Just in time for the holidays, Anchore Enterprise 2.2, our latest update, is now generally available to all of our customers. For this release, we focus on third-party integrations to send notifications, and a new system dashboard to help customers view the status of their systems. This new enterprise release is based on open source Anchore Engine 0.6.0, also available now.
New Integrations with GitHub, Jira, Slack & Microsoft Teams
Anchore Enterprise is commonly used in either a CI/CD pipeline with a container registry or with a Kubernetes admission controller, to analyze and report on any container image issues. When an image fails a policy check, you typically want to notify your developers as soon as possible so they can fix the issue. With our new integrations, these notifications can now be sent to popular workflow tools (or via plain old email if you prefer), enabling the information to be used as part of existing processes.
Notifications can optionally be separated by account, by type (system or user) and by level (info, warn, error), which allows you to send alerts about security vulnerabilities to one set of users and notifications about the Anchore system itself to another.
Importantly for images, notifications are sent not only at the time of the initial scan, but also when a new vulnerability is detected in a previously scanned image, or when a policy is changed that causes an image to be marked as “out of compliance’. The notification service is a fantastic way of creating remediation workflows from the security team to the developers, or as part of an automated system. Look for upcoming Anchore integrations with other systems.
System Dashboard and Feed Sync Status
Anchore Enterprise is a distributed application consisting of many parts, including a database, a message queue, a report engine, a policy engine and so on. To help users see the status of each component, we’ve added a new system dashboard which makes it easier to troubleshoot issues and understand the roles of the various services.
The dashboard also reports which vulnerability data sources have been successfully downloaded. Anchore Enterprise downloads a complete set of vulnerability data for use locally, reducing the need to send data back and forth over the internet, and enabling air-gapped operations. This way, you are ensured that you are receiving data from all relevant sources and that the data is up to date, which is critical for securing your container images.
Looking Into 2020
We are planning one more release in the 2 series for early 2020. After that, we will focus on version 3 of the product which will significantly expand Anchore’s policy-based security capabilities by supporting all aspects of the container’s journey, from code to cloud. As more companies adopt DevSecOps practices, we hear feedback from our users that every step of the software development lifecycle should be enforced with clear policies that prevent the introduction of inadvertent or malicious flaws. We look forward to hearing feedback from our users about their experiences with Anchore Enterprise 2.2 and collaborating on the next phase of the Anchore roadmap.