Today, we are pleased to announce the GA of Anchore Enterprise 2.4. In keeping with previous releases in the 2.x series, version 2.4 has been heavily driven by customer requests both in terms of features and operational improvements. Without further ado, let’s go into the main enhancements.
Base Image Comparison
It is common for teams to standardize around a base OS image upon which application teams then layer their specific content. With our new base image comparison feature, application teams can see which security issues or vulnerabilities have been introduced by their own code or dependencies, and are therefore their responsibility, and which belong to the owner of the base image. More importantly, it also allows the base image owner to see what issues they can resolve across multiple applications by addressing them in the base image. Given that a few judicious upgrades of libraries in a base image can resolve a huge swathe of vulnerabilities, this feature makes it easy to find the changes that have the most impact for the fewest steps.
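The comparison described above can be sketched as set arithmetic over scan findings. This is an added example, not Anchore's code or API: the function names, the finding tuple layout and the sample data (with placeholder vulnerability IDs) are all constructed for illustration.

```python
from collections import Counter

# Constructed sample findings (not real scanner output): each finding is
# (vulnerability id, package, installed version). IDs are placeholders.
BASE = {
    ("VULN-0001", "openssl", "1.1.1c"),
    ("VULN-0002", "openssl", "1.1.1c"),
    ("VULN-0003", "zlib", "1.2.11"),
}
APPS = {
    "billing": BASE | {("VULN-0100", "requests", "2.19.0")},
    # This team upgraded zlib in its own layer, so VULN-0003 no longer applies.
    "search": (BASE - {("VULN-0003", "zlib", "1.2.11")})
              | {("VULN-0200", "lodash", "4.17.4"), ("VULN-0201", "lodash", "4.17.4")},
}

def split_findings(base, app):
    """Partition an application image's findings by who owns the fix."""
    return {
        "inherited": app & base,   # present in the base image: base owner
        "introduced": app - base,  # added by the app's own layers: app team
    }

def rank_base_upgrades(base, apps):
    """Rank base-image packages by findings an upgrade would clear fleet-wide.

    Returns [(package, findings_cleared, apps_affected)], highest impact first.
    """
    cleared, affected = Counter(), {}
    for name, findings in apps.items():
        for _vuln, pkg, _ver in findings & base:
            cleared[pkg] += 1
            affected.setdefault(pkg, set()).add(name)
    return sorted(
        ((pkg, n, len(affected[pkg])) for pkg, n in cleared.items()),
        key=lambda row: (-row[1], row[0]),
    )

if __name__ == "__main__":
    for name, findings in APPS.items():
        parts = split_findings(BASE, findings)
        print(name, {k: sorted(v) for k, v in parts.items()})
    print(rank_base_upgrades(BASE, APPS))
```

Matching on the full (id, package, version) tuple means a package the application team has replaced in its own layer is attributed to that team rather than to the base image owner.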
Despite the rise of more modern malware like cryptomining trojans, traditional viruses continue to affect software via the software supply chain. Anchore will now scan for viruses in binaries against a database of known signatures as part of our deep image inspection. A rule can be created in our policy engine that generates a “warn” or “stop” if a virus is detected. This allows you to do your virus scans as part of CI/CD as well as for scanning existing content in a registry.
When Anchore analyzes an image, it looks at package indexes, names of files and other metadata to generate matches with vulnerability information. Sometimes this information is unavailable, either because it is missing or because it is not discoverable. A good example is Go, the popular programming language, where libraries are compiled in. Using a hint file, which is detected within the image itself, developers can explicitly enumerate the dependencies they have used, which Anchore will then use to generate vulnerability matches. This feature is best used where the creation of the hint file is formalized as part of the development process. In addition, we have added Go as a type (in both the API and UI) in the Anchore system so vulnerabilities can be explicitly related to the language.
As long-term admins of Anchore will be aware, every now and then a user will add a repository that contains 1000s of tags, each containing hundreds of images. Previously, our queuing system worked on a first-in-first-out (FIFO) basis, which meant that when a large repo was added, it could block other users with more urgent requests. With the new fair queueing algorithm in 2.4, the system will ensure that each account or tenant in the system gets equal processing time, with one image being processed for each account at a time in a round-robin fashion.
Bulk Image Deletion API
It is common for the size of the Anchore database to grow over time as users add more and more repos. Many of the images that get scanned do not need to be retained by the system, as they are test or scratch images. Previously, deleting them from the database required one API call per image, with users writing scripts to iteratively call the API to delete multiple images. With the new bulk API, a user can submit a list of repos/images that should be deleted in bulk, asynchronous to the API call.
Many additional features and improvements have gone into the graphical user interface. Most notably, users will now see a “What’s New” popup after their administrators have upgraded the system. This will introduce them to the new features listed above and other areas of change.
Many thanks to the customers who provided feedback and testing on our new features. We’re keen to hear feedback from prospective or existing customers on our Slack channel about this release and to receive feedback for the next one.
And finally, a huge thanks to the engineering team for keeping the momentum on our product releases even during the pandemic.
Please bookmark our product release page to see videos on all Anchore Enterprise releases, past, current and future as we announce them.