Anchore Engine tips and tricks to analyze container security images

Anchore Engine: Tips and Tricks for New Users

Just like you, I was new to Anchore just a few short weeks ago. Here is a quick run down to make getting started just a little bit easier using the documentation for Anchore Engine.

Anchore Engine is an open source project that allows users to inspect and analyze security risks within containers. It can be used as a standalone tool, as a part of a CI/CD pipeline to scan for security vulnerabilities during a software build pipeline, or as a custom solution through integration via the REST API. It is a powerful tool with limitless possibilities, but for our purposes today, we will use Anchore Engine on its own.

Pre-installation Setup

The quickest way to get started is through Docker Compose. But before pulling the Docker image, we need to make sure that the machine we will be running Anchore on has enough resources to run smoothly. For production environments, we recommend using the Anchore Helm chart as Kubernetes allows for greater flexibility when it comes to load balancing, scalability, and performance. However, for getting started quickly, Docker is perfectly fine. You can refer to other technical specifications that are necessary for provisioning a machine to run Anchore, if needed.

Provisioning with Anchore Engine

If we want Anchore to detect non-os vulnerabilities coming from different package managers such as pip, yum, etc., we need to configure it to do so in the config.yaml file in the container. Set the nvd parameter to true to sync non-os vulnerability feeds and then restart Anchore. This will start the feed sync again with the new sources. For additional assistance, find information on enabling various feed sources.

Once you have the Anchore containers up and running, your next step is to wait. The vulnerability feeds need some time to sync. This will only take a few minutes to complete, and in the meantime, you can install the Anchore CLI. This will make executing commands faster and easier than executing them through the Anchore Engine container. To do this, ensure that Python and pip are installed on your system and run pip install --user --upgrade anchorecli. With Anchore CLI installed, you can add your first image. Additionally, Anchore Engine can be accessed through its API.  *Note. It is highly recommended that you enable Swagger UI as it allows for greater visibility into the Anchore Engine API.

The Anchore CLI is built on top of the Anchore REST API. With it installed, we can do a number of things. Once the feeds have finished syncing, we can begin scanning images with a full vulnerability library backing up our scans.

Analyzing Images

Adding an image is as simple as running the following command anchore-cli image add <repository>/library/<image_name>:<version>. This will pull the requested image and queue it for analysis as well as provide a print out of metadata discovered within the repository. Once the engine has completed its analysis, the status will be set to analyzed and the vulnerability findings can be viewed. If you want to specify a Dockerfile to be analyzed as additional metadata, this can be accomplished by running the command just like it was before, but with the addition of specifying the location of the dockerfile whose content should be passed in along with the image: anchore-cli image add<repository>/library/<image_name>:<version> --dockerfile=/path/to/Dockerfile and if we want to reanalyze an image, we will add it again with a --force tag at the end.

We can also analyze images from private repositories. By default, Anchore Engine will only pull images from TLS/SSL enabled registries. If yours is self-signed or has a certificate from an uncommon or unknown CA source, you can still scan your images. Simply run one of the two following commands to add the image. anchore-cli registry add REGISTRY USERNAME PASSWORD --insecure will skip credential validation in the case that you are sure the credentials are correct, but cannot be validated by Anchore Engine.

Once an image is analyzed, we will want to view its contents or other information associated with that image. We can do this by running anchore-cli image content INPUT_IMAGE CONTENT_TYPE.

Once an image is analyzed, we can view the vulnerabilities present in that particular image. To do so, we will run anchore-cli image vuln IMPUT_IMGAGE VULN_TYPE. The available vuln types are os which are vulnerabilities against operating system packages, non-os which are vulnerabilities against language packages such as pip, or we can display both by adding the tag all. With these commands, we will get a report of the vulnerabilities and their severity.

Conclusion

With this, we should have a good start on understanding some of the major concepts behind Anchore Engine and how it works. For more information, the documentation is a great place to look.