With the release of Anchore Enterprise 2.3 (built upon Anchore Engine v0.7.1), we are happy to announce a new feed provider: GitHub Security Advisories (GHSA).

GHSAs are another source of data that Anchore uses to match vulnerabilities to packages within a container. In this post, we will look into what GHSAs include, describe how Anchore uses them, and walk through an example GitHub Action using Anchore to identify vulnerabilities from GHSAs.

GHSA Explained

As described in About GitHub Security Advisories, GHSAs allow code maintainers to privately discuss and fix security issues in their projects, and upon completion of a fix, publish the advisory to the project’s community. In turn, by publishing security advisories, maintainers make it easier for their communities to update affected packages and further investigate the impact of the vulnerability.

GHSA Under the Hood

GitHub is an authorized CVE Numbering Authority (CNA), and a GHSA can optionally include an existing CVE reference or request that one be assigned through GitHub. When a new advisory is filed with GitHub, it is reviewed and pushed to the GitHub Advisory Database. Anchore uses this database as an upstream feed data source, allowing us to match vulnerabilities with the most up-to-date vulnerability data available.

For more information on CVEs, check out the blog by Anchore’s very own Hayden Smith on Why We Care About CVEs.

GHSA as an Anchore Feed Provider

Anchore uses GHSAs to match potential vulnerabilities for the following supported language types:

  • Java
  • Python
  • Ruby
  • Gem

GHSAs also give us a preview of NuGet (.NET) vulnerabilities, allowing Anchore to discover NuGet packages as part of the image analysis process. Including language packages during image inspection makes Anchore more than just a tool to identify CVEs; it also allows fine-grained control, through policies, over what is included in an image.

Enabling the GitHub Feed Driver for Anchore Enterprise

GHSA is a publicly available feed source with an open API that requires that users generate a Personal Access Token (PAT) from their GitHub account. While GHSA is a feed source included in the open source Anchore Engine version, enabling the GHSA feed driver within Anchore Enterprise requires the PAT to be configured in the on-premise Enterprise Feeds Service; no other special permission or scoping is required.

For a full overview and instructions on how to generate and enable the GHSA Feed Driver within Anchore, please refer to Anchore Enterprise Feed Driver Configuration to begin using GHSA feeds in your deployment.

GitHub Scan Action with Anchore and GHSA

A seamless way to integrate Anchore with GHSA feeds is to use the GitHub Scan Action. Check out Anchore's GitHub Scan Action for more information on using Anchore within GitHub’s CI/CD.

We begin by creating a Dockerfile that installs a package with a known GHSA vulnerability:

FROM docker.io/python:3.8.0a3

RUN pip install aubio==0.4.8

CMD echo "This is just a test"

Then we add it to a GitHub repository with the following Scan Action defined:

name: Docker Image CI
on: [push]
jobs:
  # Job id (any name works)
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: Build the Docker image
      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
    # Scan the image built in the previous step
    - uses: anchore/scan-action@master
      with:
        image-reference: "localbuild/testimage:latest"
        dockerfile-path: "./Dockerfile"
        fail-build: true
    # Print each JSON report found in ./anchore-reports
    - name: anchore inline scan JSON results
      run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done

We are able to see that the Anchore Scan Action identifies multiple vulnerabilities. Let’s drill down on a known vulnerability identified as `GHSA-grmf-4fq6-2r79`:

From the scan results, we can see that GHSA is flagging a Mercurial Python package. It provides a link to the GHSA where we can see details about the vulnerability:

From here, end users can determine the best approach to remediation according to their organizational needs.
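
As an added example (not Anchore's code and not part of the original post), the JSON reports printed by the last workflow step can be filtered down to GHSA-sourced findings before deciding on remediation. The report field names (`vulnerabilities`, `vuln`, `feed_group`, `package_name`, `package_version`, `severity`) are an assumed layout, and every sample value except the advisory ID and the package name from this post is constructed.

```python
"""Filter GHSA-sourced findings out of an Anchore vulnerability report."""
import json
import re

# GHSA IDs are three 4-character groups drawn from this alphabet.
GHSA_ID = re.compile(r"^GHSA(-[23456789cfghjmpqrvwx]{4}){3}$")
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample. Field names are an assumed report layout; only the
# advisory ID and the package name "mercurial" come from this post.
SAMPLE_REPORT = json.loads("""
{"vulnerabilities": [
  {"vuln": "GHSA-grmf-4fq6-2r79", "feed_group": "github:python",
   "package_name": "mercurial", "package_version": "0.0.0", "severity": "High"},
  {"vuln": "CVE-0000-0001", "feed_group": "debian:9",
   "package_name": "libexample", "package_version": "1.0", "severity": "Critical"},
  {"vuln": "GHSA-not-a-real-id", "feed_group": "github:gem",
   "package_name": "example", "package_version": "1.0", "severity": "Low"}
]}
""")


def ghsa_findings(report):
    """Group findings with a well-formed GHSA ID by feed ecosystem."""
    grouped = {}
    for item in report.get("vulnerabilities", []):
        if not GHSA_ID.match(item.get("vuln", "")):
            continue  # OS-feed CVEs and malformed IDs are skipped
        ecosystem = item.get("feed_group", "unknown").split(":", 1)[-1]
        grouped.setdefault(ecosystem, []).append(item)
    return grouped


def should_fail(grouped, threshold="High"):
    """True if any GHSA finding is at or above the severity threshold."""
    floor = SEVERITY_RANK[threshold]
    return any(SEVERITY_RANK.get(f.get("severity"), 0) >= floor
               for findings in grouped.values() for f in findings)


if __name__ == "__main__":
    for eco, findings in ghsa_findings(SAMPLE_REPORT).items():
        for f in findings:
            print(eco, f["vuln"], f["package_name"], f["severity"])
    print("fail build:", should_fail(ghsa_findings(SAMPLE_REPORT)))
```

To use it on real output, load each file under `./anchore-reports/` with `json.load` and pass the result to `ghsa_findings`, adjusting the field names if your report layout differs.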

At Anchore, we strive to provide comprehensive, actionable vulnerability identification that enables development without compromising security. The addition of GHSA as a feed data provider allows users to find vulnerabilities more quickly, highlighting the value of shifting security further to the left.