The adoption of software containers has been spreading like wildfire in the last few years, reaching new industries and changing the structure and pace at which we consume and produce software. At the same time, container adoption opens new doors for vulnerabilities in the era of software reuse. With developers now using building blocks (software containers) to create programs, applications, and services, visibility into those building blocks is paramount to avoid data breaches.
Securing a software stack can take many forms; most commonly, and historically, it has come in the form of runtime security. These measures find vulnerabilities in real time, but only after a door that should have stayed shut has been opened, leaving the security or development team in a reactive position.
On the other hand, Anchore’s approach to container security begins at the earliest stages in the development process, making sure that every piece of code sourced for a project is put through a series of tests before it gets committed to a project. The Anchore Engine is an open source project that provides a centralized service for deep inspection, analysis and certification of container images. This Docker container image can be run standalone or on an orchestration platform such as Kubernetes, Docker Swarm, Amazon ECS, and more. A great feature of the open source project is the ease of installation, allowing anyone to get up and running with a world-class Docker image analyzer in about five minutes.
In this blog, we are going to run through five easy steps you can follow to install the Anchore Engine and start performing checks around security, compliance and operational best practices.
This follows the quickstart guide available in the documentation.
Step 1: Download the docker-compose.yaml file
# mkdir quickstart
# cd quickstart
# curl https://docs.anchore.com/current/docs/engine/quickstart/docker-compose.yaml > docker-compose.yaml
Step 2: Start Anchore Engine
Note: This command should be run from the directory containing docker-compose.yaml
# docker-compose up -d
Step 3: Verify that your DB and service containers are up and then run an anchore-cli command to verify system status
# docker-compose ps
Name                                Command                          State   Ports
-------------------------------------------------------------------------------------------------------
anchorequickstart_anchore-db_1      docker-entrypoint.sh postgres    Up      5432/tcp
anchorequickstart_analyzer_1        /docker-entrypoint.sh anch ...   Up      8228/tcp
anchorequickstart_api_1             /docker-entrypoint.sh anch ...   Up      0.0.0.0:8228->8228/tcp
anchorequickstart_catalog_1         /docker-entrypoint.sh anch ...   Up      8228/tcp
anchorequickstart_policy-engine_1   /docker-entrypoint.sh anch ...   Up      8228/tcp
anchorequickstart_simpleq_1         /docker-entrypoint.sh anch ...   Up      8228/tcp
Then run the following command to get the status of the Anchore Engine services:
# docker-compose exec api anchore-cli system status
Service policy_engine (anchore-quickstart, http://engine-policy-engine:8228): up
Service simplequeue (anchore-quickstart, http://engine-simpleq:8228): up
Service catalog (anchore-quickstart, http://engine-catalog:8228): up
Service analyzer (anchore-quickstart, http://engine-analyzer:8228): up
Service apiext (anchore-quickstart, http://engine-api:8228): up

Engine DB Version: 0.0.13
Engine Code Version: 0.7.1
Step 4: Sync Anchore Vulnerability Feeds
The first time you run anchore-engine, it will take some time to perform its initial data feed sync (the vulnerability data download). Subsequently, anchore-engine will only sync changes, so you only have to wait the very first time you start the engine. You can watch the status of the feed sync with the following anchore-cli command:
# docker-compose exec api anchore-cli system feeds list
Feed               Group              LastSync                      RecordCount
vulnerabilities    alpine:3.10        2020-04-27T19:49:45.186409    1725
vulnerabilities    alpine:3.11        2020-04-27T19:49:59.993730    1904
vulnerabilities    alpine:3.3         2020-04-27T19:50:16.213013    457
vulnerabilities    alpine:3.4         2020-04-27T19:50:20.128136    681
vulnerabilities    alpine:3.5         2020-04-27T19:50:25.876762    875
vulnerabilities    alpine:3.6         2020-04-27T19:50:33.361682    1051
vulnerabilities    alpine:3.7         2020-04-27T19:50:42.354798    1395
vulnerabilities    alpine:3.8         2020-04-27T19:50:54.311199    1486
vulnerabilities    alpine:3.9         2020-04-27T19:51:07.340326    1558
vulnerabilities    amzn:2             2020-04-27T19:51:20.726861    327
vulnerabilities    centos:5           2020-04-27T19:51:31.586422    1347
vulnerabilities    centos:6           2020-04-27T19:51:57.345700    1403
vulnerabilities    centos:7           2020-04-27T19:52:26.350592    1063
vulnerabilities    centos:8           2020-04-27T19:52:59.187517    215
vulnerabilities    debian:10          2020-04-27T19:53:08.194067    22580
vulnerabilities    debian:11          2020-04-27T19:56:03.833415    19681
vulnerabilities    debian:7           2020-04-27T19:58:44.907852    20455
vulnerabilities    debian:8           pending                       12500
vulnerabilities    debian:9           pending                       None
vulnerabilities    debian:unstable    pending                       None
vulnerabilities    ol:5               pending                       None
vulnerabilities    ol:6               pending                       None
vulnerabilities    ol:7               pending                       None
vulnerabilities    ol:8               pending                       None
vulnerabilities    rhel:5             pending                       None
vulnerabilities    rhel:6             pending                       None
vulnerabilities    rhel:7             pending                       None
vulnerabilities    rhel:8             pending                       None
vulnerabilities    ubuntu:12.04       pending                       None
vulnerabilities    ubuntu:12.10       pending                       None
vulnerabilities    ubuntu:13.04       pending                       None
vulnerabilities    ubuntu:14.04       pending                       None
vulnerabilities    ubuntu:14.10       pending                       None
vulnerabilities    ubuntu:15.04       pending                       None
vulnerabilities    ubuntu:15.10       pending                       None
vulnerabilities    ubuntu:16.04       pending                       None
vulnerabilities    ubuntu:16.10       pending                       None
vulnerabilities    ubuntu:17.04       pending                       None
vulnerabilities    ubuntu:17.10       pending                       None
vulnerabilities    ubuntu:18.04       pending                       None
vulnerabilities    ubuntu:18.10       pending                       None
vulnerabilities    ubuntu:19.04       pending                       None
vulnerabilities    ubuntu:19.10       pending                       None
vulnerabilities    ubuntu:20.04       pending                       None
As soon as all the feeds show a non-zero RecordCount, the feeds are fully synced and the system is ready to generate vulnerability reports. You can add images right away, but you will not see any vulnerability scan results until the vulnerability data feeds have synced.
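If you want a pipeline to wait for that condition rather than a person re-running the command, the script below parses the feeds output and polls until no group is still pending. It is an added example, not part of the Anchore quickstart or the project's own tooling: the two sample outputs embedded in it are constructed (modelled on the columns above, with only a few groups), and the polling command and interval are assumptions that you can override when calling wait_for_feeds.

```shell
#!/bin/sh
# Added example: decide whether every feed group reported by
# `anchore-cli system feeds list` has finished its initial sync.
# A group counts as unsynced when its LastSync column reads "pending"
# or its RecordCount is "None" or "0".

# Constructed sample output (not captured from a real engine), trimmed
# to three groups, with the same four columns the quickstart shows.
SAMPLE_PENDING='Feed               Group            LastSync                    RecordCount
vulnerabilities    alpine:3.10      2020-04-27T19:49:45.186409  1725
vulnerabilities    debian:9         pending                     None
vulnerabilities    ubuntu:20.04     pending                     None'

SAMPLE_SYNCED='Feed               Group            LastSync                    RecordCount
vulnerabilities    alpine:3.10      2020-04-27T19:49:45.186409  1725
vulnerabilities    debian:9         2020-04-27T20:10:01.000000  26011
vulnerabilities    ubuntu:20.04     2020-04-27T20:12:44.000000  388'

# feeds_synced: reads feeds-list output on stdin, prints the name of every
# group that is still unsynced (one per line) and returns 0 only when none are.
feeds_synced() {
    awk 'NR > 1 && NF >= 4 && ($3 == "pending" || $4 == "None" || $4 == "0") {
             print $2; pending++
         }
         END { if (pending > 0) exit 1; exit 0 }'
}

# count_pending: number of unsynced groups in the output on stdin.
count_pending() {
    feeds_synced | wc -l | tr -d ' '
}

# wait_for_feeds: polls a live engine until every group is synced.
# The default command assumes the docker-compose quickstart layout above;
# pass a different command as $1 and a poll interval in seconds as $2.
wait_for_feeds() {
    cmd="${1:-docker-compose exec api anchore-cli system feeds list}"
    interval="${2:-60}"
    until sh -c "$cmd" | feeds_synced >/dev/null; do
        echo "feed sync still running; retrying in ${interval}s"
        sleep "$interval"
    done
    echo "all feeds synced"
}
```

Run wait_for_feeds once after docker-compose up in a CI job; when it returns, image analysis results will include vulnerability matches instead of an empty report.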
Start Using the Anchore Engine Service to Analyze Images
docker.io/library/debian:7
# docker-compose exec api anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'
Analysis Status: analyzing
# docker-compose exec api anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'
Analysis Status: analyzing
# docker-compose exec api anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'
Analysis Status: analyzed
# docker-compose exec api anchore-cli --u admin --p foobar image vuln docker.io/library/debian:7 all
Vulnerability ID    Package                          Severity      Fix     Vulnerability URL
CVE-2005-2541       tar-1.26+dfsg-0.1+deb7u1         Negligible    None    https://security-tracker.debian.org/tracker/CVE-2005-2541
CVE-2007-5686       login-1:220.127.116.11-1+deb7u1  Negligible    None    https://security-tracker.debian.org/tracker/CVE-2007-5686
CVE-2007-5686       passwd-1:18.104.22.168-1+deb7u1  Negligible    None    https://security-tracker.debian.org/tracker/CVE-2007-5686
CVE-2007-6755       libssl1.0.0-1.0.1t-1+deb7u4      Negligible    None    https://security-tracker.debian.org/tracker/CVE-2007-6755
...                 ...                              ...
# docker-compose exec api anchore-cli --u admin --p foobar evaluate check docker.io/library/debian:7
Image Digest: sha256:92d507d81bd3b0459b121215f6f9d8249bb154c8b65e041942745dcc6309a7b5
Full Tag: docker.io/library/debian:7
Status: pass
Last Eval: 2018-11-06T22:51:47Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
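The two reports above are what a build pipeline would consume, so the script below shows how to turn them into a pass/fail gate: it reads the Status line from evaluate check, tallies the image vuln findings by severity, and fails the build when the policy evaluation did not pass or when any High or Critical finding already has a fix available. This is an added example, not code from the Anchore project. The evaluate check sample reuses the values printed above; the vulnerability sample is constructed, and its CVE-EXAMPLE-* identifiers, package names and fix versions are placeholders.

```shell
#!/bin/sh
# Added example: a CI gate built on the output of
# `anchore-cli image vuln <image> all` and `anchore-cli evaluate check <image>`.

# Constructed sample of `image vuln ... all` output. The first two rows copy
# findings shown in the post; the CVE-EXAMPLE-* rows are placeholders.
SAMPLE_VULNS='Vulnerability ID   Package                        Severity     Fix             Vulnerability URL
CVE-2005-2541      tar-1.26+dfsg-0.1+deb7u1       Negligible   None            https://security-tracker.debian.org/tracker/CVE-2005-2541
CVE-2007-6755      libssl1.0.0-1.0.1t-1+deb7u4    Negligible   None            https://security-tracker.debian.org/tracker/CVE-2007-6755
CVE-EXAMPLE-0001   libfoo-1.0-1+deb7u1            High         1.0-1+deb7u2    https://example.invalid/CVE-EXAMPLE-0001
CVE-EXAMPLE-0002   libbar-2.3-4                   Critical     None            https://example.invalid/CVE-EXAMPLE-0002'

# Sample `evaluate check` output, taken from the report shown in the post.
SAMPLE_EVAL='Image Digest: sha256:92d507d81bd3b0459b121215f6f9d8249bb154c8b65e041942745dcc6309a7b5
Full Tag: docker.io/library/debian:7
Status: pass
Last Eval: 2018-11-06T22:51:47Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060'

# eval_status: prints the value of the "Status:" line (pass or fail) from stdin.
eval_status() {
    awk '$1 == "Status:" { print $2; exit }'
}

# severity_counts: prints "<severity> <count>" for every severity seen on stdin.
# The header row is skipped; the Severity column is the third field.
severity_counts() {
    awk 'NR > 1 && NF >= 4 { n[$3]++ } END { for (s in n) print s, n[s] }' | sort
}

# count_severity: number of findings at exactly one severity, e.g. count_severity High
count_severity() {
    awk -v sev="$1" 'NR > 1 && NF >= 4 && $3 == sev { c++ } END { print c + 0 }'
}

# fixable_high_or_critical: High/Critical findings whose Fix column is not "None",
# i.e. the ones a rebuild with updated packages would remove.
fixable_high_or_critical() {
    awk 'NR > 1 && NF >= 4 && ($3 == "High" || $3 == "Critical") && $4 != "None" { c++ }
         END { print c + 0 }'
}

# gate: $1 is evaluate-check output, $2 is image-vuln output.
# Returns 0 only when the policy passed and no fixable High/Critical finding remains.
gate() {
    status="$(printf '%s\n' "$1" | eval_status)"
    fixable="$(printf '%s\n' "$2" | fixable_high_or_critical)"
    echo "policy status: $status; fixable High/Critical findings: $fixable"
    if [ "$status" = "pass" ] && [ "$fixable" -eq 0 ]; then
        return 0
    fi
    return 1
}
```

With the constructed sample the engine's policy says pass, yet gate still returns 1 because the High finding in libfoo has a fix version; that second check is the script's own addition on top of the engine's policy, which you would normally express as a rule in the Anchore policy bundle instead of in shell.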
It is critically important for developers to know exactly what is inside a software container before it is used, and to enforce company-wide policy and compliance regulations throughout the build process. When used responsibly, static image security tools can prevent many of the vulnerabilities seen at runtime, and they allow developers to quickly build great products and services. By using Anchore Engine, you can know more about the building blocks sourced for your projects and stay on top of policy and compliance requirements.
[Note: This article was updated in May, 2020.]