Thursday, March 21, 2019

Anchore - Container Image Scan Engine

The Anchore engine is an open source project that inspects, analyzes and certifies Docker Images. Anchore conducts static analysis on container images and applies user defined acceptables policies to allow automated container image validation and certification. We can use Anchore to gain deep insight to the OS and non-OS packages contained in the image but also the ability to create governance around the artifact and its contents via customizable policies.

Anchore analysis tools inspect your container image and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files and language modules and artifacts such as NPM, PiP, GEM, and Java archives.

Anchore engine is available as a Docker image that can run as a standalone or with orchestration platform such as kubernetes. Anchore is also available as a Jenkins plugin, allowing you to integrate container image scanning as part of the CI/CD workflow. The identified vulnerabilities are compared with the Anchore Hosted cloud service and details are provided after the scan

Installing Anchore using docker compose - We will run Anchore on a docker system using the docker compose as below,
jagadishAvailable$Thu Mar 21@ mkdir anchore
jagadishAvailable$Thu Mar 21@ cd anchore
jagadishAvailable$Thu Mar 21@ curl > docker-compose.yaml
jagadishAvailable$Thu Mar 21@ mkdir config
jagadishAvailable$Thu Mar 21@ curl > config/config.yaml
jagadishAvailable$Thu Mar 21@ mkdir db
jagadishAvailable$Thu Mar 21@ docker-compose up -d

Confirm the anchore docker containers are up and running
jagadishAvailable$Tue Mar 21@ anchore-cli --u admin --p foobar --url system status

Service analyzer (dockerhostid-anchore-engine, http://anchore-engine:8084): up
Service policy_engine (dockerhostid-anchore-engine, http://anchore-engine:8087): up
Service catalog (dockerhostid-anchore-engine, http://anchore-engine:8082): up
Service apiext (dockerhostid-anchore-engine, http://anchore-engine:8228): up
Service kubernetes_webhook (dockerhostid-anchore-engine, http://anchore-engine:8338): up
Service simplequeue (dockerhostid-anchore-engine, http://anchore-engine:8083): up

Engine DB Version: 0.0.9
Engine Code Version: 0.3.3

Anchore engine once started runs on the localhost on 8228 port. In order to scan a image, we first need to push the image to the public registry first. In this case i have created a image with the name scanimage and push that to my dockerhub account. Once the image is pushed, we will use anchore to add the image to the local engine using the command,

jagadishAvailable$Tue Mar 21@ anchore-cli --u admin --p foobar --url image add

Image Digest: sha256:f38bfbd1722ea6131a6cacf9c176bbe3ea9048f1079df304691b592a463c1676
Parent Digest: sha256:f38bfbd1722ea6131a6cacf9c176bbe3ea9048f1079df304691b592a463c1676
Analysis Status: not_analyzed
Image Type: docker
Image ID: b9e49720be226946983101f5e59546548f0a92dff31462ce7856c461065c47ef
Dockerfile Mode: None
Distro: None
Distro Version: None
Size: None
Architecture: None
Layer Count: None

Full Tag:

The image will be downloaded and then added to the anchore engine scan. The credentials “admin” and “foobar” are user name and password.

Check the status of the scan using,
jagadishdocker-github$Tue Mar 19@ anchore-cli --u admin --p foobar --url image list

Full   Tag               Image ID                          Analysis Status
scanimage:latest    b9e49720be226946983101 analyzing

We can see that the image is still in analyzing status as shown in the above output. Run the same command until the status changes to analyzed.

Get a Image when the status goes to analyzed using,
jagadishdocker-github$Tue Mar 21@ anchore-cli --u admin --p foobar --url image get

Obtain the results of the Vulnerability scan on the obtained image,
jagadishdocker-github$Tue Mar 21@ anchore-cli --u admin --p foobar --url image vuln os

List operating system packages present in an image:
jagadishdocker-github$Tue Mar 21@ anchore-cli --u admin --p foobar --url image content os

os: available
files: available
npm: available
gem: available
python: available
java: available

This is an introduction to the anchore engine. Hope this helps in getting started.

No comments :

Post a Comment