Anchore Blog
Admission Control in Kubernetes with Anchore
Our focus at Anchore is analyzing, validating, and evaluating docker images against custom policies to give users visibility, control-of, and confidence-in their container images before they ever execute. And, its open-source. In this post, I’ll show how to use the new Anchore admission controller for kubernetes to gate execution of docker images in kubernetes according to criteria expressed in Anchore policies such as: security vulnerabilities, package manifests, image build-instructions, image source, and the other aspects of image content that Anchore Engine can expose via policy.
read moreInstalling Anchore Engine on an Azure Kubernetes Service cluster with Helm
In this post I will walkthrough deploying an AKS Cluster using the Azure CLI. Once the cluster has been deployed, Anchore Engine will be installed and run via Helm on the cluster. Following the install, I will configure Anchore to authenticate with Azure Container Registry (ACR) and analzye an image.
read moreUsing Anchore and Slack for Container Security Notifications
With Anchore you can subscribe to TAGs and Images to receive notifications when images are updated, when CVEs are added or removed and when the policy status of an image changes so you can take a proactive approach to ensuring security and compliance.
read moreAnchore Enterprise 1.2 is Available Today
We’re happy today to announce the immediate availability of Anchore Enterprise version 1.2, the latest in our journey to provide users with ability to enforce container security and best-practices with usable, flexible, cross-organization, and above all time-saving technology and techniques from Anchore. This release is based on the all new (and also available today) OSS Anchore Engine version 0.3.0).
read moreDocker Security Best Practices: Part 4 – Runtime Security
Previously, in our Docker Security Best Practices series, we took a deeper look into Docker Image security, and what best practices to follow. This post will continue the series, focusing on Docker container runtime, the challenges that come with securing them, and what countermeasures can be taken to achieve a better container runtime security stance. Left out from this discussion will be any considerations that touch on host or static image security.
read moreDocker Security Best Practices: Part 3 – Securing Container Images
Previously, in our Docker Security Best Practices series, we took a deeper look into Securing the Docker Host, and what best practices to follow. This post will continue the series, focusing on Docker images, the challenges that come with securing these artifacts, and what countermeasures can be taken to achieve a better container image security stance. Left out from this discussion will be any considerations that touch on host or runtime security.
read moreDocker Security Best Practices: Part 2 – Securing the Docker Host
A short while ago we published a blog on Docker security called Docker Security Best Practices: Part 1. We structured it by briefly discussing a comprehensive approach to security the entire container stack from top to bottom. This involves securing the underlying host operating system, the container images themselves, and the container runtime. In this post, we will discuss securing the host operating system in a bit more detail. In short, containerized applications are only as secure as the underlying host, as containers share the operating system kernel. There are some important operating system security best approaches that will strength this layer of the container stack and improve the overall security posture.
read moreIntegrating Anchore Scanning with Gitlab
This will walkthrough integrating Anchore scanning into a Gitlab container image build pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step Anchore will scan the image, and depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be published and reports will be generated.
This approach differs from previous posts where an Anchore engine service has been accessible from the build pipeline.
Integrating Anchore Scanning with CircleCI
This will walkthrough integrating Anchore scanning into a CircleCI pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step Anchore will scan the image, and depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.
read moreDocker Security Best Practices: Part 1
Container security has been one of the hottest topics in the industry as of late, but what does “container security” really mean. Does it mean ensuring your images don’t have vulnerabilities in them? We think true container security involves a much more comprehensive approach including securing the entire container stack from top to bottom.
read moreAdd Container Security and Compliance Scanning to Your Codeship Pipeline
This will walkthrough integrating Anchore scanning into a Codeship pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step Anchore will scan the image, and depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.
read moreIntegrating Anchore Scanning in a Codefresh Pipeline
As Docker usage has greatly increased, it has become increasingly important to gain a better understanding of how to securely configure and deploy Dockerized applications. The Center for Internet Security published 1.13 Docker Benchmark, which provides consensus based guidance by subject matter experts for users and organizations to achieve secure Docker usage and configuration.
read moreUsing Anchore Policies to Help Achieve the CIS Docker Benchmark
As Docker usage has greatly increased, it has become increasingly important to gain a better understanding of how to securely configure and deploy Dockerized applications. The Center for Internet Security published 1.13 Docker Benchmark, which provides consensus based guidance by subject matter experts for users and organizations to achieve secure Docker usage and configuration.
read moreUsing Open Source Tools to Create a Secure Container Based CI/CD Pipeline
Docker gives developers the ability to streamline packaging, storage, and deployment of applications at great scale. With increased use of container technologies across software development teams, securing these images become challenging. Due to the increased flexibility and agility, security checks for these images need to be woven into an automated pipeline and become part of the development lifecycle.
read moreVendorless – Security the Open Source Way
Whether you love or hate the term, ‘serverless’ is one of the hottest new trends in the cloud computing world. Despite what the name may suggest, there are certainly still servers running your code, the real innovation here is that you do not need to manage these servers you just publish your code to be run by the serverless infrastructure. This architecture can be better described as FaaS: functions as a service or BaaS: backend as a service. Amazon lead this innovation with its Lamda service and other cloud providers have followed suit, including Google with Google Cloud Functions and Microsoft with Azure Functions.
read moreIntroducing Anchore Enterprise 1.1
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreIntegrating Anchore Scanning into Jenkins Pipeline via Jenkinsfile
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreUpdates to the Anchore Plugin for Jenkins
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreAnchore & Falco, End-to-End OSS Container Security Solution
While open source solutions have historically provided the core layer of infrastructure, there have been areas in which organizations would need to look at proprietary solutions. The most notable of which is security which had until recently remained the bastion of commercial vendors.
read moreHow Often are Docker Images Updated – Revisited
Almost a year ago we looked at the frequency with which some of the most popular images in the Docker registry are updated and compared the frequency of base image (alpine, debian, etc) updates with that of popular non-OS images. We found that while updates to base images came in around once a month, non-OS images updated much more frequently – up to eight to ten updates in the case of the widely used node:latest and php:latest packages.
read moreThe real difference between CI and CD: Confidence
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreWhy CVE Scanning Still Isn’t Enough
On Thursday the Node Package Manager team removed a node package from the NPMJS.org registry. You can read more about the discovery in this bleepingcomputer article or on incident reported on the the npm blog. This package was found to have a malicious payload which provided a framework for a remote attacker to execute arbitrary code. While the module was removed from the NPM registry you may already have this module in your environment.
read moreThe Container Chronicle Volume 2
When we launched the Container Chronicle newsletter we planned on making this a monthly newsletter to make sure there was enough content to make it a worthwhile read while not making it too long. Well, two weeks later there was so much...
read moreDriving Open Source Container Security Forward
When Anchore was formed there was an obvious gap in terms of open source container security and our goal was to fill that gap with the best in breed container scanning solution that added not just reporting but policy based compliance. At the same time we were working on Anchore CoreOS released the Clair project which provided an open source vulnerability scanner. We are big fans of the work CoreOS has done in the container community so we looked into that project but saw a number of gaps:
read moreNo Excuses – Start Scanning
One of the most popular features of the Anchore Cloud service is the ability to deep dive into any container image to inspect its contents to see what files, packages and software libraries make up an image. Before I import any public image into my development environment I check out the list of security vulnerabilities in the image, if any, the policy status (does it fail basic compliance checks) and then I dig into the contents tab to see what operating system packages and libraries are in the image. I am still surprised at just how large many images are.
read moreWelcome to the Container Chronicle
Things change rapidly in the fast fluid world of Containers, sometimes it’s hard to keep up. So we’re starting a new newsletter called The Container Chronicle to help you stay on top of everything newsworthy from Cloud to Kubernetes, Docker to...
read moreSecuring Kubernetes Workloads using Anchore
Many users have already implemented Anchore to secure their CI/CD pipeline, to ensure that only images that are compliant with their security policies are pushed to their production registries. While this is a crucial process to implement on the path to implementing strong governance of container environments this only the first step.
read moreInstalling Anchore with a Single Command Using Helm
Helm is the package manager for Kubernetes, inspired by packaged managers such as homebrem, yum, npm and apt. Applications are packaged in Charts which are a collection of files that contain the definition and configuration of resources to be deployed to a Kubernetes cluster. Helm was created by Deis who donated the project to the Cloud Native Computing Foundation (CNCF).
read moreHandling False Positives
If like me you’re subscribed to receive updates for popular base images such as CentOS, then this morning you may have received an email like this from Anchore. Here, you are receiving a warning that a new, HIGH severity CVE was just found in the CentOS image. You can read more about the vulnerability in Red Hat’s security advisory RHSA-2018:0102 which covers the impact of CVE-2017-3145 on the BIND DNS package.
read moreScanning Images on Amazon Elastic Container Registry (ECR)
The Anchore Engine supports analyzing images from any Docker V2 compatible registry however when accessing an Amazon ECR registry extra steps must be taken to handle Amazon Web Services authentication.
read more