how would run a third party tool within garden (tr...
# 🤖|ask-kapa
@microscopic-river-74022 how would I run a third-party tool within Garden (Trivy, for example) to scan images before they are published using `garden publish`? Preferably scan before the push occurs.
Please stand by @ancient-island-74119 as I search the knowledge base. I normally take about 15 seconds or so. :wave:
Garden provides a flexible way to run custom scripts or third-party tools as part of your workflow using Run actions. Run actions are one of the four main action kinds in Garden (the others being Builds, Deploys, and Tests). You can use a Run action to execute a tool like Trivy to scan your images before they are published. However, the knowledge sources do not provide a built-in mechanism to hook into the publish process to run a scan before the push occurs. Instead, you would typically define a Run action that executes Trivy after the image is built but before you call `garden publish`. This allows you to integrate any custom logic or tool into your pipeline, ensuring that images are scanned before they are pushed to a registry.

Here’s the general approach:

1. Define a Run action in your Garden configuration that runs Trivy against the built image.
2. Sequence your actions so that the Run action (Trivy scan) runs after the build and before the publish step.
3. Only proceed to `garden publish` if the scan passes.

Garden’s Stack Graph and Run actions are designed to support this kind of extensibility:

> Garden's Run actions (one of the four main action kinds, the others being Builds, Deploys and Tests) can also be used to wrap any script or tool that you'd like to call in your pipeline, so you always have a general-purpose escape hatch for any custom logic you need to run in your pipeline that doesn't fit easily into Garden's way of doing things. [Custom deployment scripts]()

Note: The knowledge sources do not provide a specific example for Trivy or for running a scan as a pre-publish hook, but the described approach using Run actions is the recommended way to integrate such tools with Garden.

If you need the scan to block the publish step, ensure your pipeline or CI/CD workflow runs the scan and only calls `garden publish` if the scan succeeds. There is currently no documented way to have Garden automatically run a scan as part of the `garden publish` command itself.

Note: you can ask me a follow-up question by @ mentioning me again :speech_balloon: