We just released the first version of the open-source Anchore command-line tools and we’re excited for the container community to take a look at what we’ve done and provide feedback. This blog post will outline a couple of basic use cases for some of the queries you can run using the tools, and hopefully, give you some ideas for integrating Anchore into your container image management workflow.
Anchore scans container images and records a great deal of information about them: package and file lists, image hierarchies and family trees to track provenance and changes, and maps known security vulnerabilities to the packages installed on your container images. The command-line tools provide a number of ways to query this data.
If you haven’t already installed Anchore and begun scanning your container images, take a look at our installation and quick-start guides.
Once you’re set-up, let’s run a couple of basic package queries. Maybe you want to confirm that a certain library of a specific version is installed across all of your images, for consistency–there’s nothing worse than the dependency hell of a couple of mismatched libraries causing issues throughout your infrastructure. Or maybe your organizational policies require that a certain monitoring package be installed consistently on all of your production containers. These are questions that Anchore can quickly and easily answer.
Here’s an example command that searches a file containing a list of image ids for the “curl” package, and reports the version found:
+--------------+-----------------------+------------+---------+----------------------+
| ImageID | Repo/Tag | QueryParam | Package | Version |
+--------------+-----------------------+------------+---------+----------------------+
| 6a77ab6655b9 | centos:6 | curl | curl | 7.19.7-52.el6 |
| 20c80ee30a09 | ryguyrg/neo4j-panama- | curl | curl | 7.38.0-4+deb8u3 |
| | papers:latest | | | |
| 8fe6580be3ef | slackbridge:latest | curl | curl | 7.43.0-1ubuntu2.1 |
| db688f102aeb | devbad:latest | curl | curl | 7.29.0-25.el7.centos |
+--------------+-----------------------+------------+---------+----------------------+
We just released the first version of the open-source Anchore command-line tools and we’re excited for the container community to take a look at what we’ve done and provide feedback. This blog post will outline a couple of basic use cases for that's pretty simple. How about something a little bit more interesting? Since Anchore has the ability to correlate information about all of your container images together, it can make useful suggestions based on not just the contents of one image, but on all of your images. For example, the “base-image” query will show you if a particular image is up to date relative to its base image:
# anchore explore --imagefile ~/myimages.txt query base-status all
+--------------+-----------------------+---------------+-----------------------+------------+--------------+--------------------+
| InputImageId | InputRepo/Tag | CurrentBaseId | CurrentBaseRepo/Tag | Status | LatestBaseId | LatestBaseRepo/Tag |
+--------------+-----------------------+---------------+-----------------------+------------+--------------+--------------------+
| db688f102aeb | devbad:latest | db688f102aeb | devbad:latest | up-to-date | N/A | N/A |
| 20c80ee30a09 | ryguyrg/neo4j-panama- | 20c80ee30a09 | ryguyrg/neo4j-panama- | up-to-date | N/A | N/A |
| | papers:latest | | papers:latest | | | |
| 8fe6580be3ef | slackbridge:latest | 0b4516a442e7 | ubuntu:wily | up-to-date | N/A | N/A |
| 89fbcb00e7a2 | devgood:latest | 2fa927b5cdd3 | ubuntu:latest | up-to-date | N/A | N/A |
| 6a77ab6655b9 | centos:6 | 6a77ab6655b9 | centos:6 | up-to-date | N/A | N/A |
+--------------+-----------------------+---------------+-----------------------+------------+--------------+--------------------+
If the status is ‘up-to-date’, it means that the container image the input image was initially built from (e.g. what was specified in the input image’s FROM line in its Dockerfile) is the same currently as it was when originally built. The status is ‘out-of-date’, meaning that if you were to rebuild the input image with the same Dockerfile, it would result in a different final image since the base has since been updated (indicated by the LatestBaseId column). This query can be used to determine how ‘fresh’ the analyzed container images are with respect to their base images and could trigger an action to rebuild and redeploy the application containers if they are getting too far out of date from their bases.
Anchore’s query and analysis infrastructure are pluggable, so you can write your own! Stay tuned for more interesting and useful ways to use the data that we collect: with Anchore’s help, your container infrastructure will be slim, up-to-date, and secure.
