Part 3 – Notify container image vulnerability assessment result to email using Azure Logic App

The previous article walked you through some basic steps to upload Docker container’s vulnerability assessment result to a storage account for further review. Now you are asked to send an email notification to your team every time an assessment result is ready.

There are several ways to achieve email notification in Azure. In this article, we are going to explore the Azure Logic App with some common built-in Actions and Triggers to send emails to SecOps or DevOps team.

First, let’s revisit the entire flow:

Note: you should have basic knowledge of Azure Logic Apps to complete the guidance in this article.

Here is what we would like to achieve:

  • Trigger an action every time a new vulnerability assessment result is uploaded to a storage account.
  • Get the metadata (image tag name, location) of the vulnerability assessment result.
  • Generate a 24-hour SAS token to share with external parties if you need it.
  • Send an email that contains the docker image tag name as well as an absolute URL to access the assessment result.

Below is the list of built-in actions we can use to achieve the requirement:

When a blob is added or modified (properties only) (V2)

The first item is the trigger of the workflow, and it is straightforward. Select the storage account and container that you configured in the GitHub workflow to store Docker image vulnerability assessment results. Set Number of blobs to return to 1, because we want to send one email every time a new assessment result is uploaded to the storage account.

You can also set the frequency at which the trigger polls your storage account.

Get Blob Metadata using path (V2)

In the second action, specify the connection to the storage account and the path of the blob to retrieve. Use dynamic content to fill the path with the List of Files Path field from the trigger; this action's output will be used by the next action.

Create SAS URI by path (V2)

In this action, we need two things:

  • Get the blob path from the previous action.
  • Configure the action to add 24 hours to the SAS expiry time.

For the first requirement, you can simply get it done by adding the Path of the blob.

For the second requirement, add a new parameter and select Expiry Time. Use an expression with the addHours function to add 24 hours to the current time:

addHours(utcNow(), 24)

Below is the sample code for this action in case you aren’t familiar with the Designer view:

{
    "inputs": {
        "host": {
            "connection": {
                "referenceName": "azureblob_2"
            }
        },
        "method": "post",
        "body": {
            "Permissions": "Read",
            "ExpiryTime": "@{addHours(utcNow(), 24)}"
        },
        "path": "/v2/datasets/@{encodeURIComponent('privcontainervulresult')}/CreateSharedLinkByPath",
        "queries": {
            "path": "@body('Get_Blob_Metadata_using_path_(V2)')?['Path']"
        }
    }
}

Send an email (V2)

The final action just prepares the recipient's address, the email subject, and the email body. You will be asked to sign in to your email account (e.g. Outlook.com) first.

There are a couple of things to do:

  • The vulnerability assessment result is just a JSON file. You would expect to retrieve only the image name (e.g. 783023892378dsa0d8asd8a30203203), not the whole filename.
  • The email body should include the absolute URL to let people access the assessment result.

To trim the file extension (.JSON) you can use the split() function. Here is the trick:

For the absolute blob URL with the generated SAS token, reference Web Url from the previous action's output. Your action's configuration should look like the following screenshot:
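To show how the four steps above fit together, here is a complete Standard Logic App workflow.json that I assembled as an added example; it is not code from the original post, apart from the Create SAS URI action, which is the one shown earlier. The connection names (azureblob_2, outlook), the recipient address, the <container-name> placeholder, the five-minute polling interval, and the connector paths and query parameters of the trigger, the Get Blob Metadata action and the Send an email action are my assumptions about how the Azure Blob and Outlook connectors serialise in code view; if yours differ, build the step in the Designer and copy its JSON from there. The output property names Name and WebUrl are, as I understand them, the code-view names of the Designer's Name and Web Url dynamic content fields.

```json
{
  "definition": {
    "$schema": "https://schema.management.azure.com/providers/Microsoft.Logic/schemas/2016-06-01/workflowdefinition.json#",
    "contentVersion": "1.0.0.0",
    "triggers": {
      "When_a_blob_is_added_or_modified_(properties_only)_(V2)": {
        "type": "ApiConnection",
        "recurrence": { "frequency": "Minute", "interval": 5 },
        "splitOn": "@triggerBody()",
        "inputs": {
          "host": { "connection": { "referenceName": "azureblob_2" } },
          "method": "get",
          "path": "/v2/datasets/@{encodeURIComponent('privcontainervulresult')}/triggers/batch/onupdatedfile",
          "queries": {
            "folderId": "/<container-name>",
            "maxFileCount": 1,
            "checkBothCreatedAndModifiedDateTime": false
          }
        }
      }
    },
    "actions": {
      "Get_Blob_Metadata_using_path_(V2)": {
        "type": "ApiConnection",
        "runAfter": {},
        "inputs": {
          "host": { "connection": { "referenceName": "azureblob_2" } },
          "method": "get",
          "path": "/v2/datasets/@{encodeURIComponent('privcontainervulresult')}/GetFileByPath",
          "queries": {
            "path": "@triggerBody()?['Path']",
            "queryParametersSingleEncoded": true
          }
        }
      },
      "Image_name": {
        "type": "Compose",
        "runAfter": { "Get_Blob_Metadata_using_path_(V2)": [ "Succeeded" ] },
        "inputs": "@first(split(body('Get_Blob_Metadata_using_path_(V2)')?['Name'], '.'))"
      },
      "Create_SAS_URI_by_path_(V2)": {
        "type": "ApiConnection",
        "runAfter": { "Get_Blob_Metadata_using_path_(V2)": [ "Succeeded" ] },
        "inputs": {
          "host": { "connection": { "referenceName": "azureblob_2" } },
          "method": "post",
          "body": {
            "Permissions": "Read",
            "ExpiryTime": "@{addHours(utcNow(), 24)}"
          },
          "path": "/v2/datasets/@{encodeURIComponent('privcontainervulresult')}/CreateSharedLinkByPath",
          "queries": {
            "path": "@body('Get_Blob_Metadata_using_path_(V2)')?['Path']"
          }
        }
      },
      "Send_an_email_(V2)": {
        "type": "ApiConnection",
        "runAfter": {
          "Image_name": [ "Succeeded" ],
          "Create_SAS_URI_by_path_(V2)": [ "Succeeded" ]
        },
        "inputs": {
          "host": { "connection": { "referenceName": "outlook" } },
          "method": "post",
          "path": "/v2/Mail",
          "body": {
            "To": "secops@example.com",
            "Subject": "Vulnerability assessment ready for image @{outputs('Image_name')}",
            "Body": "<p>Image: @{outputs('Image_name')}</p><p>Assessment result (read-only link, expires in 24 hours): <a href=\"@{body('Create_SAS_URI_by_path_(V2)')?['WebUrl']}\">@{body('Create_SAS_URI_by_path_(V2)')?['WebUrl']}</a></p>",
            "Importance": "Normal"
          }
        }
      }
    },
    "outputs": {}
  },
  "kind": "Stateful"
}
```

Because the trigger uses splitOn, each new blob starts its own run and triggerBody()?['Path'] is exactly the List of Files Path field the Designer offers. The Image_name Compose action performs the split() trick once, so the trimmed name can be reused in both the subject and the body; if your result filenames can contain dots other than the one before the extension (a tag such as 1.2.3), first(split(...)) would cut too early, and substring(name, 0, lastIndexOf(name, '.')) is the safer expression. The SAS link is created with Permissions set to Read only and a 24-hour expiry, which is the least privilege this flow needs: anyone holding the emailed URL can read that one assessment result until it expires, so keep the recipient list to the people who should see it.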

When everything is done, save your workflow, then trigger the Docker image build and wait. You can also test by manually uploading a .JSON file to the specified storage account and container.

If you would like to test with Gmail, follow this guide https://docs.microsoft.com/en-us/azure/connectors/connectors-google-data-security-privacy-policy#steps-for-affected-logic-apps

Tl;dr: the Gmail connector has been updated to comply with Google's data security and privacy policy. As a result, to make it work you must supply a client ID and client secret from your own Google Developer app.

