Anchore Blog

One of the most popular features of the Anchore Cloud service is the ability to deep dive into any container image to inspect its contents to see what files, packages and software libraries make up an image. Before I import any public image into my development environment I check out the list of security vulnerabilities in the image, if any, the policy status (does it fail basic compliance checks) and then I dig into the contents tab to see what operating system packages and libraries are in the image. I am still surprised at just how large many images are.

If like me you’re subscribed to receive updates for popular base images such as CentOS, then this morning you may have received an email like this from Anchore. Here, you are receiving a warning that a new, HIGH severity CVE was just found in the CentOS image. You can read more about the vulnerability in Red Hat’s security advisory RHSA-2018:0102 which covers the impact of CVE-2017-3145 on the BIND DNS package.

There are no easy ways to perform a “diff” on Docker container images to see what has changed between versions. While there is a docker diff command this command shows what files have changed in a running container but will not show changes between container images. You could also look at the Dockerfile, however the same Dockerfile used at two different times will likely produce different images since the underlying operating system packages and application files may have been updated.

For most users analyzing or auditing container images usually means running a CVE scan and while that is certainly required, it should be just the first step. Anchore supports creating policies that can be used to assess the compliance of your...

Today Anchore announced the release of Anchore Cloud 2.0 which builds on top of Anchore’s open source engine to provide a suite of tools to allow organizations to perform detailed analysis of container images and apply user defined policies to ensure that containers meet the organization’s security requirements and operational best practices.

In our last blog we talked about how quickly different repos respond to updates to their base images. Any changes made by the base image will need to be implemented in the application images built on top of it, so updates to popular base images spread far and, as we saw from the last blog, quickly.

While that may sound like advice your mother gave you after you got into a fight at school we are actually talking about Docker Images.

Yesterday we started to notice a lot of activity on our worker nodes on anchore.io which were analyzing a large number of images that were updated on DockerHub.

While containers are thought of as “micro-services” or applications, if you open up the image you will see more than just an application – more often than not, you’ll see an an entire operating system image along with the application. If you dig into the image you will find that certain parts of the operating system are missing such as kernel and hardware specific modules and often, but sadly not always, the package list is reduced. If you are deploying a pre packaged container built by a 3rd party you may not even know what operating system has been used to build the container let alone what packages are inside.

Hi, I’m Max de Visser and I’ve recently joined the Anchore team as a Data Analytics Intern. I am working towards a BS in computer science and a minor in statistics at nearby UC Santa Barbara. The recent growth of big data - and data science in...

Ivan Akulov just published a rather worrying blog entitled Malicious Packages in NPM in which he documents a recent discovery of several malicious NPM packages that were copies of existing packages with similar names which while they contained the same functionality they also included malicious code that would collect and exfiltrate environmental variables from your system in the hope of finding sensitive information such as authentication tokens.

We extended one of the most popular features of the Anchore Navigator, tag notifications, in our latest beta. Previously users could subscribe to a tag and receive a notification when a new image was pushed with that tag. For example if you used...

In October 2016 Anchore announced the launch of the Anchore Navigator a free service to allow users to discover and analyze images on public container registries. Since then thousands of users have used the Navigator to search for container...