In my first three months here at Anchore, I’ve experienced firsthand the highs and lows of working with new technologies. The adoption of any new tool comes with a learning curve that includes the process of trial and error. In this post, I’d like to share some tips relating to common issues that I’ve seen new users of Anchore Engine and Enterprise encounter in the hope to ease this process for future users.
1. Make Sure to Add Registries to Anchore Before Attempting to Scan Images
By default, Anchore will attempt to download images from a registry without further configuration. However, if your registry requires authentication, then registry credentials will need to be defined. If you forget to add your registry before you attempt to scan an image, you will receive a Skopeo error stating “cannot fetch image digest/manifest from registry”.
To add a registry via the Anchore CLI:
anchore-cli registry add REGISTRY USERNAME PASSWORD
See here for more information about configuring registries.
2. Use the API Reference on SwaggerHub and the CLI Debug Flag
One of the many great capabilities of Anchore is the ability to interact through a CLI, UI (Enterprise only), or RESTful API. This allows dev, devops, and secops teams to use Anchore however they prefer. If you are having trouble connecting to the API, you could have the username, password, or URL set incorrectly. You can see what each CLI command is doing by passing the --debug flag:
anchore-cli --debug system feeds sync
See here for more information about configuring the CLI.
3. Be Careful When Adding Repositories
When adding a repository, Anchore Engine will automatically add the discovered tags to the list of subscribed tags. By default, repositories added to Anchore Engine are also automatically watched. There have been times when new users have accidentally added a repository with a large number of tags and then froze their system that could not handle the workload. To prevent this from happening, try:
anchore-cli repo add repo.example.com/apps --noautosubscribe
anchore-cli repo unwatch repo.example.com/myrepo
See here for more information about using repositories.
4. Use a Policy Bundle That Fits Your Company’s Security Needs
Anchore Engine includes a default policy configured at installation that performs basic CVE and Dockerfile checks. This default policy was not intended to be used in production. You could, however, use the default policy as a building block for your own policy. There are many different ways to customize policies with Anchore to meet security and compliance requirements. For more information, see:
5. Make Sure Ingress is Set Up Correctly if You’re Using Cloud Platforms and CI/CD Tools
This last tip is rather basic but still relates to a common issue nonetheless. If you’re running Anchore, for example, on a cloud machine, make sure your ingress rules are set up correctly so that your CI/CD tools (e.g. Jenkins, GitLab CI, etc.) are able to access Anchore Engine. A simple check on your inbound rules could present the reason why your pipeline job is “timing out” or “refusing connection” to Anchore. By default, the Anchore service is configured on port 8228; make sure any third-party tools you’re using can access that port.