Deeper Analysis with Anchore

Since we announced Anchore 1.0 back in October we have spent a great deal of time talking to our community users, partners and enterprises about their compliance and governance needs. Many of these conversations followed a similar pattern: initial excitement about Docker and container deployments, followed by concerns about security, then the challenge of balancing the desire to support agile development and innovation with the need for compliance and security. We’ve heard from these users that many have a basic system in place to perform the first level of checks on their images, focused on CVEs; however, they understand that this is not enough. In our conversations with these organizations we spend a lot of time explaining that CVE scanning is the tip of the iceberg, and many of our discussions then focus on how to go deeper into container inspection and analysis.

At Anchore our focus has been to deliver tools and services that go below the surface to perform deep analysis on container images and allow organizations to define policies that specify rules to govern security vulnerabilities, package whitelists and blacklists, configuration file contents, presence of credentials in the image, manifest changes, exposed ports or any user-defined checks.

Last week we outlined a number of new features we added to the Anchore Navigator which added deeper container scanning including the ability to report on Node.JS NPM modules. Today we would like to announce the latest release of both Anchore’s open source project and Anchore’s Enterprise offering.

Over the coming weeks, we will deep dive into each of the new features in this release and outline the roadmap for the coming months.

We’ll highlight the 3 most significant features in the 1.0.3 release; however, you can get more details from the changelog in our GitHub repository.

Node.JS NPM Support

In addition to the operating system packages and all files in the image, Anchore now reports on all Node.js NPMs that are installed in the image. These software libraries are often overlooked: they are not covered by security scanning tools and do not undergo the same level of scrutiny and governance as the operating system, yet in many cases you’ll find more NPM packages in your image than operating system packages.

Node.JS Data Feed

The enterprise offering builds on top of the NPM reporting in the open source project to allow organizations to build policies that govern the use of NPM modules in their container images. For example, an organization can blacklist specific modules, specify minimum versions or even block deployment of outdated modules.

Advanced Content Policies

It is not enough to just look at the operating system packages and software packages such as NPM modules. It’s possible to have all of the latest operating system packages but still have an image that’s got security vulnerabilities or is otherwise not compliant with your operational, security or business policies. A great example of this was seen this summer when a security researcher found source code and secrets (API keys) within a Vine container image that was publicly accessible.

In this release, we have added the ability to perform detailed checks against both the names and the contents of files. While this feature enables a wide variety of checks, one of the most interesting use cases is to scan the image for ‘secrets’: for example, search for .CER or .PEM files that may contain private keys for certificates, look for source code, or inspect the contents of specific files for saved passwords or API keys.
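As an added illustration of the kind of file-name and file-content check described above (this is not Anchore’s code or its policy language; the rule names, patterns and sample tree are constructed for the example), a minimal scan over an unpacked image filesystem:

```python
import os
import re
import tempfile

# Constructed policy: file-name rules and file-content rules (hypothetical
# rule format, not Anchore's). Content patterns are bytes so binaries are safe.
NAME_RULES = {
    "cert_or_key_file": re.compile(r"\.(pem|cer|key)$", re.IGNORECASE),
}
CONTENT_RULES = {
    "private_key": re.compile(rb"-----BEGIN (RSA |EC |OPENSSH )?PRIVATE KEY-----"),
    "aws_access_key": re.compile(rb"AKIA[0-9A-Z]{16}"),
    "password_assignment": re.compile(rb"(?i)password\s*[=:]\s*\S+"),
}
MAX_CONTENT_BYTES = 1 << 20  # inspect only the first MiB of each file


def scan_rootfs(root):
    """Walk an unpacked image filesystem; return sorted (rule, relative path) findings."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root)
            for rule, pattern in NAME_RULES.items():
                if pattern.search(name):
                    findings.append((rule, rel))
            try:
                with open(path, "rb") as fh:
                    head = fh.read(MAX_CONTENT_BYTES)
            except OSError:
                continue  # unreadable entry (e.g. broken symlink): skip, do not abort
            for rule, pattern in CONTENT_RULES.items():
                if pattern.search(head):
                    findings.append((rule, rel))
    return sorted(findings)


def build_sample_rootfs():
    """Constructed sample tree standing in for an unpacked image (values are fake)."""
    root = tempfile.mkdtemp()
    files = {
        "etc/ssl/server.pem": b"-----BEGIN RSA PRIVATE KEY-----\nMIIE...\n",
        "app/config.py": b"DB_HOST = 'db'\nDB_PASSWORD = 'hunter2'\n",
        "app/.env": b"AWS_ACCESS_KEY_ID=AKIAABCDEFGHIJKLMNOP\n",
        "app/README": b"no secrets here\n",
    }
    for rel, data in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root
```

Running `scan_rootfs(build_sample_rootfs())` flags the .pem file twice (by name and by content), the password assignment and the access-key pattern, and leaves the README untouched.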

These are just a few of the new features added in this release. We’ll cover these in more detail in the coming days. If you want to learn more please fill out the form below and our team will reach out to you.

Anchore Joins the Open Container Initiative

Today we formally announced that Anchore had joined the Open Container Initiative (OCI).

The OCI was established to develop standards for containers, initially focusing on the runtime format specification but later adding the container image format specification.

Container adoption is accelerating rapidly and the ecosystem is exploding with new vendors who are providing features such as orchestration, monitoring, deployment and reporting.

Standards are critical to the adoption of containers, ensuring that customers can choose their cloud provider, orchestration platform or monitoring tool without worrying about interoperability between these platforms and without being locked into one particular stack or vendor.

In the early days of the OCI, concerns were raised about the overhead sometimes seen with standards bodies, which can be bureaucratic and slow to come to agreement. As such, there was a real concern that the standardization process might stifle innovation in a container market that had seen rapid innovation and adoption. The incredible progress made by the OCI within its first 18 months seems to have put those concerns to rest, and the OCI community is growing, with nearly all of the leading players in the container market participating in this important work.

The image format specification is of particular interest to Anchore. This format covers the low-level details of container images including both the filesystem image and the associated metadata required to run the image. Today Anchore’s Container Image scanning engine understands the low-level details of the Docker image format and is able to perform detailed analysis on these images. Over the coming months, Anchore will add support for the OCI image specification to allow customers to perform analysis, compliance and certification tests on OCI images in addition to Docker images.

We are looking forward to contributing to the specification, especially in the area of governance and compliance and by providing open source tools and services to allow OCI images to be analyzed and validated.

Containers in Production, Is Security a Barrier?

Fintan Ryan – Redmonk – December 1, 2016


Over the last week, we have had the opportunity to work with an interesting set of data collected by Anchore (full disclosure: Anchore is a RedMonk client). Anchore collected this data by means of a user survey run in conjunction with DevOps.com. While the number of respondents is relatively small, at 338, there are some interesting questions asked, and a number of data points which support wider trends we are seeing around container usage. With any data set of this nature, it is important to state that survey results strictly reflect the members of the DevOps.com community.

The data set covered a number of areas including container usage and plans, orchestration tools, operating system choices, CI tools and security. For this post we will be focusing on the data around containers and CI.

Read the original and complete article on RedMonk.