Docker Image Security in 5 Minutes or Less

Updated post as of September 24, 2020

The adoption of software containers has been spreading like wildfire in the last few years, reaching new industries and changing the structure and pace at which we consume and produce software. At the same time, container adoption opens new doors for vulnerabilities in the era of software reuse. With developers now using building blocks (software containers) to create programs, applications, and services, visibility into those building blocks is paramount to avoid data breaches.

Securing a software stack can take many forms, and most commonly and historically came in the form of runtime security. These security measures would find real time vulnerabilities only after a door was opened that shouldn’t have been, leaving a security or development team in a reactionary position.

On the other hand, Anchore’s approach to container security begins at the earliest stages in the development process, making sure that every piece of code sourced for a project is put through a series of tests before it gets committed to a project. The Anchore Engine is an open source project that provides a centralized service for deep inspection, analysis and certification of container images. This Docker container image can be run standalone or on an orchestration platform such as Kubernetes, Docker Swarm, Amazon ECS, and more. A great feature of the open source project is the ease of installation, allowing anyone to get up and running with a world-class Docker image analyzer in about five minutes.

In this blog, we are going to run through five easy steps you can follow to install the Anchore Engine and start performing checks around security, compliance and operational best practices.

Anchore Installation

This follows the quickstart guide available in the documentation.

Step 1: Download the docker-compose.yaml file

# mkdir quickstart
# cd quickstart
# curl https://docs.anchore.com/current/docs/engine/quickstart/docker-compose.yaml > docker-compose.yaml

Step 2: Start Anchore Engine

Note: This command should be run from the directory containing docker-compose.yaml

# docker-compose up -d

Step 3: Verify that your DB and service containers are up and then run an anchore-cli command to verify system status

# docker-compose ps
                Name                               Command                        State           Ports
-------------------------------------------------------------------------------------------------------
anchorequickstart_anchore-db_1                   docker-entrypoint.sh postgres    Up      5432/tcp
anchorequickstart_analyzer_1              /docker-entrypoint.sh anch ...   Up      8228/tcp
anchorequickstart_api_1                   /docker-entrypoint.sh anch ...   Up      0.0.0.0:8228->8228/tcp
anchorequickstart_catalog_1               /docker-entrypoint.sh anch ...   Up      8228/tcp
anchorequickstart_policy-engine_1         /docker-entrypoint.sh anch ...   Up      8228/tcp
anchorequickstart_simpleq_1               /docker-entrypoint.sh anch ...   Up      8228/tcp

You can then query the status of the individual Anchore Engine services:

# docker-compose exec api anchore-cli system status
Service policy_engine (anchore-quickstart, http://engine-policy-engine:8228): up
Service simplequeue (anchore-quickstart, http://engine-simpleq:8228): up
Service catalog (anchore-quickstart, http://engine-catalog:8228): up
Service analyzer (anchore-quickstart, http://engine-analyzer:8228): up
Service apiext (anchore-quickstart, http://engine-api:8228): up

Engine DB Version: 0.0.13
Engine Code Version: 0.7.1

Step 4: Sync Anchore Vulnerability Feeds

The first time you run anchore-engine, it will take some time to perform its initial data feed sync (vulnerability data download). Subsequently, anchore-engine only syncs data changes, so you will only have to wait the very first time you start the engine. You can watch the progress of the feed sync with the following anchore-cli command:

# docker-compose exec api anchore-cli system feeds list
Feed                   Group                  LastSync                          RecordCount        
vulnerabilities        alpine:3.10            2020-04-27T19:49:45.186409        1725               
vulnerabilities        alpine:3.11            2020-04-27T19:49:59.993730        1904               
vulnerabilities        alpine:3.3             2020-04-27T19:50:16.213013        457                
vulnerabilities        alpine:3.4             2020-04-27T19:50:20.128136        681                
vulnerabilities        alpine:3.5             2020-04-27T19:50:25.876762        875                
vulnerabilities        alpine:3.6             2020-04-27T19:50:33.361682        1051               
vulnerabilities        alpine:3.7             2020-04-27T19:50:42.354798        1395               
vulnerabilities        alpine:3.8             2020-04-27T19:50:54.311199        1486               
vulnerabilities        alpine:3.9             2020-04-27T19:51:07.340326        1558               
vulnerabilities        amzn:2                 2020-04-27T19:51:20.726861        327                
vulnerabilities        centos:5               2020-04-27T19:51:31.586422        1347               
vulnerabilities        centos:6               2020-04-27T19:51:57.345700        1403               
vulnerabilities        centos:7               2020-04-27T19:52:26.350592        1063               
vulnerabilities        centos:8               2020-04-27T19:52:59.187517        215                
vulnerabilities        debian:10              2020-04-27T19:53:08.194067        22580              
vulnerabilities        debian:11              2020-04-27T19:56:03.833415        19681              
vulnerabilities        debian:7               2020-04-27T19:58:44.907852        20455              
vulnerabilities        debian:8               pending                           12500              
vulnerabilities        debian:9               pending                           None               
vulnerabilities        debian:unstable        pending                           None               
vulnerabilities        ol:5                   pending                           None               
vulnerabilities        ol:6                   pending                           None               
vulnerabilities        ol:7                   pending                           None               
vulnerabilities        ol:8                   pending                           None               
vulnerabilities        rhel:5                 pending                           None               
vulnerabilities        rhel:6                 pending                           None               
vulnerabilities        rhel:7                 pending                           None               
vulnerabilities        rhel:8                 pending                           None               
vulnerabilities        ubuntu:12.04           pending                           None               
vulnerabilities        ubuntu:12.10           pending                           None               
vulnerabilities        ubuntu:13.04           pending                           None               
vulnerabilities        ubuntu:14.04           pending                           None               
vulnerabilities        ubuntu:14.10           pending                           None               
vulnerabilities        ubuntu:15.04           pending                           None               
vulnerabilities        ubuntu:15.10           pending                           None               
vulnerabilities        ubuntu:16.04           pending                           None               
vulnerabilities        ubuntu:16.10           pending                           None               
vulnerabilities        ubuntu:17.04           pending                           None               
vulnerabilities        ubuntu:17.10           pending                           None               
vulnerabilities        ubuntu:18.04           pending                           None               
vulnerabilities        ubuntu:18.10           pending                           None               
vulnerabilities        ubuntu:19.04           pending                           None               
vulnerabilities        ubuntu:19.10           pending                           None               
vulnerabilities        ubuntu:20.04           pending                           None

As soon as all the feeds show a non-zero RecordCount, then the feeds are all synced and the system is ready to generate vulnerability reports. You can add images right away, but you will not see any vulnerability scan results until the vulnerability data feeds are synced.

Start Using the Anchore Engine Service to Analyze Images

First add an image to the engine for analysis, then poll its analysis status until it changes from analyzing to analyzed:

# docker-compose exec api anchore-cli --u admin --p foobar image add docker.io/library/debian:7

# docker-compose exec api anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'
Analysis Status: analyzing

# docker-compose exec api anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'
Analysis Status: analyzing

# docker-compose exec api anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'
Analysis Status: analyzed

# docker-compose exec api anchore-cli --u admin --p foobar image vuln docker.io/library/debian:7 all
Vulnerability ID    Package                        Severity     Fix     Vulnerability URL
CVE-2005-2541       tar-1.26+dfsg-0.1+deb7u1       Negligible   None    https://security-tracker.debian.org/tracker/CVE-2005-2541
CVE-2007-5686       login-1:4.1.5.1-1+deb7u1       Negligible   None    https://security-tracker.debian.org/tracker/CVE-2007-5686
CVE-2007-5686       passwd-1:4.1.5.1-1+deb7u1      Negligible   None    https://security-tracker.debian.org/tracker/CVE-2007-5686
CVE-2007-6755       libssl1.0.0-1.0.1t-1+deb7u4    Negligible   None    https://security-tracker.debian.org/tracker/CVE-2007-6755
...

# docker-compose exec api anchore-cli --u admin --p foobar evaluate check docker.io/library/debian:7
Image Digest: sha256:92d507d81bd3b0459b121215f6f9d8249bb154c8b65e041942745dcc6309a7b5
Full Tag: docker.io/library/debian:7
Status: pass
Last Eval: 2018-11-06T22:51:47Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
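The feed-sync check from Step 4 and the add, poll and evaluate sequence above are exactly what a build pipeline automates, so the build is blocked rather than a person re-running image get by hand. The script below is an added example, not code from this post or from the Anchore project: it waits until no feed group is still pending, adds an image, polls its analysis status, and returns non-zero unless the policy evaluation reports pass. It assumes the anchore-cli invocation and quickstart credentials shown above (overridable through ANCHORE_CLI), the output formats shown in this post, and the Anchore status value analysis_failed for a failed analysis; the function names and the POLL_SECONDS and MAX_POLLS knobs are the example's own.

```shell
#!/bin/sh
# Added example, not from the Anchore post or project: a CI gate around the
# quickstart commands. Every name below is the example's own assumption.

# Command prefix from the post; override with e.g. ANCHORE_CLI="anchore-cli".
: "${ANCHORE_CLI:=docker-compose exec api anchore-cli --u admin --p foobar}"
: "${POLL_SECONDS:=10}"   # seconds between status polls
: "${MAX_POLLS:=60}"      # give up after this many polls

# Count feed groups that have not finished syncing. Reads the text of
# `anchore-cli system feeds list` on stdin; a group is unsynced when its
# LastSync column is "pending" or its RecordCount is "None" (the two
# not-yet-synced states visible in the post's output). Skips the header line.
pending_feed_count() {
    awk 'NR > 1 && ($3 == "pending" || $4 == "None") { n++ } END { print n + 0 }'
}

# Pull the value of the "Analysis Status:" line out of `image get` output.
analysis_status() {
    sed -n 's/^Analysis Status:[[:space:]]*//p' | head -n 1
}

# Pull the pass/fail value of the "Status:" line out of `evaluate check` output.
eval_status() {
    sed -n 's/^Status:[[:space:]]*//p' | head -n 1
}

# Poll until every feed group has synced. Returns 1 on timeout.
wait_for_feeds() {
    i=0
    while [ "$i" -lt "$MAX_POLLS" ]; do
        pending=$($ANCHORE_CLI system feeds list | pending_feed_count)
        [ "$pending" -eq 0 ] && return 0
        echo "feeds: $pending groups still syncing" >&2
        i=$((i + 1)); sleep "$POLL_SECONDS"
    done
    return 1
}

# Add an image and poll until analysis reaches a terminal state.
# Returns 0 for "analyzed"; 1 for "analysis_failed" or timeout.
wait_for_analysis() {
    image=$1
    $ANCHORE_CLI image add "$image" >/dev/null
    i=0
    while [ "$i" -lt "$MAX_POLLS" ]; do
        status=$($ANCHORE_CLI image get "$image" | analysis_status)
        case "$status" in
            analyzed) return 0 ;;
            analysis_failed) echo "analysis failed for $image" >&2; return 1 ;;
        esac
        i=$((i + 1)); sleep "$POLL_SECONDS"
    done
    echo "timed out waiting for analysis of $image" >&2
    return 1
}

# Full gate: succeeds only when the feeds are synced, the image is analyzed
# and the policy evaluation reports "pass".
gate_image() {
    image=$1
    wait_for_feeds || { echo "feeds never finished syncing" >&2; return 1; }
    wait_for_analysis "$image" || return 1
    result=$($ANCHORE_CLI evaluate check "$image" | eval_status)
    echo "policy evaluation for $image: $result" >&2
    [ "$result" = "pass" ]
}

# Usage: ./gate.sh docker.io/library/debian:7   (exit code is the gate result)
if [ -n "${1:-}" ]; then
    gate_image "$1"
fi
```

The gate treats a missing or unexpected status as "not passed": an empty result from eval_status (for example if the CLI could not reach the API) falls through to the final test and fails the build, which is the safe default for a pipeline step.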

Conclusion

It is critically important for developers to know exactly what is inside a software container before it is used, and to enforce company-wide policy and compliance requirements throughout the build process. When used responsibly, static image security tools can prevent many of the vulnerabilities otherwise first seen at runtime, and they allow developers to quickly build great products and services. By using Anchore Engine, you can know more about the building blocks sourced for your projects and stay on top of policy and compliance requirements.