Helm is the package manager for Kubernetes, inspired by package managers such as Homebrew, yum, npm and apt. Applications are packaged in Charts, which are a collection of files that contain the definition and configuration of resources to be deployed to a Kubernetes cluster. Helm was created by Deis, who donated the project to the Cloud Native Computing Foundation (CNCF).
If, like me, you’re subscribed to receive updates for popular base images such as CentOS, then this morning you may have received an email like this from Anchore. Here, you are receiving a warning that a new, HIGH severity CVE was just found in the CentOS image. You can read more about the vulnerability in Red Hat’s security advisory RHSA-2018:0102, which covers the impact of CVE-2017-3145 on the BIND DNS package.
The Anchore Engine supports analyzing images from any Docker V2 compatible registry; however, when accessing an Amazon ECR registry, extra steps must be taken to handle Amazon Web Services authentication.
Google recently announced Grafeas, Greek for “scribe”, which is an open source initiative with the goal of standardizing interfaces for auditing and governance, designed for today’s modern software supply chain. I would strongly recommend that you read the blog published by Shopify, which covers in detail the use case that Grafeas is designed to address.
There are no easy ways to perform a “diff” on Docker container images to see what has changed between versions. While there is a docker diff command, it shows what files have changed in a running container but will not show changes between container images. You could also look at the Dockerfile; however, the same Dockerfile used at two different times will likely produce different images, since the underlying operating system packages and application files may have been updated.
For most users, analyzing or auditing container images usually means running a CVE scan, and while that is certainly required, it should be just the first step. Anchore supports creating policies that can be used to assess the compliance of your...
Today Anchore announced the release of Anchore Cloud 2.0, which builds on top of Anchore’s open source engine to provide a suite of tools that allow organizations to perform detailed analysis of container images and apply user-defined policies to ensure that containers meet the organization’s security requirements and operational best practices.
In our last blog we talked about how quickly different repos respond to updates to their base images. Any changes made by the base image will need to be implemented in the application images built on top of it, so updates to popular base images spread far and, as we saw from the last blog, quickly.
In the previous blog we presented our analysis of image update frequency for official DockerHub images and the implications for application images built on top of these base images. It was pointed out in a Reddit reply by /u/AskOnDock29 that users can update the operating system packages in the images themselves, independently of the official image, and so the frequency, or infrequency, of base image updates is not a concern since this is easily manageable by end users.
In our last blog, we reported on operating systems usage on DockerHub, focusing on official base images.
Most users do not build their container images from scratch; they build on top of these base images, for example extending an image such as library/alpine:latest with their own application content.
Whenever one of these base OS images is updated, images built on top are typically rebuilt in order to inherit the fixes included in the base image. In this blog, we will be looking at the update frequency of base images: frequency of updates, changes made and how that impacts end users.
While that may sound like advice your mother gave you after you got into a fight at school we are actually talking about Docker Images.
Yesterday we started to notice a lot of activity on our worker nodes on anchore.io, which were analyzing a large number of images that had been updated on DockerHub.
Today Anchore announced a new open source project that allows users to install a local copy of the powerful container analysis and policy engine that powers the Anchore Navigator service.
The Anchore Engine is an open source project that provides a centralized service for inspection, analysis and certification of container images. The Anchore Engine is provided as a Docker container image that can be run standalone or on an orchestration platform such as Kubernetes, Docker Swarm, Rancher or Amazon ECS.
While containers are thought of as “micro-services” or applications, if you open up the image you will see more than just an application: more often than not, you’ll see an entire operating system image along with the application. If you dig into the image you will find that certain parts of the operating system are missing, such as the kernel and hardware-specific modules, and often, but sadly not always, the package list is reduced. If you are deploying a pre-packaged container built by a third party you may not even know what operating system has been used to build the container, let alone what packages are inside.
Hi, I’m Max de Visser and I’ve recently joined the Anchore team as a Data Analytics Intern. I am working towards a BS in computer science and a minor in statistics at nearby UC Santa Barbara. The recent growth of big data - and data science in...
Ivan Akulov just published a rather worrying blog entitled Malicious Packages in NPM, in which he documents a recent discovery of several malicious NPM packages that were copies of existing packages with similar names. While they contained the same functionality, they also included malicious code that would collect and exfiltrate environment variables from your system in the hope of finding sensitive information such as authentication tokens.
We extended one of the most popular features of the Anchore Navigator, tag notifications, in our latest beta. Previously, users could subscribe to a tag and receive a notification when a new image was pushed with that tag. For example, if you used...
In October 2016 Anchore announced the launch of the Anchore Navigator, a free service to allow users to discover and analyze images on public container registries. Since then thousands of users have used the Navigator to search for container...
Today Red Hat announced a new certification program for container images. Key to this announcement is the concept of a container health index that is used to grade a container, which is “determined by Red Hat’s evaluation of the level of critical or important security errata that is missing from an image”.
The majority of Docker users do not build their images from scratch; instead, they are built on top of base images that have been created and published by others. Usually these are official images that have been created by an organization or...
Over the last 2 months we ran a short survey to collect information about container usage. The survey was slightly shorter than the one we performed in conjunction with DevOps.com and Redmonk 6 months ago, but provides deep insight into how the container ecosystem has shifted and continued to evolve over a short period of time. Running multiple surveys gives us the ability to see trends develop, and as we review the results of each survey we think of new questions to ask in the next survey to dig deeper.
We often mention CVEs in our blogs but we usually skip over the topic, explaining that while CVE checking is important, it is just the tip of the iceberg and that you need to look deeper into the image to check configuration files, non-packaged...
In last week’s blog we covered how to create custom policies that can be used to evaluate your container images as part of your CI/CD pipeline or at any time during their lifetime. We explained that you should always perform a CVE scan of your...
Since we released Anchore’s open source project almost a year ago we’ve seen fast-growing adoption by users who want to perform detailed inspection and analysis of their container images. By far the most common use case we see with our...
At the heart of Anchore’s solution is the concept of users certifying container images based on rules that they define. In the past, certifications for applications typically came from operating system vendors who defined their own standards and worked with independent software vendors (ISVs) on certification programs to give a level of assurance to end users that the application was compatible with the underlying operating system. Other organizations have created standards and certification tests to cover various forms of compliance validation, especially in the government sector or regulated industries.
At Anchore we spend a whole lot of time looking at container images to provide detailed analysis and certification. Most of the discussions we hear in the industry around image analysis focus on CVE scanning: how many CVEs are in an image,...
Today we have released an update to our popular open source Jenkins plugin adding a number of powerful new features.
Using Anchore’s freely available and open source Jenkins plugin you can secure your Jenkins pipeline in less than 30 minutes, adding image scanning that includes not just CVE-based security scans but policy-based scans that can include checks around security, compliance and operational best practices.
What’s going on in the world of Anchore’s open source platform? As you might know, Anchore has an online container image navigator that provides unique visibility into the contents of container images; our system is constantly watching...
Oracle just announced a new container image: Oracle Linux 7-Slim. Their goal was to create a leaner image and improve security in the process, since reducing the footprint of the container also reduces the attack surface. You can check out that...
Docker recently announced an exciting new release of Docker Datacenter that included Integrated Secrets Management from Docker 1.13. Many containers need access to sensitive information as part of their configuration; for example, they may need the...
We started the week with an exciting announcement about the Anchore Navigator, which received a significant update with many new features. The two new features that are proving to be the most popular are the ability to submit an image for analysis and...