Windows container scanning with Anchore

Anchore Scanning for Windows Container Images

With the recent release of version 2.3, Anchore Enterprise now supports scanning of Windows container images and the addition of a new feed source for identifying Windows vulnerabilities: Microsoft Security Response Center (MSRC).

MSRC

Microsoft Security Response Center maintains reports of security vulnerabilities affecting Windows systems in its Security Update Guide. In addition to publishing this data publicly on its website, Microsoft provides programmatic access to retrieve security update details in the Common Vulnerability Reporting Format via its Microsoft Security Update API. In order to access the API, users must obtain an API key using their Microsoft TechNet account.

Enabling the MSRC Feed Driver for Anchore Enterprise

To configure this feed source for use with Anchore Enterprise, the on-premises Enterprise Feeds Service must be enabled and configured with the API key obtained from Microsoft. For instructions on how to obtain that API key, visit Anchore Enterprise Feed Driver Configuration.

Note: If you are upgrading an existing deployment via docker-compose, bring the deployment down WITHOUT deleting the existing volumes (run docker-compose down without the ‘-v’ flag). For Kubernetes deployments using Helm, perform the upgrade with the helm upgrade command.

To enable the on-premise feeds service and configure the MSRC driver on deployments using docker-compose, edit the following section of the compose template:

services:
  ...  
  feeds:
  ...
    environment:
    ...
    - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true
    - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_API_KEY=

For deployments using the config.yaml configuration file, update the following section:

services:
  ...  
  feeds:
  ...
    drivers:
      msrc:
        enabled: true
        api_key: 

To enable the feeds service and the MSRC driver for Kubernetes deployments, update the following section of your custom values file:

anchore-feeds-db:
  enabled: true
  ...

anchoreEnterpriseFeeds:
  enabled: true
  ...
  # Enable microsoft feeds
  msrcDriverEnabled: true
  msrcApiKey: 
  ...

(For new deployments on Kubernetes using the stable/anchore-engine Helm chart, refer to the installation guide for instructions on deploying Anchore in your cluster).

Verify New Feed is Enabled

After bringing up the deployment, the feed sync may take a while to complete, depending on whether this is a new deployment or an upgrade of an existing one. For details on checking the status of the feed synchronization, refer to our enterprise docs.

Once the feeds have finished synchronizing, verify that the MSRC feed is included in the list, either via the Enterprise UI or via the API:

[Screenshot: Verify new feed is enabled via Anchore UI]
[Screenshot: Verifying new feeds via API]
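As an added example (not part of the original post or of Anchore's own tooling), the following Python check reads the JSON returned by Anchore's GET /v1/system/feeds endpoint, the same data the API verification step above inspects, and reports whether the msrc feed is present, enabled, and has synced records in every group. The field names used (name, enabled, groups[].last_sync, groups[].record_count) and the msrc:<build> group names in the constructed sample are assumptions about the feed metadata schema, so adjust them to what your deployment actually returns.

```python
"""Check that the MSRC feed is enabled and fully synced in an Anchore deployment.

Input is the parsed JSON list from GET /v1/system/feeds. Field names are an
assumption about the feed metadata schema (name, enabled, groups[].last_sync,
groups[].record_count); verify them against your own API response.
"""
import json

# Constructed sample response: one Linux feed plus the msrc feed with two
# Windows build groups, one of which has not synced any records yet.
SAMPLE_FEEDS_JSON = """
[
  {"name": "vulnerabilities", "enabled": true,
   "groups": [{"name": "alpine:3.11", "enabled": true,
               "last_sync": "2020-05-01T10:00:00Z", "record_count": 1200}]},
  {"name": "msrc", "enabled": true,
   "groups": [
     {"name": "msrc:10.0.17763", "enabled": true,
      "last_sync": "2020-05-01T10:05:00Z", "record_count": 250},
     {"name": "msrc:10.0.18362", "enabled": true,
      "last_sync": null, "record_count": 0}
   ]}
]
"""


def msrc_feed_status(feeds):
    """Return (ok, problems) for the msrc feed in a parsed /v1/system/feeds list."""
    problems = []
    msrc = next((f for f in feeds if f.get("name") == "msrc"), None)
    if msrc is None:
        # The driver never registered: the enable flag or API key is missing.
        return False, ["msrc feed not present: check the MSRC driver enabled flag and API key"]
    if not msrc.get("enabled"):
        problems.append("msrc feed present but disabled")
    groups = msrc.get("groups") or []
    if not groups:
        problems.append("msrc feed has no groups yet (sync still running, or API key rejected)")
    for g in groups:
        # A group with no last_sync or zero records has not pulled MSRC data yet.
        if not g.get("last_sync") or not g.get("record_count"):
            problems.append(f"group {g.get('name', '?')} has not synced any records")
    return not problems, problems


def check_feeds_json(text):
    """Convenience wrapper: parse the raw API response body and run the check."""
    return msrc_feed_status(json.loads(text))


if __name__ == "__main__":
    ok, problems = check_feeds_json(SAMPLE_FEEDS_JSON)
    print("MSRC feed OK" if ok else "MSRC feed problems:\n  " + "\n  ".join(problems))
```

Pipe the real response body into check_feeds_json (for example from curl against your Anchore API) to run the same check against your deployment.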

Adding Windows Images

Just as with Linux containers, you can analyze a Windows container repository or tag by providing the image as registry/repository/tag in the UI or via the API, for example with anchore-cli image add.

[Screenshot: Adding Windows images in Anchore]

Viewing Compliance and Vulnerabilities

Once the image analysis has completed, Anchore provides a detailed view of the image contents, vulnerability findings and compliance reports driven through policy.

[Screenshot: Anchore vulnerability report of Windows container]

To produce security information for Windows images, Anchore compares the latest version (or patch set) of the base image with the image version you are scanning and generates a list of all the vulnerabilities the image may be exposed to, as disclosed by the Microsoft Security Response Center. In the example below, we can see the vulnerabilities Anchore identified in the image, with further details on the severity of the CVE, the package name and type, and a link to Microsoft’s Security Update Guide for more details on the finding.

[Screenshot: CVE analysis of Windows containers]

With the addition of support for Windows container image scanning, you can integrate Anchore into your container-based workflows for your Windows images and leverage our policy engine to enforce compliance.