Introducing Anchore Enterprise 2.3

Today, we announced the availability of Anchore Enterprise 2.3 for our enterprise and federal government customers.

Keeping to a 4 month development cycle since our last release, 2.3 includes some big new features that sees expanded coverage for Windows containers and .NET packages as the headline. Microsoft is the original developer-champion; combined with their acquisition of GitHub, another ecosystem we are deepening support for, they are critical to the adoption of DevSecOps that is at the heart of Anchore’s mission.

Many thanks to the folks at Microsoft and GitHub who helped us with the features in the release, and well done to the engineering team for getting out the release despite the distraction and stresses of the pandemic.

Read about this release here, or view this webinar covering all the features of 2.3.

Support for Windows containers

While Linux containers continue to represent the lion’s share of containers on Docker Hub and in production, Microsoft have been enthusiastic supporters of containers for Windows since 2016 when they released the first Windows container. Last year, Windows officially became supported on various distributions of Kubernetes.

As of 2.3, Anchore Enterprise can now inspect, scan and enforce policies across Windows containers, the same way we support Linux containers.  We perform a deep inspection of the entire image, cataloging all the files and their metadata to produce a software bill of materials (SBOM). These can be viewed in the Files tab of our UI or via the API, just as you can browse a Linux image.

Once we have this analysis, we then perform our security assessment. Unlike Linux images, which are collections of multiple packages, each with their own version information, Windows container images are more monolithic. That means the security information for the base OS is produced slightly differently. By comparing the difference between the latest version (or patch set) of the base image and the version you are scanning, we generate a list of all the vulnerabilities that you may be exposed to as disclosed by the Microsoft Research Center. Vulnerability checks, along with all of the other policy gates available in Anchore, can be applied to Windows images.

In addition to the OS vulnerabilities, Anchore Enterprise will also report on any additional language vulnerabilities for Python, Ruby, Node or Java apps layered on top of the base image. Of course, the most common application framework used with Windows is .NET which we are also now able to offer in Tech Preview.

Vulnerability scanning for Nuget packages (Tech Preview)

Nuget is a popular package management system for handling .NET packages. Sponsored by Microsoft, it is run as a community project and functions identically to other language packaging systems like npm, pip or gem that provide a central repository for libraries and add-ons.

Anchore Enterprise will now scan for Nuget package indexes and map .NET package versions against disclosed vulnerabilities, both on Linux or Windows containers. A new Nuget tab can be seen via our UI and is available as an option via the API which allows you to see what packages are installed.

Unlike npm or Python, there is less curation and centralization of security issues in the Nuget community. Individual contributors are left to decide how they want to manage their security notices. For the 2.3 release, we have chosen vulnerability sources which have the highest volume of disclosures and are making this feature available as Tech Preview so we can assess the coverage this provides for customer applications. As new sources become available, we will look to include them in future releases.

GitHub Security Database and Red Hat CVE Database

Last November, GitHub made several security announcements. Most notable was their ability to create CVEs directly from within their product and the availability of a security database that aggregated these CVEs and any other advisories created by hosted projects.

Anchore Enterprise now uses the GitHub Security Database as part of our aggregated vulnerability feed alongside other open and proprietary data sources. Customers should see more vulnerabilities being reported, especially where the source code software originates on GitHub. We really like the security workflows being embedded into GitHub and hope the communities of open source projects will use them to create a high fidelity database over time.

We’ve also switched to using the Red Hat CVE database as our primary source for all things RHEL-related. Previously we were using Red Hat Security Advisories which only provided notice of resolved issues and the products affected. The CVE database provides more information about issues that Red Hat have marked as “won’t fix” and uses CVE as the primary key, making it easier to manage policies using just CVE rules.

User interface improvements: Scheduled Reports and Event Management

One of the key differentiators for Anchore compared to other security tools is our ability to produce highly customizable reports that allow security teams to get a clear picture of their risks. Under the hood, we use GraphQL but our UI makes the process of creating a report much easier. Until now, these reports were created ad-hoc. With 2.3, reporting templates can be created and then scheduled for automatic creation. A notification can be configured via email, Slack, MS Teams or other methods, to notify you of the report’s availability.

Finally, we have also added an event management system to help admins more easily scan the system logs, find errors and prune old entries directly from within the UI.

Looking forward

As ever, we look forward to hearing feedback from our open source community, commercial customers and partners. Don’t forget to join our community Slack channel as we discuss features for the next release due later in the year.