With the recent release of version 2.3, Anchore Enterprise now supports scanning of Windows container images and the addition of a new feed source for identifying Windows vulnerabilities: Microsoft Security Response Center (MSRC).
MSRC
Microsoft Security Response Center maintains reports of security vulnerabilities affecting Windows systems in its Security Update Guide. In addition to publishing this data publicly on its website, Microsoft provides programmatic access to retrieve security update details in the Common Vulnerability Reporting Format via its Microsoft Security Update API. In order to access the API, users must obtain an API key using their Microsoft TechNet account.
Enabling the MSRC Feed Driver for Anchore Enterprise
In order to configure the feed source for use with Anchore Enterprise, the on-premise Enterprise Feeds Service must be enabled with the obtained API key. For instructions on how to obtain an API key from Microsoft, visit Anchore Enterprise Feed Driver Configuration.
Note: If you are upgrading an existing deployment via docker-compose, bring the deployment down WITHOUT deleting the existing volumes (that is, omit the '-v' flag from the docker-compose down command). For Kubernetes deployments using Helm, the upgrade can be performed with the helm upgrade command.
To enable the on-premise feeds service and configure the MSRC driver on deployments using docker-compose, edit the following section of the compose template:
services:
  ...
  feeds:
    ...
    environment:
      ...
      - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true
      - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_API_KEY=
For deployments using the config.yaml configuration file, update the following sections:
services:
  ...
  feeds:
    ...
    drivers:
      msrc:
        enabled: true
        api_key:
To enable the feeds service and the MSRC driver for Kubernetes deployments, update the following section of your custom values file:
anchore-feeds-db:
  enabled: true
  ...
anchoreEnterpriseFeeds:
  enabled: true
  ...
  # Enable microsoft feeds
  msrcDriverEnabled: true
  msrcApiKey:
  ...
(For new deployments on Kubernetes using the stable/anchore-engine Helm chart, refer to the installation guide for instructions on deploying Anchore in your cluster).
Verify New Feed is Enabled
After bringing up the deployment, the feed sync may take a while to complete, depending on whether this is a new deployment or an upgrade of an existing one. For details on checking the status of the feed synchronization, refer to our enterprise docs.
Once the feeds have finished synchronizing, verify that the MSRC feed is included in the list:
- via the Enterprise UI, or
- via the API.
Adding Windows Images
Just as with Linux containers, you can analyze a Windows container repository or tag by providing the image registry/repository/tag in the UI, via the API, or with the command line: anchore-cli image add
Viewing Compliance and Vulnerabilities
Once the image analysis has completed, Anchore provides a detailed view of the image contents, vulnerability findings and compliance reports driven through policy.
To produce security information for Windows images, Anchore compares the version (or patch set) of the image you are scanning against the latest version of its base image and generates a list of all the vulnerabilities the image may be exposed to, as disclosed by the Microsoft Security Response Center. In the example below, we can see the vulnerabilities Anchore identified in the image, with further details on the severity of the CVE, the package name and type, and a link to Microsoft's Security Update Guide for more information on the finding.
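As an added illustration (not Anchore's own code), the following Python models the comparison just described: it assumes the feed is keyed by Windows release line and by the update build revision (UBR) in which each fix shipped, and it reports every fix whose build is newer than the scanned image's build. The feed entries and CVE identifiers are constructed placeholders.

```python
"""Illustrative model of matching a Windows image build against a patch feed.

Assumption: Windows updates are cumulative, so an image whose UBR is lower than
the build in which a fix shipped does not contain that fix.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class WinFix:
    cve: str          # constructed placeholder id, not a real CVE
    release: str      # Windows release line, e.g. "10.0.17763" (Server 2019 / 1809)
    fixed_build: int  # UBR in which the fix shipped
    severity: str


# Constructed sample feed; real data would come from the MSRC driver.
SAMPLE_FEED = [
    WinFix("CVE-YYYY-0001", "10.0.17763", 1282, "Critical"),
    WinFix("CVE-YYYY-0002", "10.0.17763", 1339, "Important"),
    WinFix("CVE-YYYY-0003", "10.0.14393", 3930, "Critical"),  # other release line
    WinFix("CVE-YYYY-0004", "10.0.17763", 1457, "Important"),
]


def parse_build(version: str) -> tuple[str, int]:
    """Split '10.0.17763.1294' into its release line and UBR; rejects malformed input."""
    parts = version.split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected Windows build string: {version!r}")
    return ".".join(parts[:3]), int(parts[3])


def latest_build(release: str, feed: list[WinFix]) -> int:
    """Newest patched build known for a release line (the 'latest patch set')."""
    return max((f.fixed_build for f in feed if f.release == release), default=0)


def exposed_vulns(image_version: str, feed: list[WinFix]) -> list[WinFix]:
    """Fixes from the image's release line that shipped after the image's build."""
    release, ubr = parse_build(image_version)
    hits = [f for f in feed if f.release == release and f.fixed_build > ubr]
    return sorted(hits, key=lambda f: f.cve)


if __name__ == "__main__":
    image = "10.0.17763.1294"
    print(f"latest known build: {latest_build('10.0.17763', SAMPLE_FEED)}")
    for fix in exposed_vulns(image, SAMPLE_FEED):
        print(f"{fix.cve}  {fix.severity:<10} fixed in UBR {fix.fixed_build}")
```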
With the addition of support for Windows container image scanning, you can integrate Anchore into your container-based workflows for your Windows images and leverage our policy engine to enforce compliance.