Anchore Blog
Using Open Source Tools to Create a Secure Container Based CI/CD Pipeline
Docker gives developers the ability to streamline packaging, storage, and deployment of applications at great scale. With increased use of container technologies across software development teams, securing these images become challenging. Due to the increased flexibility and agility, security checks for these images need to be woven into an automated pipeline and become part of the development lifecycle.
read moreVendorless – Security the Open Source Way
Whether you love or hate the term, ‘serverless’ is one of the hottest new trends in the cloud computing world. Despite what the name may suggest, there are certainly still servers running your code, the real innovation here is that you do not need to manage these servers you just publish your code to be run by the serverless infrastructure. This architecture can be better described as FaaS: functions as a service or BaaS: backend as a service. Amazon lead this innovation with its Lamda service and other cloud providers have followed suit, including Google with Google Cloud Functions and Microsoft with Azure Functions.
read moreIntroducing Anchore Enterprise 1.1
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreIntegrating Anchore Scanning into Jenkins Pipeline via Jenkinsfile
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreUpdates to the Anchore Plugin for Jenkins
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreAnchore & Falco, End-to-End OSS Container Security Solution
While open source solutions have historically provided the core layer of infrastructure, there have been areas in which organizations would need to look at proprietary solutions. The most notable of which is security which had until recently remained the bastion of commercial vendors.
read moreHow Often are Docker Images Updated – Revisited
Almost a year ago we looked at the frequency with which some of the most popular images in the Docker registry are updated and compared the frequency of base image (alpine, debian, etc) updates with that of popular non-OS images. We found that while updates to base images came in around once a month, non-OS images updated much more frequently – up to eight to ten updates in the case of the widely used node:latest and php:latest packages.
read moreThe real difference between CI and CD: Confidence
As an industry when we talk about DevOps we tend to lump together the terms CI and CD as if they are exactly the same thing. In this post we’ll cover the differences between them and introduce to a new cloud native CI/CD solution from a familiar project.
read moreWhy CVE Scanning Still Isn’t Enough
On Thursday the Node Package Manager team removed a node package from the NPMJS.org registry. You can read more about the discovery in this bleepingcomputer article or on incident reported on the the npm blog. This package was found to have a malicious payload which provided a framework for a remote attacker to execute arbitrary code. While the module was removed from the NPM registry you may already have this module in your environment.
read moreThe Container Chronicle Volume 2
When we launched the Container Chronicle newsletter we planned on making this a monthly newsletter to make sure there was enough content to make it a worthwhile read while not making it too long. Well, two weeks later there was so much...
read moreDriving Open Source Container Security Forward
When Anchore was formed there was an obvious gap in terms of open source container security and our goal was to fill that gap with the best in breed container scanning solution that added not just reporting but policy based compliance. At the same time we were working on Anchore CoreOS released the Clair project which provided an open source vulnerability scanner. We are big fans of the work CoreOS has done in the container community so we looked into that project but saw a number of gaps:
read moreNo Excuses – Start Scanning
One of the most popular features of the Anchore Cloud service is the ability to deep dive into any container image to inspect its contents to see what files, packages and software libraries make up an image. Before I import any public image into my development environment I check out the list of security vulnerabilities in the image, if any, the policy status (does it fail basic compliance checks) and then I dig into the contents tab to see what operating system packages and libraries are in the image. I am still surprised at just how large many images are.
read moreWelcome to the Container Chronicle
Things change rapidly in the fast fluid world of Containers, sometimes it’s hard to keep up. So we’re starting a new newsletter called The Container Chronicle to help you stay on top of everything newsworthy from Cloud to Kubernetes, Docker to...
read moreSecuring Kubernetes Workloads using Anchore
Many users have already implemented Anchore to secure their CI/CD pipeline, to ensure that only images that are compliant with their security policies are pushed to their production registries. While this is a crucial process to implement on the path to implementing strong governance of container environments this only the first step.
read moreInstalling Anchore with a Single Command Using Helm
Helm is the package manager for Kubernetes, inspired by packaged managers such as homebrem, yum, npm and apt. Applications are packaged in Charts which are a collection of files that contain the definition and configuration of resources to be deployed to a Kubernetes cluster. Helm was created by Deis who donated the project to the Cloud Native Computing Foundation (CNCF).
read moreHandling False Positives
If like me you’re subscribed to receive updates for popular base images such as CentOS, then this morning you may have received an email like this from Anchore. Here, you are receiving a warning that a new, HIGH severity CVE was just found in the CentOS image. You can read more about the vulnerability in Red Hat’s security advisory RHSA-2018:0102 which covers the impact of CVE-2017-3145 on the BIND DNS package.
read moreScanning Images on Amazon Elastic Container Registry (ECR)
The Anchore Engine supports analyzing images from any Docker V2 compatible registry however when accessing an Amazon ECR registry extra steps must be taken to handle Amazon Web Services authentication.
read moreDigging into Grafeas
Google recently announced Grafeas, Greek for “scribe”, which is an open source initiative with the goal of standardizing interfaces for auditing and governance, designed for today’s modern software supply chain. I would strongly recommend that you read the blog published by Shopify which covers in detail the use case that Grafeas is designed to address.
read moreIntroducing the Anchore Changelog
There are no easy ways to perform a “diff” on Docker container images to see what has changed between versions. While there is a docker diff command this command shows what files have changed in a running container but will not show changes between container images. You could also look at the Dockerfile, however the same Dockerfile used at two different times will likely produce different images since the underlying operating system packages and application files may have been updated.
read moreHow Many CVEs?
For most users analyzing or auditing container images usually means running a CVE scan and while that is certainly required, it should be just the first step. Anchore supports creating policies that can be used to assess the compliance of your...
read moreAnchore Cloud 2.0
Today Anchore announced the release of Anchore Cloud 2.0 which builds on top of Anchore’s open source engine to provide a suite of tools to allow organizations to perform detailed analysis of container images and apply user defined policies to ensure that containers meet the organization’s security requirements and operational best practices.
read moreMore than just Security Updates
In our last blog we talked about how quickly different repos respond to updates to their base images. Any changes made by the base image will need to be implemented in the application images built on top of it, so updates to popular base images spread far and, as we saw from the last blog, quickly.
read moreTo update or not to update…
In the previous blog we presented our analysis of image update frequency for official DockerHub images and the implications for application images built on top of these base images. It was pointed out in a Reddit reply by /u/AskOnDock29 that users can update the operating system packages in the images themselves, independently of the official image and so the frequency, or infrequency, of base image updates is not a concern since this is easily manageable by end-users.
read moreA Look at How Often Docker Images are Updated
In our last blog, we reported on operating systems usage on DockerHub, focusing on official base images.
Most users do not build their container image from scratch they built on top of these base images, for example extending an image such as library/alpine:latest with their own application content.
Whenever one of these base OS images is updated, images built on top are typically rebuilt in order to inherit the fixes included in the base image. In this blog, we will be looking at the update frequency of base images: frequency of updates, changes made and how that impacts end users.
Just because they pushed doesn’t mean you need to pull
While that may sound like advice your mother gave you after you got into a fight at school we are actually talking about Docker Images.
Yesterday we started to notice a lot of activity on our worker nodes on anchore.io which were analyzing a large number of images that were updated on DockerHub.
read moreIntroducing the Anchore Engine
Today Anchore announced a new open source project that allows users to install a local copy of the powerful container analysis and policy engine that powers the Anchore Navigator service.
The Anchore Engine is an open source project that provides a centralized service for inspection, analysis and certification of container images. The Anchore engine is provide as a Docker container image that can be run standalone or on an orchestration platform such as Kubernetes, Docker Swarm, Rancher or Amazon ECS.
A Breakdown of Operating Systems of Dockerhub
While containers are thought of as “micro-services” or applications, if you open up the image you will see more than just an application – more often than not, you’ll see an an entire operating system image along with the application. If you dig into the image you will find that certain parts of the operating system are missing such as kernel and hardware specific modules and often, but sadly not always, the package list is reduced. If you are deploying a pre packaged container built by a 3rd party you may not even know what operating system has been used to build the container let alone what packages are inside.
read moreAnalyzing 20TB of Data
Hi, I’m Max de Visser and I’ve recently joined the Anchore team as a Data Analytics Intern. I am working towards a BS in computer science and a minor in statistics at nearby UC Santa Barbara. The recent growth of big data - and data science in...
read moreScanning for Malicious Content
Ivan Akulov just published a rather worrying blog entitled Malicious Packages in NPM in which he documents a recent discovery of several malicious NPM packages that were copies of existing packages with similar names which while they contained the same functionality they also included malicious code that would collect and exfiltrate environmental variables from your system in the hope of finding sensitive information such as authentication tokens.
read moreThe Case of the Missing Vulnerability
We extended one of the most popular features of the Anchore Navigator, tag notifications, in our latest beta. Previously users could subscribe to a tag and receive a notification when a new image was pushed with that tag. For example if you used...
read more