A delivery chain in Container Registry (ACR) automates the full image lifecycle — build, scan, replicate, and distribute — across regions from a single source code push. Every stage is observable and traceable, and you can configure blocking rules to stop the chain if an image fails a security scan.
This topic describes how to create a delivery chain with all five stages configured.
Prerequisites
Before you begin, make sure you have:
A Container Registry Enterprise Edition (Advanced Edition) instance. Only the Advanced Edition supports delivery chains. See Create a Container Registry Enterprise Edition instance.
An image repository with at least one image in that instance. See Create a repository and build images.
How it works
Each stage passes its output to the next:
Image building — triggered by a source code push; produces a tagged image.
Security scanning — scans the image; if the blocking rule is triggered, the chain stops and no subsequent stages run.
Image replication — copies the image to one or more destination Enterprise Edition instances across regions.
Distribution triggers — notifies your Container Service for Kubernetes (ACK) clusters to redeploy using the new image.
Step 1: Create a delivery chain and configure basic information
Log on to the Container Registry console.
In the top navigation bar, select a region.
In the left-side navigation pane, click Instances.
On the Instances page, click the target Enterprise Edition instance.
In the left-side navigation pane of the instance management page, choose Delivery Chain > Chain.
In the upper-left corner of the Chain page, click Create Delivery Chain.
In the Basic Information section, configure the following parameters:
| Parameter | Description |
| --- | --- |
| Name | Name of the delivery chain. |
| Description | Optional. Description of the delivery chain. |
| Scope | Select a namespace and an image repository within that namespace. |
| All Effective | Turn on to include all repositories in the selected namespace. Turn off to specify which repositories to exclude. |
Step 2: Configure image building rules
If you selected an on-premises image repository in Step 1, image building is not available. Skip to Step 3.
In the Chain section, click Image Building, then click Add Build Rule.
In the Build Information step, configure the parameters below, then click Next.
| Parameter | Description |
| --- | --- |
| Type | Source code repository type. Valid values: Branch, Tag. |
| Branch/Tag | Select or enter a branch or tag name. Regular expressions are supported. For example, `release-(?<imageTag>\w*)` triggers a build when the `release-v1` branch is updated and sets the image tag to `v1`. After you specify a regular expression, only the system can trigger builds — manual builds are disabled. |
| Build Context Directory | Relative path to the directory containing your Dockerfile, relative to the root of the code branch. |
| Dockerfile Filename | Name of the Dockerfile. Default: Dockerfile. |

In the Tag step, configure the image tag settings, click Save, then click Next.
Click Add Configuration to add tag configurations. Up to three image tags are supported.
| Parameter | Description |
| --- | --- |
| Image Tag | Tag for the built image. Example: latest. If you used a named capturing group in Branch/Tag, you can reference the captured value here. |
| Build Time | Optional. Appends the source code push time (UTC+8) to the tag. Example formats: 20201015 or 202010151613. If set, only the system can trigger builds. |
| Commit ID | Optional. Appends characters from the most recent commit ID to the tag. Default: first six characters; adjustable with the slider. If set, only the system can trigger builds. |

In the Build Configurations step, configure the parameters below, then click Confirm.
| Parameter | Description |
| --- | --- |
| Build Architecture | Target architectures. Select multiple to produce one image per architecture per tag. |
| Build Parameters | Runtime build parameters as key-value pairs. Case-sensitive. Maximum 20 pairs. |
Output of this step: A tagged image stored in the repository specified in Step 1. This image is the input for the security scanning stage.
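The Branch/Tag pattern from this step, run against constructed branch names, as an added example (not Container Registry code). The page does not say whether the pattern must match the whole branch name or only part of it, so both modes are evaluated; `evaluateBranch` and `auditBranches` are hypothetical helper names.

```javascript
// Pattern copied from the Branch/Tag example on this page.
const PAGE_PATTERN = "release-(?<imageTag>\\w*)";
// Docker tag grammar: one word character, then up to 127 of [A-Za-z0-9_.-].
const VALID_TAG = /^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$/;

// Evaluate one branch name under both matching modes.
// Which mode the registry applies is an assumption either way.
function evaluateBranch(branch, pattern = PAGE_PATTERN) {
  const modes = {
    fullMatch: new RegExp(`^(?:${pattern})$`), // whole name must match
    search: new RegExp(pattern),               // match anywhere in the name
  };
  const out = { branch };
  for (const [mode, re] of Object.entries(modes)) {
    const m = re.exec(branch);
    const tag = m ? m.groups.imageTag : null;
    out[mode] = {
      triggers: m !== null,
      imageTag: tag,
      usableTag: tag !== null && VALID_TAG.test(tag),
    };
  }
  return out;
}

// Keep only branches whose outcome depends on the matching mode,
// or whose captured value cannot be used as an image tag.
function auditBranches(branches, pattern = PAGE_PATTERN) {
  return branches
    .map((b) => evaluateBranch(b, pattern))
    .filter((r) =>
      r.fullMatch.triggers !== r.search.triggers ||
      r.fullMatch.imageTag !== r.search.imageTag ||
      (r.search.triggers && !r.search.usableTag));
}

// Constructed sample branch names.
const SAMPLE = ["release-v1", "release-v1.2", "release-", "hotfix/release-v9", "main"];
console.log(JSON.stringify(auditBranches(SAMPLE), null, 2));
```

Because `\w` excludes `.`, a partial match on `release-v1.2` captures `v1`, the same tag as `release-v1`, and `\w*` also accepts the empty capture from `release-`.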
Step 3: Configure the blocking rule for image security scanning
Security scanning checks each image before it is replicated or distributed. If a blocking rule is triggered, the chain stops for all images.
In the Chain section, click Security Scan.
In the Node configuration section, configure the following:
Security engine — choose the scan engine:

| Option | Description |
| --- | --- |
| Security Center Scan Engine | Detects vulnerabilities and lets you fix them with a few clicks in Security Center. Requires the Ultimate Edition of Security Center. If Security Center is not activated in the current region, this option is not shown. See Purchase Security Center. |
| Trivy Scan Engine | Does not support one-click vulnerability fixing through Container Registry. |

Block strategy — choose how the chain responds when the rule is triggered:

| Strategy | Behavior |
| --- | --- |
| Blocking | Stops all subsequent stages for all images when the rule is triggered. Specify the Severity and Vulnerability thresholds, and configure what happens to the original image (delete or back up). |
| Non-blocking | All subsequent stages proceed regardless of scan results. |
Output of this step: If the strategy is Non-blocking or no rule is triggered, the image passes to the replication stage. If Blocking is triggered, the chain ends here.
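A local model of the blocking decision described in this step, as an added example (not Container Registry code) run over a constructed report in Trivy's JSON layout. It assumes a rule fires when the number of findings at or above the chosen severity reaches the threshold; the rule object shape and the function names are hypothetical.

```javascript
// Severity levels as they appear in Trivy reports, lowest to highest.
const SEVERITY_RANK = { UNKNOWN: 0, LOW: 1, MEDIUM: 2, HIGH: 3, CRITICAL: 4 };

// Count findings per severity across every target in a Trivy-style JSON report.
function countBySeverity(report) {
  const counts = { UNKNOWN: 0, LOW: 0, MEDIUM: 0, HIGH: 0, CRITICAL: 0 };
  for (const result of report.Results ?? []) {
    // Targets with no findings carry no "Vulnerabilities" array.
    for (const vuln of result.Vulnerabilities ?? []) {
      const sev = Object.hasOwn(SEVERITY_RANK, vuln.Severity) ? vuln.Severity : "UNKNOWN";
      counts[sev] += 1;
    }
  }
  return counts;
}

// rule = { strategy, severity, threshold } is a hypothetical shape for this sketch.
// Assumption: the rule fires when findings at or above `severity` reach `threshold`.
function evaluateScanStage(report, rule) {
  if (!Object.hasOwn(SEVERITY_RANK, rule.severity)) {
    throw new Error(`unknown severity: ${rule.severity}`);
  }
  const counts = countBySeverity(report);
  const hits = Object.keys(counts)
    .filter((sev) => SEVERITY_RANK[sev] >= SEVERITY_RANK[rule.severity])
    .reduce((sum, sev) => sum + counts[sev], 0);
  const triggered = hits >= rule.threshold;
  // Per the page: Blocking stops later stages, Non-blocking lets them proceed.
  const blocked = rule.strategy === "Blocking" && triggered;
  const stagesRun = blocked
    ? ["build", "scan"]
    : ["build", "scan", "replication", "distribution"];
  return { counts, hits, triggered, blocked, stagesRun };
}

// Constructed report; the IDs are placeholders, not real advisories.
const SAMPLE_REPORT = {
  Results: [
    { Target: "app (alpine)", Vulnerabilities: [
      { VulnerabilityID: "PLACEHOLDER-1", Severity: "CRITICAL" },
      { VulnerabilityID: "PLACEHOLDER-2", Severity: "HIGH" },
      { VulnerabilityID: "PLACEHOLDER-3", Severity: "LOW" } ] },
    { Target: "app/package-lock.json" },
    { Target: "app/requirements.txt", Vulnerabilities: [
      { VulnerabilityID: "PLACEHOLDER-4", Severity: "MEDIUM" } ] },
  ],
};
const SAMPLE_RULE = { strategy: "Blocking", severity: "HIGH", threshold: 1 };
console.log(evaluateScanStage(SAMPLE_REPORT, SAMPLE_RULE));
```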
Step 4: Configure image replication rules
After an image passes security scanning, replication copies it automatically to destination Enterprise Edition instances in other regions.
In the Chain section, click Trigger Synchronization, then click Create Rule.
In the Create Rule dialog box, enter a rule name and specify the destination instance:
Select a region and an existing Enterprise Edition instance as the destination.
If no suitable instance exists, click Create Instance. See Create a Container Registry Enterprise Edition instance.
If Internet access is disabled, images can be automatically replicated in different regions.
Click Next.
In the Replication Information wizard, configure the replication scope, then click Create Rule.
| Parameter | Description |
| --- | --- |
| Replication Level | Scope of replication. Valid values: Namespaces (all repositories in the namespace), Repository (a specific repository). |
| Source Address | Namespace and repository to replicate from. Enter a regular expression to filter which image tags to replicate. Default: all tags. The repository field is available only when Replication Level is set to Repository. |
Output of this step: The image is available in all configured destination instances and is ready for distribution.
Step 5: Configure distribution triggers
Distribution triggers notify your ACK clusters to pull the new image and redeploy the application automatically.
In the Chain section, click Trigger, then click Create.
In the Create Trigger dialog box, configure the following parameters, then click Confirm.
| Parameter | Description |
| --- | --- |
| Name | Name of the trigger. |
| Trigger URL | The callback URL. Get this URL from your ACK cluster configuration. |
| Trigger | When to trigger distribution. Valid values: All (every image update triggers distribution), By RegExp (only images with tags matching a regular expression), By Tags (only images with tags in a specified list). |

On the Create Delivery Chain page, click Create.
Result
The delivery chain appears on the Chain page.
To monitor execution, log on to your Enterprise Edition instance and go to the Record page. There you can see the status and result of each stage. After a successful run, verify that the updated image is deployed in your ACK cluster.
What's next
To trigger the chain, push a source code change to the configured branch or tag.
To view scan results, go to the Record page and check the security scanning stage output.
To add more destination instances, repeat Step 4 for each additional region.