: 'Push Docker image'

I tried to add the above task in between the Docker image build and push tasks, but I am not getting any option to scan them. Any guidance?


There are 2 best solutions below

5
On

The new JFrog extension, the JFrog Azure DevOps Extension, has the JFrog Docker task, which allows scanning local Docker images (as well as pulling and pushing them from/to Artifactory).
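The same build, scan, push gate as a script step, added here as an example that is not part of the answer or of JFrog's extension. It assumes JFrog CLI 2.x (`jf`) is installed and configured on the agent and that `docker` is already logged in to the ACR; the `--fail` and `--licenses` options of `jf docker scan` are assumed from the JFrog CLI documentation, and SCAN_CMD / PUSH_CMD exist only so the gate can be exercised with stubs.

```shell
#!/bin/sh
# Added example: gate the ACR push on the Xray scan result, so that an image
# with a "fail build" policy violation never reaches the registry.
# Assumptions: 'jf' (JFrog CLI 2.x) is configured with an Xray-enabled server
# ('jf c add ...') and docker is logged in to the target ACR.
set -u

# Overridable for local testing; in the pipeline the defaults are used.
SCAN_CMD="${SCAN_CMD:-jf docker scan}"
PUSH_CMD="${PUSH_CMD:-docker push}"

# scan_then_push IMAGE
#   0 = scan passed and image pushed
#   2 = scan reported a failing violation, image NOT pushed
#   3 = scan passed but the push failed
scan_then_push() {
  image="$1"
  # --fail=true (assumed flag) makes jf exit non-zero on a policy violation;
  # --licenses (assumed flag) includes license findings, like the task's 'licenses: true'.
  if ! $SCAN_CMD "$image" --fail=true --licenses; then
    echo "Xray scan failed for $image; not pushing" >&2
    return 2
  fi
  if ! $PUSH_CMD "$image"; then
    echo "push of $image failed" >&2
    return 3
  fi
  echo "pushed $image after a clean scan"
  return 0
}

# In an Azure Pipelines 'script:' step, IMAGE would come from the build task,
# e.g. "$(containerRegistry)/$(imageName):$(Build.BuildId)".
if [ "${IMAGE:-}" != "" ]; then
  scan_then_push "$IMAGE"
fi
```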

0
On

By adding the Xray scan task following the instructions here, we can have the build task wait for the Xray scan to complete. However, the build must first publish its build information to Artifactory in order for the Xray processing to be initiated.

So, my proposal here is to enable build promotion against the target repository to push the images once the build scan stage is completed.