Anchore Blog

Introduction to Amazon EKS

In June of 2018, Amazon announced the general availability of their Elastic Container Service for Kubernetes. Given that at Anchore we deliver our products as Docker container images, it came as no surprise to us that our users and customers would begin deploying our software on EKS. Since Kubernetes, Kubernetes on AWS, and Anchore on EKS adoption have all increased, I thought it best to give EKS a shot.

Going deeper with Anchore Policies: Using Whitelists

Anchore policy bundles are the unit of policy definition and evaluation. Anchore users may have multiple policy bundles, but for a policy evaluation the user must specify a bundle to be evaluated, or default to the bundle currently marked as active. One of the components of a policy bundle is the whitelist. A whitelist is a set of exclusion rules for trigger matches found during policy evaluation.

Operational Awareness and Performance Tuning For Anchore – Part 1: Architecture and Metrics

In the first set of posts in this series, I will walk through how to evaluate and tune your Anchore deployment for better image analysis performance. To do so, we’ll discuss the actions Anchore Engine takes to pull, analyze and evaluate images and how that is affected by configuration and deployment architecture. We’ll also point out how you can get metrics on each of these functions to determine what you can do to improve the performance of your deployment.

Adding Vulnerability Scanning and Policy-Compliance for Your Containers in CI/CD, No Stateful Service Required

Today we are introducing a new way to interact with Anchore to get image scans, evaluations, and content reports without requiring a central anchore-engine deployment to be available. We call this new approach ‘inline scan’, to indicate that a single, one-time scan can be performed ‘inline’ against a local container image at any time, without the need for any persistent data or service state between scans.

Why I Joined Anchore – David Federlein

Hi, my name is David Federlein and you may remember me from such companies as Ansible/Redhat, Eucalyptus and Digital River. I am extremely excited and happy to announce I’ve joined Anchore as the Director of Customer Success.

The progression of my passion about technology from the early days of my career in unix/linux operations, through development and engineering work, to joining Eucalyptus and Ansible always followed an arc of interest and curiosity. I was always looking to expand my understanding of infrastructure and platform development but also looking for environments that encouraged growth and learning. I was fortunate to have that in the past and I feel extremely fortunate to be able to continue this at Anchore.

Adding Container Security and Compliance Scanning to your AWS CodeBuild pipeline

This post will walk through integrating Anchore scanning with AWS CodeBuild. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step, Anchore will scan the image and, depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.

Docker Image Security in 5 Minutes or Less

The Anchore Engine is an open source project that provides a centralized service for deep inspection, analysis and certification of container images. It is provided as a Docker container image that can be run standalone or on an orchestration platform such as Kubernetes, Docker Swarm, or Amazon ECS. One great feature of the open source Anchore Engine is its ease of installation, which allows anyone to get up and running with a world-class Docker image analyzer in only about 5 minutes.

In this blog I will run through the 8 easy steps you can follow to install the Anchore Engine and start performing checks around security, compliance and operational best practices.

Introducing Anchore Policy Hub

The Anchore Policy Hub is a centralized repository of resources that are served and can then be loaded into and consumed by Anchore Engine via Anchore Engine clients. It is the canonical store of source documents (initially, Anchore Policy Bundles). It serves both as a place where pre-defined policy bundles can be easily fetched and loaded into Anchore Engine deployments, giving you a starting point for creating your own bundles, and as a place where Anchore users can submit and share new policy bundles and, moving forward, other Anchore resources as well.

What is DevSecOps?

Here at Anchore, we consistently work with our users and customers to improve the security of their container images. During these conversations, there is typically an initiative to embed container image scanning into CI/CD pipelines to meet DevSecOps goals.

Identifying Vulnerabilities with Anchore

By far one of the most common challenges Anchore helps its users solve is the identification of vulnerabilities within their Docker container images. Anchore analysis tools inspect container images and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files, and language modules and artifacts. Following this, Anchore evaluates policies against the analysis result, which includes vulnerability matches on the artifacts discovered in the image.

Quite often, Docker images contain both application and operating system packages. In this particular post, however, I will focus on the identification of a specific vulnerable application package inside an image, walk through how it can be visualized within the Anchore Enterprise UI, and discuss what an approach to remediation might be.

5 CI/CD Platforms and How They Leverage Docker Container Technology

As containers have exploded onto the IT landscape over the last few years, more and more companies are turning to Docker to provide a quick and effective means to release software at a faster pace.

This shift has caused many Continuous Integration and Continuous Delivery (CI/CD) tools and companies to strategically create and weave new container native solutions into their platforms.

In this blog we’ll take a look at some of the top CI/CD players in the game and the shifts they’ve made to support their users in this brave new world of containers.

A Policy Based Approach to Container Security and Compliance

At Anchore, we take a preventative, policy-based compliance approach, specific to organizational needs. Our philosophy of scanning and evaluating Docker images against user-defined policies as early as possible in the development lifecycle greatly reduces the chance of vulnerable, non-compliant images making their way into trusted container registries and production environments.

But what do we mean by ‘policy based compliance’? And what are some of the best practices organizations can adopt to help achieve their own compliance needs? In this post we will first define compliance, and then cover a few steps development teams can take to help to bolster their container security.

Improving Open Source Security with Anchore & Snyk

Open source software components and dependencies increasingly make up the vast majority of software applications. Along with the increased usage of OSS come the inherent security risks these packages present. Enterprises looking to adopt a greater open source footprint should also employ effective tooling and processes to identify, manage, and mitigate the potential risks these libraries pose.

Admission Control in Kubernetes with Anchore

Our focus at Anchore is analyzing, validating, and evaluating Docker images against custom policies to give users visibility into, control of, and confidence in their container images before they ever execute. And it's open source. In this post, I’ll show how to use the new Anchore admission controller for Kubernetes to gate execution of Docker images in Kubernetes according to criteria expressed in Anchore policies, such as security vulnerabilities, package manifests, image build instructions, image source, and the other aspects of image content that Anchore Engine can expose via policy.

Anchore Enterprise 1.2 is Available Today

We’re happy today to announce the immediate availability of Anchore Enterprise version 1.2, the latest step in our journey to provide users with the ability to enforce container security and best practices with usable, flexible, cross-organization, and above all time-saving technology and techniques from Anchore. This release is based on the all-new (and also available today) OSS Anchore Engine version 0.3.0.

Docker Security Best Practices: Part 4 – Runtime Security

Previously, in our Docker Security Best Practices series, we took a deeper look into Docker image security and what best practices to follow. This post will continue the series, focusing on the Docker container runtime, the challenges that come with securing it, and what countermeasures can be taken to achieve a better container runtime security stance. Left out of this discussion will be any considerations that touch on host or static image security.

Docker Security Best Practices: Part 3 – Securing Container Images

Previously, in our Docker Security Best Practices series, we took a deeper look into securing the Docker host and what best practices to follow. This post will continue the series, focusing on Docker images, the challenges that come with securing these artifacts, and what countermeasures can be taken to achieve a better container image security stance. Left out of this discussion will be any considerations that touch on host or runtime security.

Docker Security Best Practices: Part 2 – Securing the Docker Host

A short while ago we published a blog on Docker security called Docker Security Best Practices: Part 1. We structured it by briefly discussing a comprehensive approach to securing the entire container stack from top to bottom. This involves securing the underlying host operating system, the container images themselves, and the container runtime. In this post, we will discuss securing the host operating system in a bit more detail. In short, containerized applications are only as secure as the underlying host, because containers share the operating system kernel. There are some important operating system security best practices that will strengthen this layer of the container stack and improve the overall security posture.

Integrating Anchore Scanning with Gitlab

This post will walk through integrating Anchore scanning into a GitLab container image build pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step, Anchore will scan the image and, depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be published and reports will be generated.
This approach differs from previous posts where an Anchore engine service has been accessible from the build pipeline.

Integrating Anchore Scanning with CircleCI

This post will walk through integrating Anchore scanning into a CircleCI pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step, Anchore will scan the image and, depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.

Docker Security Best Practices: Part 1

Container security has been one of the hottest topics in the industry as of late, but what does “container security” really mean? Does it mean ensuring your images don’t have vulnerabilities in them? We think true container security involves a much more comprehensive approach, including securing the entire container stack from top to bottom.

Add Container Security and Compliance Scanning to Your Codeship Pipeline

This post will walk through integrating Anchore scanning into a Codeship pipeline. During the first step, a Docker image will be built from a Dockerfile. Following this, during the second step, Anchore will scan the image and, depending on the result of the policy evaluation, proceed to the final step. During the final step the built image will be pushed to a Docker registry.

Integrating Anchore Scanning in a Codefresh Pipeline

Using Anchore Policies to Help Achieve the CIS Docker Benchmark

As Docker usage has greatly increased, it has become increasingly important to gain a better understanding of how to securely configure and deploy Dockerized applications. The Center for Internet Security published the 1.13 Docker Benchmark, which provides consensus-based guidance from subject matter experts for users and organizations to achieve secure Docker usage and configuration.