Driving Open Source Container Security Forward
Most organizations build their container infrastructure with open source solutions:
- Linux for the container host
- Docker for container runtime
- Jenkins for CI/CD
- Kubernetes for orchestration
- Prometheus for monitoring
When Anchore was formed there was an obvious gap in open source container security, and our goal was to fill that gap with a best-of-breed container scanning solution that added not just reporting but policy-based compliance. While we were working on Anchore, CoreOS released the Clair project, which provided an open source vulnerability scanner. We are big fans of the work CoreOS has done in the container community, so we looked into that project but saw a number of gaps. Firstly, its focus was reporting on operating system CVEs (vulnerabilities). While CVE scanning is an important first step, it is just the tip of the iceberg: a container security and compliance tool should be looking at policies that cover licensing, secrets, configuration, etc. The second challenge we saw was that Clair was focused more on the registry use case, which, given Clair's use in the CoreOS Quay registry, made perfect sense. So we built a series of tools to address container scanning and compliance from the ground up. Since then we have been glad to see more open source container security solutions come to market, such as Sysdig's Falco runtime security project.
In building the Anchore Engine our philosophy has been to keep the core engine open source and feature complete while providing value-added services on top of the engine, for example a user interface in addition to the API and CLI, and additional enterprise integrations. A user should be able to secure their CI/CD pipeline with our open source engine without requiring a commercial product and without sharing their container and vulnerability data with third parties; everything should work on-premises for free. Of course we are happy to sell you an enterprise offering on top of the open source solution, and if you are ever not satisfied with our enterprise offering you should be able to remove the added services and roll back to the fully functional open source engine.
Roughly every month we have released an update to the open source project, and this week we are proud to announce the 0.2.0 release, which adds a number of interesting new features including Prometheus integration, improved Debian vulnerability reporting and a number of scalability-related enhancements that allow our users to scale to handle thousands of builds a day.
Prometheus is an open source event monitoring system with a time series database, inspired by Google's internal monitoring tools (Borgmon). Prometheus has rapidly become the de facto standard for monitoring and metrics in cloud native environments.
Anchore Engine 0.2.0 adds support for exposing metrics for consumption by Prometheus, allowing collection of metrics, reporting and monitoring of Anchore Engine.
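As an added illustration of what "exposing metrics for consumption by Prometheus" means in practice (this is example code written for this post, not Anchore's own code), the block below parses the Prometheus text exposition format that a `/metrics` endpoint returns and applies a threshold check of the kind an alerting rule would. The scrape text is constructed, and the metric names in it (`anchore_queue_length`, `anchore_analysis_errors_total`) are hypothetical and are not claimed to be the names Anchore Engine actually exports.

```python
"""
Added example, not Anchore's own code: parse a Prometheus text-format
scrape and flag samples that breach a threshold. Metric names below are
hypothetical; the scrape text is constructed for the example.
"""
import re
from typing import Dict, List, NamedTuple, Tuple

# Constructed sample of a /metrics response. HELP/TYPE lines describe the
# metric; each non-comment line is one sample: name{labels} value.
SAMPLE_SCRAPE = """\
# HELP anchore_queue_length Images waiting for analysis (hypothetical metric)
# TYPE anchore_queue_length gauge
anchore_queue_length{queue="images_to_analyze"} 42
# HELP anchore_analysis_errors_total Failed analyses (hypothetical metric)
# TYPE anchore_analysis_errors_total counter
anchore_analysis_errors_total{service="analyzer",instance="analyzer-0"} 3
anchore_analysis_errors_total{service="analyzer",instance="analyzer-1"} 0
# a bare comment line, ignored by the parser
process_cpu_seconds_total 12.5
"""


class Sample(NamedTuple):
    name: str
    labels: Dict[str, str]
    value: float


# name, optional {label="value",...} block, whitespace, value
_LINE = re.compile(
    r'^(?P<name>[a-zA-Z_:][a-zA-Z0-9_:]*)'
    r'(?:\{(?P<labels>[^}]*)\})?\s+(?P<value>\S+)'
)
_LABEL = re.compile(r'(?P<k>[a-zA-Z_][a-zA-Z0-9_]*)="(?P<v>(?:[^"\\]|\\.)*)"')


def parse_exposition(text: str) -> List[Sample]:
    """Turn exposition-format text into a list of Sample records."""
    samples: List[Sample] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # HELP, TYPE and comment lines carry no samples
        m = _LINE.match(line)
        if not m:
            raise ValueError(f"unparseable sample line: {raw!r}")
        labels = {
            lm.group("k"): lm.group("v")
            for lm in _LABEL.finditer(m.group("labels") or "")
        }
        samples.append(Sample(m.group("name"), labels, float(m.group("value"))))
    return samples


def check_threshold(samples: List[Sample], name: str,
                    max_value: float) -> List[Tuple[Dict[str, str], float]]:
    """Return (labels, value) for every sample of `name` above max_value.

    A failed analysis means an image was never fully scanned, so a
    monitoring job would typically alert on any non-zero error counter.
    """
    return [(s.labels, s.value) for s in samples
            if s.name == name and s.value > max_value]


if __name__ == "__main__":
    parsed = parse_exposition(SAMPLE_SCRAPE)
    for labels, value in check_threshold(parsed, "anchore_analysis_errors_total", 0):
        print(f"analysis errors on {labels.get('instance', '?')}: {value:.0f}")
```

In a real deployment Prometheus does the scraping and the rule evaluation; the parser here only makes visible what the server reads from the endpoint and why a counter such as failed analyses is worth alerting on.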
Improved Debian CVE reporting
The Anchore Engine and the Anchore Feed service have been extended to track the Debian-specific no-DSA flag, which indicates that while the package version is vulnerable to a given CVE, the Debian build of this package, either because of build options or environment, is not vulnerable. In previous versions of the Anchore Engine whitelists were used to filter these records from policy output; with Anchore Engine 0.2.0 these CVEs will not be shown on the default CVE report nor within the policy output.
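To make the difference between the two approaches concrete, here is an added example (written for this post, not Anchore's matching code) of a package-to-feed matcher that can either honour a no-DSA marker on the feed record or fall back to stripping the match with a policy whitelist afterwards. The feed records, package list, the `no_dsa` field name and the `CVE-0000-000x` identifiers are all constructed placeholders, and the version comparison is a simplified stand-in for the dpkg algorithm.

```python
"""
Added example, not Anchore's own code: vulnerability matching with and
without a Debian no-DSA marker. All feed data, package data, CVE ids and
the `no_dsa` field name are constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, List, Tuple


@dataclass(frozen=True)
class FeedRecord:
    cve: str
    package: str
    distro: str           # e.g. "debian-9"
    fixed_in: str         # first fixed version, "" if no fix is known
    no_dsa: bool = False  # Debian states this build is not affected


@dataclass(frozen=True)
class InstalledPackage:
    name: str
    version: str
    distro: str


def version_lt(a: str, b: str) -> bool:
    """Simplified Debian-style comparison (not the full dpkg algorithm):
    alternating digit and non-digit runs are compared left to right,
    digit runs numerically, other runs lexically."""
    ta, tb = re.findall(r"\d+|\D+", a), re.findall(r"\d+|\D+", b)
    for x, y in zip(ta, tb):
        if x == y:
            continue
        if x.isdigit() and y.isdigit():
            return int(x) < int(y)
        return x < y
    return len(ta) < len(tb)


def match_vulnerabilities(
    packages: List[InstalledPackage],
    feed: List[FeedRecord],
    honor_no_dsa: bool = True,
    whitelist: FrozenSet[Tuple[str, str]] = frozenset(),
) -> List[Tuple[str, str, str]]:
    """Return (cve, package, version) for every affected installed package.

    honor_no_dsa=True  models 0.2.0: the feed flag suppresses the match.
    honor_no_dsa=False models earlier releases, where the match is made
    and a (cve, package) whitelist has to remove it from policy output.
    """
    matches: List[Tuple[str, str, str]] = []
    for pkg in packages:
        for rec in feed:
            if rec.package != pkg.name or rec.distro != pkg.distro:
                continue
            affected = rec.fixed_in == "" or version_lt(pkg.version, rec.fixed_in)
            if not affected:
                continue
            if honor_no_dsa and rec.no_dsa:
                continue  # feed says the Debian build is not vulnerable
            if (rec.cve, pkg.name) in whitelist:
                continue  # old approach: policy whitelist strips it afterwards
            matches.append((rec.cve, pkg.name, pkg.version))
    return matches


# Constructed sample data; CVE ids are placeholders, not real advisories.
PACKAGES = [
    InstalledPackage("openssl", "1.1.0f-3", "debian-9"),
    InstalledPackage("bash", "4.4-5", "debian-9"),
]
FEED = [
    FeedRecord("CVE-0000-0001", "openssl", "debian-9", "1.1.0g-1"),
    FeedRecord("CVE-0000-0002", "bash", "debian-9", "", no_dsa=True),
    FeedRecord("CVE-0000-0003", "openssl", "debian-9", "1.1.0e-1"),  # already fixed
]

if __name__ == "__main__":
    print("pre-0.2.0 raw matches:", match_vulnerabilities(PACKAGES, FEED, honor_no_dsa=False))
    print("0.2.0 with no-DSA flag:", match_vulnerabilities(PACKAGES, FEED))
```

The whitelist route still works, but it has to be maintained per image and per policy, whereas a flag carried by the feed record is applied once, at match time, for every consumer of that feed.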
Anchore Engine 0.2.0 includes a number of features to simplify scale-out deployments of Anchore Engine on Kubernetes, Amazon ECS and other large-scale environments. Many features have been added to allow Anchore Engine to support thousands of builds a day and hundreds of thousands of images stored within the Anchore database:
- Support for running multiple core services (catalog, API, queue and policy engine). Previous releases had supported scale-out of analyzer workers only.
- Support for storing analysis and other data in external storage systems such as Amazon S3, Swift and clustered file systems in addition to the native database support.
We are currently working on a number of exciting new features for delivery over the next couple of months including:
- Support for matching NVD vulnerabilities in software libraries including Java, Python, Ruby and Node.JS.
- Support for scanning nested Java archives, e.g. Java JAR files stored in WAR files stored in EAR files.
- Layer reporting – exposing image layer data in the Anchore CLI and API
- Layer based policies – allowing policies such as “only allow images built on selected base images”.