Anchore Blog
Introduction to Amazon EKS
In June of 2018, Amazon announced the general availability of their Elastic Container Service for Kubernetes. Given that at Anchore we deliver our products as Docker container images, it came as no surprise to us that our users and customers would begin deploying our software on EKS. Since Kubernetes, Kubernetes on AWS, and Anchore on EKS adoption have all increased, I thought it best to give EKS a shot.
read moreOperational Awareness and Performance Tuning For Anchore – Part 2: Performance Tuning Tips
In this article, we’ll dive more deeply into matching metrics gathered in our first part with opportunities to tune the performance of a given Anchore deployment.
read moreGoing deeper with Anchore Policies: Using Whitelists
Anchore policy bundles are the unit of policy definition and evaluation. Anchore users may have multiple policy bundles, but for a policy evaluation, the user must specify a bundle to be evaluated or default to the bundle currently marked as active. One of the components of a policy bundle is whitelists. A whitelist is a set of exclusion rules for trigger matches found during policy evaluation.
read moreOperational Awareness and Performance Tuning For Anchore – Part 1: Architecture and Metrics
In the first set of posts in this series, I will walk through how to evaluate and tune your Anchore deployment for better image analysis performance. To do so, we’ll discuss the actions Anchore Engine takes to pull, analyze and evaluate images and how that is affected by configuration and deployment architecture. We’ll also point out how you can get metrics on each of these functions to determine what you can do to improve the performance of your deployment.
The progression of my passion about technology from the early days of my career in unix/linux operations, through development and engineering work, to joining Eucalyptus and Ansible always followed an arc of interest and curiosity. I was always looking to expand my understanding of infrastructure and platform development but also looking for environments that encouraged growth and learning. I was fortunate to have that in the past and I feel extremely fortunate to be able to continue this at Anchore.
read moreAdding Vulnerability Scanning and Policy-Compliance for Your Containers in CI/CD, No Stateful Service Required
Today we are introducing a new way to interact with anchore to get image scans, evaluations, and content reports without requiring a central anchore-engine deployment to be available. We call this new approach ‘inline scan’, to indicate that a single, one-time scan can be performed ‘inline’ against a local container image at any time, without the need for any persistent data or service state between scans.
read moreRunning Anchore Engine on Openshift
In this post, I will run through an installation of Anchore on OpenShift. I’ll also discuss in brief how to use Anchore to scan images.
read moreWhy I Joined Anchore – David Federlein
Hi, my name is David Federlein and you may remember me from such companies as Ansible/Redhat, Eucalyptus and Digital River. I am extremely excited and happy to announce I’ve joined Anchore as the Director of Customer Success.
The progression of my passion about technology from the early days of my career in unix/linux operations, through development and engineering work, to joining Eucalyptus and Ansible always followed an arc of interest and curiosity. I was always looking to expand my understanding of infrastructure and platform development but also looking for environments that encouraged growth and learning. I was fortunate to have that in the past and I feel extremely fortunate to be able to continue this at Anchore.
read moreGoing deeper with Anchore Policies: Understanding the ‘dockerfile’ policy gate
A policy is a named set of rules, represented as a JSON object within a Policy Bundle, each of which define a specific check to perform and a resulting action to emit if the check returns a match. These checks are defined as Gates that contain Triggers. In this post, I will focus on the ‘dockerfile’ gate and its triggers.
read moreAdding Container Security and Compliance Scanning to your AWS CodeBuild pipeline
This will walkthrough integrating Anchore scanning with AWS CodeBuild. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step, Anchore will scan the image, and depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.
In this blog I will run through the 8 easy steps you can follow to install the Anchore Engine and start performing checks around security, compliance and operational best practices.
Docker Image Security in 5 Minutes or Less
The Anchore Engine is an open source project that provides a centralized service for deep inspection, analysis and certification of container images. It is provided as a Docker container image that can be run standalone or on an orchestration platform such as Kubernetes, Docker Swarm, or Amazon ECS. One great feature of the Open Source Anchore Engine is ease of installation. This allows anyone to get up and running with a world class Docker image analyzer in only about 5 minutes.
In this blog I will run through the 8 easy steps you can follow to install the Anchore Engine and start performing checks around security, compliance and operational best practices.
read moreIntroducing Anchore Policy Hub
The Anchore Policy Hub is a centralized repository of resources that are served and then can be loaded into/consumed by Anchore Engine, via anchore engine clients. This repository serves as the canonical store of source documents (initially, Anchore Policy Bundles), both serving as a location where pre-defined policy bundles can be easily fetched and loaded into Anchore Engine deployments to help with a starting point for creating your own bundles, as well as a location where users of Anchore can submit and share new policy bundles and, moving forward, other Anchore resources as well.
In this blog I will run through the 8 easy steps you can follow to install the Anchore Engine and start performing checks around security, compliance and operational best practices.
read moreWhat is DevSecOps?
Here at Anchore, we consistently work with our users and customers to improve the security of their container images. During these conversations, there is typically an initiative to embed container image scanning into CI/CD pipelines to meet DevSecOps goals.
Quite often, Docker images contain both application and operating system packages. However, in this particular post, I will focus on the identification of a specific vulnerable application package inside an image, walkthrough how it can be visualized within the Anchore Enterprise UI, and what might an approach be to remediate.
Dynamic Policy Mappings and Modes in the Anchore Kubernetes Admission Controller
In December, I introduced an admission controller for Kubernetes to gate pod execution based on Anchore analysis and policy evaluation of image content. It supports 3 different modes of operation allowing you to tune the tradeoff between control and intrusiveness for your environments.
read moreIdentifying Vulnerabilities with Anchore
By far one the most common challenge Anchore helps its users solve is the identification of vulnerabilities within their Docker container images. Anchore analysis tools will inspect container images and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files, and language modules and artifacts. Following this, Anchore will evaluate policies against the analysis result, which includes vulnerability matches on the artifacts discovered in the image.
Quite often, Docker images contain both application and operating system packages. However, in this particular post, I will focus on the identification of a specific vulnerable application package inside an image, walkthrough how it can be visualized within the Anchore Enterprise UI, and what might an approach be to remediate.
read more5 CI/CD Platforms and How They Leverage Docker Container Technology
As containers have exploded onto the IT landscape over the last few years, more and more companies are turning to Docker to provide a quick and effective means to release software at a faster pace.
This shift has caused many Continuous Integration and Continuous Delivery (CI/CD) tools and companies to strategically create and weave new container native solutions into their platforms.
In this blog we’ll take a look at some of the top CI/CD players in the game and the shifts they’ve made to support their users in this brave new world of containers.
read moreA Policy Based Approach to Container Security and Compliance
At Anchore, we take a preventative, policy-based compliance approach, specific to organizational needs. Our philosophy of scanning and evaluating Docker images against user-defined policies as early as possible in the development lifecycle, greatly reduces vulnerable, non-compliant images from making their way into trusted container registries and production environments.
But what do we mean by ‘policy based compliance’? And what are some of the best practices organizations can adopt to help achieve their own compliance needs? In this post we will first define compliance, and then cover a few steps development teams can take to help to bolster their container security.
read moreImproving Open Source Security with Anchore & Snyk
Open source software components and dependencies are increasingly making up a vast majority of software applications. Along with the increased usage of OSS comes the inherent security risks these packages present. Enterprises looking to adopt a greater open source footprint should also employ effective tooling and processes to identify, manage, and mitigate the potential risks these libraries impose.
read moreAdmission Control in Kubernetes with Anchore
Our focus at Anchore is analyzing, validating, and evaluating docker images against custom policies to give users visibility, control-of, and confidence-in their container images before they ever execute. And, its open-source. In this post, I’ll show how to use the new Anchore admission controller for kubernetes to gate execution of docker images in kubernetes according to criteria expressed in Anchore policies such as: security vulnerabilities, package manifests, image build-instructions, image source, and the other aspects of image content that Anchore Engine can expose via policy.
read moreInstalling Anchore Engine on an Azure Kubernetes Service cluster with Helm
In this post I will walkthrough deploying an AKS Cluster using the Azure CLI. Once the cluster has been deployed, Anchore Engine will be installed and run via Helm on the cluster. Following the install, I will configure Anchore to authenticate with Azure Container Registry (ACR) and analzye an image.
read moreUsing Anchore and Slack for Container Security Notifications
With Anchore you can subscribe to TAGs and Images to receive notifications when images are updated, when CVEs are added or removed and when the policy status of an image changes so you can take a proactive approach to ensuring security and compliance.
read moreAnchore Enterprise 1.2 is Available Today
We’re happy today to announce the immediate availability of Anchore Enterprise version 1.2, the latest in our journey to provide users with ability to enforce container security and best-practices with usable, flexible, cross-organization, and above all time-saving technology and techniques from Anchore. This release is based on the all new (and also available today) OSS Anchore Engine version 0.3.0).
read moreDocker Security Best Practices: Part 4 – Runtime Security
Previously, in our Docker Security Best Practices series, we took a deeper look into Docker Image security, and what best practices to follow. This post will continue the series, focusing on Docker container runtime, the challenges that come with securing them, and what countermeasures can be taken to achieve a better container runtime security stance. Left out from this discussion will be any considerations that touch on host or static image security.
read moreDocker Security Best Practices: Part 3 – Securing Container Images
Previously, in our Docker Security Best Practices series, we took a deeper look into Securing the Docker Host, and what best practices to follow. This post will continue the series, focusing on Docker images, the challenges that come with securing these artifacts, and what countermeasures can be taken to achieve a better container image security stance. Left out from this discussion will be any considerations that touch on host or runtime security.
read moreDocker Security Best Practices: Part 2 – Securing the Docker Host
A short while ago we published a blog on Docker security called Docker Security Best Practices: Part 1. We structured it by briefly discussing a comprehensive approach to security the entire container stack from top to bottom. This involves securing the underlying host operating system, the container images themselves, and the container runtime. In this post, we will discuss securing the host operating system in a bit more detail. In short, containerized applications are only as secure as the underlying host, as containers share the operating system kernel. There are some important operating system security best approaches that will strength this layer of the container stack and improve the overall security posture.
read moreIntegrating Anchore Scanning with Gitlab
This will walkthrough integrating Anchore scanning into a Gitlab container image build pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step Anchore will scan the image, and depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be published and reports will be generated.
This approach differs from previous posts where an Anchore engine service has been accessible from the build pipeline.
Integrating Anchore Scanning with CircleCI
This will walkthrough integrating Anchore scanning into a CircleCI pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step Anchore will scan the image, and depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.
read moreDocker Security Best Practices: Part 1
Container security has been one of the hottest topics in the industry as of late, but what does “container security” really mean. Does it mean ensuring your images don’t have vulnerabilities in them? We think true container security involves a much more comprehensive approach including securing the entire container stack from top to bottom.
read moreAdd Container Security and Compliance Scanning to Your Codeship Pipeline
This will walkthrough integrating Anchore scanning into a Codeship pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step Anchore will scan the image, and depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.
read moreIntegrating Anchore Scanning in a Codefresh Pipeline
As Docker usage has greatly increased, it has become increasingly important to gain a better understanding of how to securely configure and deploy Dockerized applications. The Center for Internet Security published 1.13 Docker Benchmark, which provides consensus based guidance by subject matter experts for users and organizations to achieve secure Docker usage and configuration.
read moreUsing Anchore Policies to Help Achieve the CIS Docker Benchmark
As Docker usage has greatly increased, it has become increasingly important to gain a better understanding of how to securely configure and deploy Dockerized applications. The Center for Internet Security published 1.13 Docker Benchmark, which provides consensus based guidance by subject matter experts for users and organizations to achieve secure Docker usage and configuration.
read more