Blog

In our last blog, we reported on operating systems usage on DockerHub, focusing on official base images.
Most users do not build their container image from scratch they built on top of these base images, for example extending an image such as library/alpine:latest with their own application content.
Whenever one of these base OS images is updated, images built on top are typically rebuilt in order to inherit the fixes included in the base image. In this blog, we will be looking at the update frequency of base images: frequency of updates, changes made and how that impacts end users.

While that may sound like advice your mother gave you after you got into a fight at school we are actually talking about Docker Images.

Yesterday we started to notice a lot of activity on our worker nodes on anchore.io which were analyzing a large number of images that were updated on DockerHub.

While containers are thought of as “micro-services” or applications, if you open up the image you will see more than just an application – more often than not, you’ll see an an entire operating system image along with the application. If you dig into the image you will find that certain parts of the operating system are missing such as kernel and hardware specific modules and often, but sadly not always, the package list is reduced. If you are deploying a pre packaged container built by a 3rd party you may not even know what operating system has been used to build the container let alone what packages are inside.

Hi, I’m Max de Visser and I’ve recently joined the Anchore team as a Data Analytics Intern. I am working towards a BS in computer science and a minor in statistics at nearby UC Santa Barbara. The recent growth of big data - and data science in...

In October 2016 Anchore announced the launch of the Anchore Navigator a free service to allow users to discover and analyze images on public container registries. Since then thousands of users have used the Navigator to search for container...

The majority of Docker users do not built their images from scratch, instead they are built on top of base images that have been created and published by others. Usually these are official images that have been created by an organization or...

In last week’s blog we covered how to create custom policies that can be used to evaluate your container images as part of your CI/CD pipeline or at any time during their lifetime. We explained that you should always perform a CVE scan of your...

Since we released Anchore’s open source project almost a year ago we’ve seen fast growing adoption by users who want to perform detailed inspection and analysis of their container images. By far the most common use case we see with our...

At the heart of Anchore’s solution is the concept of users certifying container images based on rules that they define. In the past certifications for applications typically came from operating systems vendors who defined their own standards and worked with independent software vendors (ISVs) on certification programs to give a level of assurance to end users that the application was compatible with the underlying operating system. Other organizations have created standards and certification tests to cover various forms of compliance validation, especially in the government sector or regulated industries.

At Anchore we spend a whole lot of time looking at container images to provide detailed analysis and certification. Most of the discussions we hear in the industry around image analysis focus on CVE scanning: how many CVEs are in an image,...

What’s going on in the world of Anchore’s open source platform? As you might know, Anchore has an online container image navigator that provides unique visibility into the contents of container images--our system is constantly watching...

Oracle just announced a new container image: Oracle Linux 7-Slim. Their goal was to create a more lean image and improve security in the process, since reducing the footprint of the container also reduces the attack surface. You can check out that...

Docker recently announced an exciting new release of Docker Datacenter that included Integrated Secrets Management from Docker 1.13. Many containers need access to sensitive information as part of their configuration, for example they may need the...

We started the week with an exciting announcement about the Anchore Navigator which received a significant update with many new features, the two new features that are proving to be the most popular are the ability submit an image for analysis and...

In October 2016 Anchore announced the first release of our commercial product, built on top of our open source container analysis engine. The focus of the open source project and the commercial offering is to deliver tools that perform deep…

Occam’s razor is a well known philosophical principle that’s entered mainstream culture.
While there are many ways to describe this principle the most succinct is:

“The simplest answer is most often correct.”

The lesson behind this razor is that if there are many explanations for a particular phenomena, then out of the many and often complex alternative explanations the simplest is likely the most likely to be correct.

Back on October we introduced the Anchore Navigator which provides a powerful web UI to allow users to search for repositories and then drill down into individual images to get more details including the tags for a given image, Dockerfile, digest, image layers, labels and update history.

Today we formally announced that Anchore had joined the Open Container Initiative. The OCI was established to develop standards for containers, initially focusing on the runtime format specification but later adding the container image format specification.