Category: Blog

Many organizations have seen increased value from in house software development by adopting open source technology and containers to quickly build and package software for the cloud. Usually branded as Digital Transformation, this shift comes with trade-offs not often highlighted by vendors and boutique consulting firms selling the solutions. The reality is moving fast, can break things and without proper constraints, you can expose your organization to significant security, legal and reputational risks.

These are not entirely new revelations. Security experts have long known that supply chains are an incredibly valuable attack surface to hackers. Software supply chain attacks have been used to exfiltrate credit card data, (alleged) nation-state surveillance, and to cash out ATMs. The widespread adoption of open source projects and the use of containers and registries have given hackers new opportunities for harm.

Supply Chain Exposure Goes Beyond Security

These risks are not limited to criminal hacking and fragility in your supply chain comes in many forms. One type of risk comes from single contributors that could object morally to the use of their software, like what happened when one developer decided he didn’t like Trump’s support of ICE and pulled his package from NPM. Or unbeknownst to your legal team, you could be distributing software without proper license, as is the case with any container that uses Alpine Linux as the base image.

Fortunately, understanding these risks is not unknowable. A number of open source tools exist for scanning for CVEs, and recent projects are helping to standardize Software Bill of Materials to help make it easy to check your containers for license and security risks. Knowing is of course only half the battle – securing your supply chain is the end goal. This is where the unique capabilities of Anchore Enterprise can be applied. Creating, managing, and enforcing policy allows you to enforce the constraints that are most applicable to your organization, and allow teams to still move quickly by building on top of open source and container tooling.

Smart Contracts for your Supply Chain

Most sizable organizations have already established best practices around their software supply chain. Network security, tool mandates, and release practices all help to decrease your organization’s risk – but they all are fallible. Where humans are involved, they are sure to choose convenience over security, especially when urgency is involved.

This is the idea behind the Open Policy Agent (OPA) Kubernetes project which can prevent certain containers images from being scheduled, and even integrate with service mesh to route network traffic away from suspicious containers.

At Anchore, we believe that catching security issues at runtime is costly and focus on controlling your path to production through an independent policy engine. By defining policy, and leveraging our toolbox in your pipelines you can enforce the appropriate policy for your organization, team, and environment.

This powerful capability gives you the ability to allow development teams to use tools that are convenient to them during the creative process but enforce a more strict packaging process. For example, you might want to ensure that all production containers are pulled from a privately managed registry. This gives you greater control and less exposure, but how can you enforce this? Below is an example policy rule you can apply using Anchore Enterprise to prevent container images from being pulled from Docker Hub.

"denylisted_images": [

   {
     "id": "9b6e8f3b-3f59-44cb-83c7-378b9ba750f7",
     "image": {
       "type": "tag",
       "value": "*"
     },

     "name": "Deny use of Dockerhub Images",
     "registry": "dockerhub.io",
     "repository": "*"
   }
 ],

By adding this to a policy you can warn teams they are pulling a publicly accessible image, and allow your central IT team to be aware of the violation. This simple contract severs a building block to developing “compliance-as-code” within your Organization. This is just one example of course, you could also search for secrets, personally identifiable information (PII data), or any variety of combinations.

Supply Chain Driven Design

For CIOs and CSOs, focusing on the role of compliance when designing your software supply chain is crucial for not only managing risk, but also to improve the efficiency and productivity of your organization. Technology leaders that do this quickly will maintain distinct agility when a crisis hits, and stand out from their peers in the industry by innovating faster and more consistently. Anchore Enterprise gives you the building blocks to design your supply chain based on the trade-offs that make the most sense for your organization.

More Links & References

How one programmer broke the internet

NPM Typo Squatting attack

How a supply chain attack lead to millions of stolen credit cards

Kubecon Supply Chain Talk

Anchore Toolbox is a collection of lightweight, single-purpose, easy to use, open source DevSecOps tools that Anchore has developed for developers and DevOps teams who want to build their continuous integration/continuous development (CI/CD) pipeline.

We’re building Toolbox to support the open source DevSecOps community by providing easy-to-use just in time tools available at the command line interface (CLI). Our goal is for Toolbox to serve a fundamentally different need than Anchore Enterprise by offering DevSecOps teams single-purpose tools optimized for speed and ease of use.

The first tools to debut as part of Anchore Toolbox are Syft and Grype:

Syft

We built Syft from the ground up to be an open source analyzer that serves developers who want to “shift left” and scan their projects still in development. You can use Syft to scan a container image, but also a directory inside your development project.

Syft tells you what’s inside your super complicated project or container and builds you a detailed software bill of materials (SBOM). You can output an SBOM from Syft as a text file, table, or JavaScript Object Notation (JSON) file and includes native output support for the CycloneDX format. 

Installing Syft

We provide everything you need, including full documentation for installing Syft over on GitHub.

Grype

Grype is an open source project to scan your project or container for known vulnerabilities. Grype uses the latest information from the same Anchore feed services as Anchore Engine. You can use Grype to identify vulnerabilities in most Linux operating system packages and language artifacts, including NPM, Python, Ruby, and Java.

Grype provides output similar to Syft, including table, text, and JSON. You can use Grype on container images or just directories. 

Installing Grype

We provide everything you need, including full documentation for installing Grype over on GitHub.

Anchore’s Open Source Portfolio and DevSecOps

Open source is a building block of today’s DevSecOps toolchain and integral to the growth of the DevSecOps community’s growth at large. Anchore Toolbox is part of our strategy to contribute to both the open source and DevSecOps communities and do our part to advance container security practices.

The Anchore Open Source Portfolio also includes two other elements:

• Out-of-the-box integrations that connect Anchore open source technologies with common CI/CD platforms and developer tools with current integrations including GitHub Actions, Azure Pipelines, BitBucket Pipes, and Visual Studio Code
• Anchore Engine, a persistent service that stores SBOMs and scan results for historical analysis and API-based interaction

Learn more about Anchore Toolbox

The best way to learn about Syft and Grype is to use them! Also, stay tuned this week for a blog on Thursday, October 8, 2020, from Dan Nurmi, Anchore CTO, who tells the story behind Anchore Toolbox and offers a look forward at what we plan to do with open source as a company.

Join the Anchore Community on Slack to learn more about Toolbox developments and interact with our online community, file issues, and give feedback about your experience with these new tools.

Today, we are pleased to announce the GA of Anchore Enterprise 2.4. In keeping with previous releases in the 2.x series, version 2.4 has been heavily driven by customer requests both in terms of features and operational improvements. Without further ado, let’s go into the main enhancements.

Base Image Comparison

It is common for teams to standardize around a base OS image upon which application teams then layer their specific content. With our new base image comparison feature, application teams can see which security issues or vulnerabilities have been introduced by their code or dependencies and are therefore their responsibility versus the owner of the base image. More importantly, it also allows the base image owner to see what issues they can resolve across multiple applications by addressing issues in the base image. Given that a few judicious upgrades of libraries in a base image can resolve a huge swathe of vulnerabilities, this feature ensures that it is easy to find steps that have the most impact with the fewest number of steps. 

Malware Detection

Despite the rise of more modern malware like cryptomining trojans, traditional viruses still continue to affect software via the software supply chain. Anchore will now scan for viruses in binaries against a database of known signatures as part of our deep image inspection. A rule can be created in our policy engine that generates a “warn” or “stop” if a virus is detected. This allows you to do your virus scans as part of CI/CD as well for scanning existing content in a registry. 

Hint File

When Anchore analyzes an image, it looks at package indexes, names of files and other metadata to generate matches with vulnerability information. Sometimes this information is not discoverable, either because it is missing or not discoverable. A good example is with Go, the popular programming language, where libraries are compiled in. Using a hint file, which is detected within the image itself, developers can explicitly enumerate dependencies they have used which Anchore will use to generate vulnerabilities. This feature is best used where the creation of the hint file is formalized as part of the development process. In addition, we have added Go as a type (in both the API and UI) in the Anchore system so vulnerabilities can be explicitly related to the language. 

Fair Queuing

As long term admins of Anchore will be aware, every now and then a user will add a repository that contains 1000s of tags, each containing hundreds of images. Previously, our queuing system worked on a first-in-first-out (FIFO) basis which meant that when a large repo was added, it could block other users with more urgent requests. With the new fair queueing algorithm in 2.4, the system will ensure that each account or tenant in the system gets equal processing time, with one image being processed for each account at a time in a round-robin fashion. 

Bulk Image Deletion API

It is common for the size of the Anchore database to grow over time as users add more and more repos. Many of the images that get scanned, do not need to be retained by the system as they are test or scratch images. Previously, it required an API call per image to delete them from the database with users writing scripts to iteratively call the API to delete multiple images. With the new bulk API, a user can submit a list of repos/images that should be deleted in bulk, asynchronous to the API call. 

And Finally

Many additional features and improvements have gone into the graphical user interface, most notably, users will now see a “What’s New” popup after their administrators have upgraded the system. This will introduce them to the new features listed above and other areas of change. 

Many thanks to the customers who provided feedback and testing on our new features. We’re keen to hear feedback from prospective or existing customers on our Discourse forum about this release and to receive feedback for the next one.

And finally, a huge thanks to the engineering team for keeping the momentum on our product releases even during the pandemic. 

Watch the Anchore Enterprise 2.4 Video

Please bookmark our product release page to see videos on all Anchore Enterprise releases, past, current and future as we announce them. 

The use of containers is growing rapidly and for good reason. Compared to traditional, monolithic applications, containers offer many great benefits: faster delivery, elasticity, portability—the list goes on. In a recent press release, Gartner predicted by 2022, more than 75 percent of global organizations will be running containerized applications in production and by 2024, container management revenue will reach $944 million.

Despite this exciting growth, containers are still vulnerable to cyberattacks. According to a Tripwire survey, 60 percent of enterprises running containers suffered a container security incident in 2018. Additionally, a recent StackRox survey involving IT and security professionals found that 94 percent of respondents encountered a security incident in the past year related to containers or Kubernetes. Without proper security measures in place, your container management environment could suffer from container security incidents too. 

To minimize your attack surface, you should know the exact contents and vulnerabilities of your containerized applications before running them in production. By first identifying threats and vulnerabilities, you can begin to enforce policies and achieve the desired level of security and compliance. 

Application & Insider Threat Checks

For example, a developer has been tasked with creating a custom-built container that utilizes a popular database server. The security team has required that this database server be configured using a specific version with TLS and authentication enabled. What can be done to ensure these requirements are fulfilled?

Anchore provides users with the ability to create policy-as-code. A user can create a simple JSON policy that checks for application-level configuration such as a specific package version or a required configuration option. A policy can then be enforced by user-defined actions that could fail a pipeline stage or prevent the container from being deployed. Implementing both accidental and malicious insider threat checks is one of the first things your organization can do to mitigate container security risks.

Ports, Permissions & Private Data Checks

In addition to checking for files, packages, and software artifacts, a container security solution should also check for ports, permissions, and private data. Similar to how AWS Macie checks for personal identifiable information (PII) in an S3 bucket, container security software should provide users with automatic checks for exposed ports, insecure permissions, secrets, passwords, licenses, keys, and other metadata. Whether the information was mistakenly added or left behind during testing, checks of this nature are essential in achieving levels of compliance and preventing bad actors from acquiring privileged access or sensitive data.

Vulnerability Checks

There are many container scanning tools on the market that check for common vulnerabilities and exposures (CVE). However, scanning the same container image with two separate tools will always yield different results. With the variety of public security advisories available today, it is important your organization chooses a container scanning solution that utilizes a comprehensive set of feed sources and is able to identify every software package installed in the container. 

As a developer myself, I know that we will install any packages necessary to get a job done. Nonetheless, your security team may want to block a risky package from being used or discover that there is an upstream patch available for a package. Knowing which CVE corresponds to which package and ensuring that the minimum required packages are installed in a container is critical while your security team researches, evaluates and minimizes risk. 

In this blog, we acknowledged that the increased use of containers among global organizations requires an increased focus on cybersecurity. We’ve also seen a few reasons why Fortune 100 companies and government agencies around the world trust Anchore for their cloud-native environments. By implementing the right tools and policies, your organization can prevent threats and vulnerabilities as well as achieve desired levels of security and compliance, saving time and money prior to runtime.

When you want to sell to the government, it behooves you to pick your partners wisely—and it’s no accident that Anchore chose to work with the largest trusted government IT solutions provider, Carahsoft Technology Corporation, to distribute Anchore’s products to public sector customers.

See press release: Carahsoft and Anchore launch partnership in public sector
This is a critical time for DevSecOps in government IT. The federal government, along with state and local government agencies and higher education institutions, are looking to new technologies such as containers, Kubernetes, CI/CD pipelines and advanced development methodologies such as DevSecOps to help drive their need for speed.

Anchore is a key part of the new technology stack in DevSecOps that can help bring government agencies into the 21st century with increased velocity and agility. Moreover, modern software approaches are designed to dramatically improve services while also saving big bucks for government software factories and the digital transformation they are driving. You need look no further than the cutting edge work being done by US DoD’s DevSecOps initiatives such as the USAF’s Platform One and Iron Bank. Both of which, Anchore is a key component. That’s why we recently received a SBIR Phase II contract from the United States Air Force for our work in software container hardening.

The Importance of Partners in Selling to Government Customers

Most software vendors who do business with the government work through partners and Anchore is no exception. In fact, our public sector sales strategy is partner-centric. With our newly announced partnership with Carahsoft, nearly all of our government business will flow through Carahsoft as our master government aggregator. The Carahsoft partnership signals that Anchore is “open for business” for government, higher education and state and local customers.
Carahsoft is able to generate unique volume and velocity for its partners’ sales efforts. Its phenomenal sales organization has the resources to address virtually all RFPs and other opportunities in the public sector space and its marketing/demand-gen and operational capabilities are second to none.

The Importance of Real Solutions for Government Customers

Carahsoft has been instrumental in building successful public sector businesses for several leading software vendors, from Red Hat, Adobe, VMWare, Google, and AWS, as well as many others. From its vast portfolio of suppliers, Carahsoft is able to create the right solution to meet the needs of the mission. Carahsoft’s dedicated open source practice is a natural home for Anchore. Working with Carahsoft represents an exciting new chapter in Anchore’s channel business sales model, and we’re thrilled to be bringing our technology into Carahsoft’s solution-centric motion.
Along with Carahsoft and its ecosystem of value-added partners and suppliers, Anchor’s public sector sales team is working hard to accelerate cloud-native development efforts in the government sector. We look forward to the chance to jointly help government agencies and institutions utilize DevSecOps to deliver better outcomes for their customers—the citizens of the United States.

On May 27th, Anchore had the privilege of participating in the virtual Microsoft Azure Government DC Meetup. The rise of DevSecOps in gov software initiatives was a fantastic event with a great spread of knowledge. There were demos such as deploying OpenStack onto secure infrastructure and implementing DevSecOps at full speed.

I gave a demo showcasing Anchore integrated into Azure DevOps in a daily developers life cycle for full speed security. Utilizing a custom Anchore integration, I showcased how to quickly and easily detect security defects in containers before they are deployed. Also, I shared some common best practices and showed how Anchore can enforce them.

The event also featured a panel discussion about DevSecOps in the government sector, consisting of experienced individuals from F35 Joint Strike Fighter Program, NIST, and Azure Gov. Check out the full playlist here!

There’s an odd mix of fearlessness and fear that surrounds our constant need for innovation in modern business.

It takes courage to risk striking out in a new direction, turning your back on the perceived stability of the status quo. And yet, in many industries, the compulsion for innovation is fuelled by a very real fear of getting left behind.

Building on over 150 years of secure Swiss banking heritage, Hypothekarbank Lenzburg (HBL) feels these conflicting pressures more than most. But this hasn’t stopped its technology team from leading the Swiss banking sector in new, risk-fraught areas such as blockchain and open banking.

The recent pace of growth and innovation at HBL was fueled by bountiful new CI/CD pipelines, built on containerization and Kubernetes. However, this had also opened up very real risks for the bank’s operational security and stability:

“More and more of our software, from both internal and external developers, is now delivered as containers. This made it very hard for our traditional vulnerability management solution to keep up because it couldn’t scan containers efficiently,” explains Sascha Kaufmann, Head of IT Security at HBL, in our latest case study.

When HBL looked at solving this new challenge, it soon became clear that a conservative attitude towards IT security was actually the most dangerous approach.

Existing, tried-and-tested security vendors were unable to keep pace with the speed of container-based development. And the bold changes the organization had embraced by adopting cloud-native development, demanded a new security solution built for this new environment.

The real surprise for HBL was that in taking a new and dedicated approach to container security, the team turned an area of unacceptable risk into a pillar of strengthened security for the bank moving forward.

Discover DevSecOps at work in the banking sector with our latest case study.

With the release of Anchore Enterprise 2.3 (built upon Anchore Engine v0.7.1), we are happy to announce a new feed provider: GitHub Security Advisories (GHSA).

GHSAs are another source of data that Anchore uses to match vulnerabilities to packages within a container. In this post, we will look into what GHSAs include, describe how Anchore use them, and walk through an example GitHub Action using Anchore to identify vulnerabilities from GHSAs.

GHSA Explained

As described in About GitHub Security Advisories, GHSAs allow code maintainers to privately discuss and fix security issues in their projects, and upon completion of a fix, publish the advisory to the project’s community. In turn, by publishing security advisories, maintainers make it easier for their communities to update affected packages and further investigate the impact of the vulnerability.

GHSA Under the Hood

GitHub is an authorized CVE Numbering Authority (CNA) and GHSAs created can optionally include an existing CVE reference or request that one be assigned through GitHub. When a new advisory is filed with GitHub, it is reviewed and pushed to the GitHub Advisory Database. Anchore uses this database as an upstream feed data source, allowing us to match vulnerabilities with the most up-to-date vulnerability data available.

For more information on CVEs, check out the blog by Anchore’s very own Hayden Smith on Why We Care About CVEs.

GHSA as an Anchore Feed Provider

Anchore uses GHSAs to match potential vulnerabilities for the following supported language types:

• Java
• Python
• Ruby
• Gem

GHSAs also give us a preview of NuGet (.NET) vulnerabilities, allowing Anchore to discover NuGet packages as part of the image analysis process. Including language packages during image inspection makes Anchore more than just a tool to identify CVEs, it allows fine-grained control over what is included in an image through policies as well.

Enabling the GitHub Feed Driver for Anchore Enterprise

GHSA is a publicly available feed source with an open API that requires that users generate a Personal Access Token (PAT) from their GitHub account. While GHSA is a feed source included in the open source Anchore Engine version, enabling the GHSA feed driver within Anchore Enterprise requires the PAT to be configured in the on-premise Enterprise Feeds Service; no other special permission or scoping is required.

For a full overview and instructions on how to generate and enable the GHSA Feed Driver within Anchore, please refer to Anchore Enterprise Feed Driver Configuration to begin using GHSA feeds in your deployment.

GitHub Scan Action with Anchore and GHSA

A seamless way to integrate Anchore with GHSA feeds is to use the Github Scan Action. Check out Anchore’s GitHub Scan Action for more information on using Anchore within GitHub’s CI/CD.

We begin by creating a Dockerfile that installs a package with a known GHSA vulnerability:

FROM docker.io/python:3.8.0a3

RUN pip install aubio-0.4.8

CMD echo "This is just a test"

Then we add it to a GitHub repository with the following Scan Action defined:

name: Docker Image CI
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
    - uses: actions/checkout@v1
    - name: Build the Docker image
      run: docker build . --file Dockerfile --tag localbuild/testimage:latest
    - uses: anchore/scan-action@master
      with:
        image-reference: "localbuild/testimage:latest"
        dockerfile-path: "./Dockerfile"
        fail-build: true
    - name: anchore inline scan JSON results
      run: for j in `ls ./anchore-reports/*.json`; do echo "---- ${j} ----"; cat ${j}; echo; done

We are able to see that the Anchore Scan Action identifies multiple vulnerabilities. Let’s drill down on a known vulnerability identified as `GHSA-grmf-4fq6-2r79`:

From the scan results, we can see that GHSA is flagging a Mercurial Python package. It provides a link to the GHSA where we can see details about the vulnerability:

From here, end users can determine the best approach to remediation according to their organizational needs.

At Anchore, we strive to provide comprehensive, actionable vulnerability identification that enables development without compromising security. The addition of GHSA as a feed data provider allows users to find vulnerabilities more quickly, highlighting the value of shifting security further to the left.

Today, we announced the availability of Anchore Enterprise 2.3 for our enterprise and federal government customers.

Keeping to a 4-month development cycle since our last release, 2.3 includes some big new features that see expanded coverage for Windows containers and .NET packages as the headline. Microsoft is the original developer-champion; combined with their acquisition of GitHub, another ecosystem we are deepening support for, they are critical to the adoption of DevSecOps that is at the heart of Anchore’s mission.

Many thanks to the folks at Microsoft and GitHub who helped us with the features in the release, and well done to the engineering team for getting out the release despite the distraction and stresses of the pandemic.

Read about this release here, or view this webinar covering all the features of 2.3.

Support for Windows Containers

While Linux containers continue to represent the lion’s share of containers on Docker Hub and in production, Microsoft has been enthusiastic supporters of containers for Windows since 2016 when they released the first Windows container. Last year, Windows officially became supported on various distributions of Kubernetes.

As of 2.3, Anchore Enterprise can now inspect, scan and enforce policies across Windows containers, the same way we support Linux containers.  We perform a deep inspection of the entire image, cataloging all the files and their metadata to produce a software bill of materials (SBOM). These can be viewed in the Files tab of our UI or via the API, just as you can browse a Linux image.

Once we have this analysis, we then perform our security assessment. Unlike Linux images, which are collections of multiple packages, each with their own version information, Windows container images are more monolithic. That means the security information for the base OS is produced slightly differently. By comparing the difference between the latest version (or patch set) of the base image and the version you are scanning, we generate a list of all the vulnerabilities that you may be exposed to as disclosed by the Microsoft Research Center. Vulnerability checks, along with all of the other policy gates available in Anchore, can be applied to Windows images.

In addition to the OS vulnerabilities, Anchore Enterprise will also report on any additional language vulnerabilities for Python, Ruby, Node or Java apps layered on top of the base image. Of course, the most common application framework used with Windows is .NET which we are also now able to offer in Tech Preview.

Vulnerability Scanning for Nuget Packages (Tech Preview)

Nuget is a popular package management system for handling .NET packages. Sponsored by Microsoft, it is run as a community project and functions identically to other language packaging systems like npm, pip or gem that provide a central repository for libraries and add-ons.

Anchore Enterprise will now scan for Nuget package indexes and map .NET package versions against disclosed vulnerabilities, both on Linux or Windows containers. A new Nuget tab can be seen via our UI and is available as an option via the API which allows you to see what packages are installed.

Unlike npm or Python, there is less curation and centralization of security issues in the Nuget community. Individual contributors are left to decide how they want to manage their security notices. For the 2.3 release, we have chosen vulnerability sources that have the highest volume of disclosures and are making this feature available as Tech Preview so we can assess the coverage this provides for customer applications. As new sources become available, we will look to include them in future releases.

GitHub Security Database and Red Hat CVE Database

Last November, GitHub made several security announcements. Most notable was their ability to create CVEs directly from within their product and the availability of a security database that aggregated these CVEs and any other advisories created by hosted projects.

Anchore Enterprise now uses the GitHub Security Database as part of our aggregated vulnerability feed alongside other open and proprietary data sources. Customers should see more vulnerabilities being reported, especially where the source code software originates on GitHub. We really like the security workflows being embedded into GitHub and hope the communities of open source projects will use them to create a high fidelity database over time.

We’ve also switched to using the Red Hat CVE database as our primary source for all things RHEL-related. Previously we were using Red Hat Security Advisories which only provided notice of resolved issues and the products affected. The CVE database provides more information about issues that Red Hat has marked as “won’t fix” and uses CVE as the primary key, making it easier to manage policies using just CVE rules.

User Interface Improvements: Scheduled Reports and Event Management

One of the key differentiators for Anchore compared to other security tools is our ability to produce highly customizable reports that allow security teams to get a clear picture of their risks. Under the hood, we use GraphQL but our UI makes the process of creating a report much easier. Until now, these reports were created ad-hoc. With 2.3, reporting templates can be created and then scheduled for automatic creation. A notification can be configured via email, Slack, MS Teams or other methods, to notify you of the report’s availability.

Finally, we have also added an event management system to help admins more easily scan the system logs, find errors and prune old entries directly from within the UI.

Looking Forward

As ever, we look forward to hearing feedback from our open source community, commercial customers and partners. Don’t forget to join our community Slack channel as we discuss features for the next release due later in the year.

Anchore Enterprise is now available through Red Hat Marketplace, an open cloud marketplace that makes it easier to discover and access certified software for container-based environments across the hybrid cloud.

Built in partnership by Red Hat and IBM, Red Hat Marketplace is designed to make it easy for developers, procurement teams and IT leaders to gain access to popular enterprise software. The software in the marketplace has all been tested and certified for Red Hat OpenShift Container Platform, so it runs anywhere OpenShift runs.

We think it’s important to know what’s inside the containers you build and ship. That’s why you should integrate deep container image inspection into every stage of the DevOps workflow. At Anchore, our mission is to make sure that’s easy. We are excited to offer Anchore Enterprise through the Red Hat Marketplace so it can be seamlessly discovered and deployed by software builders everywhere.

This has been a big week for our friendship with Red Hat! Just yesterday we released Development at Mach One, a white paper documenting our recent shared mission implementing DevSecOps with the United States Air Force. Read it to learn how powerful Anchore and Red Hat are when we work together with our customers. Then visit out our Red Hat Marketplace entry to get started with Anchore Enterprise today.

For a little over a year now, engineers at Anchore have been working alongside our friends at Red Hat on an important mission: helping the United States Department of Defense reinvent the way they consume, build, and deploy software.

The DoD, just like any major organization, builds and ships a lot of software. This software runs on all kinds of devices, from everyday smartphones to extremely specialized equipment. They have teams of developers working to maintain it all, supported by a network of vendors, consultants, and contractors. There is constant pressure to keep the pace of innovation up. But here’s where the similarities with typical organizations end: when a breach occurs, they stand to lose a whole lot more than just a customer. The DoD’s software ensures the success of critical missions, and that can mean life or death.

The answer lies in DevSecOps: the integration of security best practices into a fast-moving development process, using policy-driven automation to create a high level of confidence.

Our teams worked with the DoD to implement a flexible, container-based platform for software delivery powered by Red Hat OpenShift and Anchore Enterprise. With this platform, the DoD can maintain a streamlined, zero-trust security and compliance posture while releasing new software as frequently as mission conditions require.

To learn more about this project, download our free in depth case study.

Common Vulnerabilities and Exposures, or “CVEs”, are identifiers for specific vulnerabilities. MITRE defines its CVE list as a “dictionary of publicly disclosed cybersecurity vulnerabilities and exposures that is free to search, use, and incorporate into products and services.” The CVE list feeds into the National Vulnerability Database (NVD).

CVEs allow teams to track vulnerabilities that directly impact their system. In modern DevSecOps environments, it is common for CVE’s to be discovered during both build and runtime. A CVE matters because it provides traceability for each vulnerability that adversely impacts software. It is a way to describe and manage a discrete vulnerability. The name of a CVE simply provides the year each vulnerability was detected, which is useful. But the truly impactful part of each CVE as it matters to our everyday users come from the data and various scoring methods associated with each one. The scoring, description, and intelligence associated with each CVE are far more important than the CVE identifier itself.

Anchore includes CVEs in our report generation as they are the primary way our customers trace the impact of a vulnerability on their images. In many popular attacks against container images, attackers focus on the software supply chain (such as storing malicious images in container registries, typosquatting attacks on packages/images, etc.) rather than probing an existing system for a specifically available exploit in a running image. That being said, beyond their value in identifying and tracking specific vulnerabilities, they lack the information required for a security team to take action.

So Now What?

But how does Anchore incorporate the importance of a CVE into their product? What can your team do to be more proactive with container security?

Your security team can definitely help prevent typosquatting (see a good story at The New Stack about typosquatting and the dangers associated) and the downloading of malicious (accidentally, hopefully) images by your developers. Anchore can both help with supply chain oriented attacks in addition to taking the information we know about CVEs and using that as actionable data in our scanning policy.

Whitelist/Blacklist Your Images and Packages

To prevent this, Anchore easily provides the ability to blacklist images that may be suspicious, malicious, or simply up to no good in a public container registry. Navigate to your “policy tab”, select Edit Policy, then navigate to the whitelisted blacklisting images tab here:

Under blacklisted images, you can select “let’s add one.” You will see the screen below that allows you to add an image based on name (providing the registry, repo, and tag), by image ID, or by SHA digest. Blacklisting assumes you already know what is malicious and what is not. A more proactive approach would be whitelisting ONLY the images you want to use so that any other images, malicious or otherwise, are flagged for review in Anchore before they hit production. You also have the option to take this a step further and whitelist/blacklist specific packages for your organization to prevent typosquatting attacks.

Similarly, typosquatting attacks can happen on URLs, images, and even individual packages as was the case here where python packages contained legitimate code but had a setup.py script that would gather hostname and user information that would be sent back to another system. To prevent these unfortunate events from occurring in your container workloads, Anchore provides the ability to inspect your packages and blacklist specific package contents. You can view package contents here to understand the complete packages and files within your image to hunt for potentially malicious packages that wouldn’t be identified by a CVE.

Anchore allows you to make user-defined policy so you can easily blacklist malicious packages that are independently discovered by your security team or a part of any threat intelligence you are acting upon.  You can do this by navigating to policy checks and either adding to an existing policy or creating a new one. For this example, I will create a specific policy called “Typosquatting Checks” here:

I will then tailor this policy for specific known malicious packages that may be impersonating legitimate packages, and create a stop action in Anchore for any image that contains a malicious/fake package as seen here where we blacklist urlib3 (malicious package) that is impersonating urllib3 (legitimate package).

Don’t Boil the CVE Ocean: Incorporate CVSS Scoring into Scanning

Another more proactive way to tackle the management of CVEs in your environment, albeit not perfect given some flaws of scoring, is to integrate scoring into your scanning policy. The Common Vulnerability Scoring System (CVSS) is “an open framework for communicating the characteristics and severity of software vulnerabilities.” A way of explaining this is depicted below:

At a high level, you can correlate a CVE with its CVSS score to determine which CVEs have the greatest impact on your system by looking at two things:

1. Exploitability
2. Impact

The higher the score on either of these factors, the more concern it should have for your security team. If a CVE has a very high exploitation score of a 9.5, but has a very low impact with a score of 2.0 then maybe it shouldn’t be a high priority. The same is true if you have a high impact score, but low exploitation score, which can commonly be the case if an attack vector isn’t widely available or if certain privileges are required in order to execute the attack and actually exploit the vulnerability. There are many other things that should be looked at when assessing vulnerability exploitation such as attack vectors, associated privileges, and attack complexity.

We put the power in the hands of the security teams to define the terms of policy enforcement for their container images. One way to make an intuitive policy using Anchore is to click “Add New Policy.”

There are 10+ selectors you can use to create your policy, such as CVSS base score, exploitability score, impact score, and fix availability.

This way, you aren’t scanning “just to scan” and check the compliance box for your next audit. You are scanning proactively, using a collection of user-defined acceptance rule checks to generate an actionable list of vulnerability and compliance findings immediately addressable by your security team.  By taking these steps, your teams can gain more security insight about the containers they are using instead of routinely gathering the CVE’s and attempting to solve your security woes by boiling the entire “CVE ocean.”

GitHub gets a lot of love from most developers, and the team here at Anchore are no exception.

Deemed worthy of its own top-level tab in every repo, Actions is GitHub’s newest tool for automating your software workflows with world-class CI/CD. Users get DevOps pipelines with the ability to build, test, and deploy code directly from GitHub.

Add in Anchore to this already heady cocktail, and GitHub Actions can now deliver a practical DevSecOps workflow – straight from the repo.

This ensures that, when your container is ready to deploy into any environment, it has had a rigorous security scan. You deploy the code you intend to and nothing else; your dependencies are scanned, and any potentially nasty surprises made visible.

If we already have your undivided attention at this point, feel free to jump right into our tutorial, which shows you how, with very little code, you can add robust security scanning, alerting and reporting to your existing GitHub projects.

Meanwhile, if you are interested in more of the theory and reasoning behind Anchore, keep reading on…

Why Shift Left Using GitHub

Software development is now one of the most collaborative of all human endeavors. The web page you are reading right now is almost certainly the sum total of work from thousands of individual developers. Most of these people have never met each other, but they leverage each other’s work to create the technology that now underpins almost every facet of our daily lives.

This collaboration extends widely; almost every ‘smart’ device, from your TV right through to your car makes use of software written by developers from almost every part of the globe. It is a modern-day wonder that powers a dizzying pace of innovation.

And for many developers, GitHub has become the focus of much of this collaboration. It is more than just a place to store code, it is a vast, well-connected collaboration platform. Within GitHub, developers can share, review, reuse and work together on code, regardless of background or geographic location.

However, maintaining security is challenging in this new collaborative world. It is now almost impossible to manually apply any form of effective security. So, like the Operations teams before, security now has to team up with developers: DevOps is becoming DevSecOps. And like its predecessor, DevSecOps is all about embracing automation, fast feedback loops and, of course, collaboration.

Collectively, this trend is now widely referred to as ‘shifting left’.

Ok. So… why Shift Left Using GitHub?

1. The fast feedback loop

Security has long been seen as a final, irritating inconvenience in the development process. Preventing developers from moving on to the next task. Security considerations appeared as late-stage scrutiny, putting developers through the wringer of fixing issues, only to find another bug has popped-up, after yet another manual or late security intervention.

By marrying GitHub Actions and Anchore, developers get security feedback right alongside their existing unit tests. Fix, iterate, and fix again. Once your tests are clean, it’s ready to go. Security becomes part of the same workflow developers know and love.

2. Easy to set up, easy to use

GitHub is built for collaboration, and Actions are no exception. Anchor has done all the hard work for you, meaning you just need to include our Action and a handful of code. We’ve done the rest, giving you security and peace-of-mind without you having to tear your hair out managing complexity to get there.

3. One place to look

GitHub is where developers go to work. It is a tool they interact with throughout the day, using it to store, test and collaborate on code. By making security front and center in their favorite tool, it means they have one place to look. Put the information somewhere else, and after the first rush of curiosity, it’ll gather dust, unloved and uninspected. Anchore and GitHub Actions keep the security picture front and center.

4. Comprehensive and complete

The Anchore engine is a powerful, Open Source container security scanning tool that the GitHub action makes use of. You get almost the same level of scrutiny, and peace of mind that you would get from running it on your desktop. It’s the perfect mashup of automation and power. To make Anchore engine fit with the ethos of GitHub actions we’ve chosen defaults that offer fast, concise and actionable reports based on the container contents. However, if you want a slower, but more detailed scan that includes application packages, you can enable it by using the include-app-packages option found in the GitHub Action docs.

5. Policy as code

Because it’s the full Anchore Engine, it means you can define your security policy as code and make use of it in the Action. This is the perfect blend of a fast feedback loop for developers, based on a security practitioner’s insight. It’s like having your security team checking every element of your artifacts, 24/7, and letting the real practitioners drop the grunt work and focus on more valuable endeavors.

If this has whetted your appetite, then check out our tutorial on GitHub Actions, which will show you how to integrate some of Anchore’s open source peace-of-mind into your pipeline, with just a handful of code.

Open source software can produce surprising results. Once you create a project or application that solves real problems – and make it available under a license that enables it to be distributed throughout the world – it won’t be long before it turns up in all sorts of interesting projects and organizations.

This has certainly been true for Anchore Engine. Since the formation of the project in 2016, we’ve seen over 30,000 separate installations and broad adoption of both Anchore’s open source tools and our enterprise products. So whilst not totally unexpected, in early 2019 we were happy to learn that Anchore had been adopted by the US Department of Defense as part of its software development pipeline.

Throughout 2019, the DoD rolled out an aggressive modernization initiative, DoD Enterprises DevSecOps, championed by the USAF Chief Software Officer, Nicolas Chaillan. One of its key objectives is to introduce automated software tools, services, and standards to programs throughout the DoD. Enabling programs to create and deploy software applications in a secure, flexible, and interoperable manner is a mission that resonates strongly with the team here at Anchore.

Over the last 12 months, our team has been working extensively with key Air Force stakeholders to meet these challenges, resulting in Anchore being one of the very few tools to be mandated as part of the DoD’s DevSecOps reference design. Our software is uniquely designed to identify and understand the exact composition of software containers and can enforce user-defined acceptance policies based on any DoD compliance standards. Our engineering teams continue to work alongside resources from the DoD and partner organizations to secure and harden software containers held within the DoD’s Centralized Artifact Repository.

Based on the lessons we’ve learned so far, and the insight we continue to build, we’re pleased to announce the availability of Anchore Federal. Built on top of Anchore Enterprise, Anchore Federal adds a collection of out-of-the-box policy rules to validate compliance with the rigid security requirements of the DoD program. It also provides access, via support arrangements, to the engineering resources at the very forefront of the project to ensure partners and programs are implementing best practices. As adoption of the platform grows, Anchore engineering teams will continue to update the included policies to reflect the changing security and regulatory landscape.

The team here at Anchore are excited about our ongoing participation with the program and are fully aligned behind the mission objectives. With the introduction of Anchore Federal, we look forward to enhancing the security of federal agencies’ application development lifecycles and drive cost savings through automation and shared best practice.

Today marks a major milestone in the Anchore journey.

Just a little over 3 years since we opened our doors, we have secured a substantial $20M round of funding that will allow us to address the next wave of container users around the world. I am utterly pleased and totally blown away by what a team of a little less than 20 has achieved in such a short period of time. Like I experienced in the early days of Ansible, just a thousand lines of code and few pages of documentation – built to address an existing gap in the market by smart, capable engineers – can drive ubiquitous adoption in a very short period of time.

While building the Ansible brand a few years back, I had an opportunity to speak to customers and partners and see how containers, and Kubernetes, were transforming the way companies innovate. I quickly became convinced that the next generation compute platform would heavily leverage containers, and security would become key. Today, Gartner predicts that more than 75% of global companies will deploy containers in some capacity by 2022, and the total addressable market is estimated to be $2.1B by the year 2024 by MarketsandMarkets.

Dan Nurmi, Anchore co-founder, and I knew there was a tremendous opportunity. Needing to better understand the security and compliance needs around containers, we decided to build a SaaS platform to test our assumptions. Thousands of users quickly adopted the platform, providing us critical directional feedback on the challenges users and organizations were facing. We have since used that experience to deliver what is now called Anchore Enterprise, our flagship product that is currently in use at large scale by many Fortune 1000 companies including Cisco and eBay, and is even considered a mandatory part of the United States Department of Defense DevSecOps reference architecture.

Anchore’s mission is to empower developers to secure their container workflows in a manner that does not disrupt, distract or encumber them, allowing them to innovate at their own pace. Until now, software workload security has largely been addressed at runtime, but more and more we’re seeing that the majority of issues can be caught more easily during the software development lifecycle. That’s why we want to help organizations shift security left, ensuring that issues are found earlier through seamless integration with all major CICD platforms – whether deployed on-premises, in the public cloud, or through integration with GitHub Actions.

But Anchore is more than just the technology we build. An internal company mandate has been to build both our products and our team with the same core principles that guided Ansible: kindness and accountability. Our goal was never to get from A to B in the shortest possible time; instead, to allow our longer-term vision to be realized while truly enjoying the journey of working with others. I am, once again, thrilled by the fact that those same principles led to another great outcome.

Finally, in the journey to build a global brand, we’ve embarked on hiring great talent with strong open source and enterprise IT expertise. Our office locations already span both coasts, with team members in many US states and soon Europe. We are a fairly distributed team and we’re expecting aggressive growth in the many months to come.

Just in time for the holidays, Anchore Enterprise 2.2, our latest update, is now generally available to all of our customers. For this release, we focus on third-party integrations to send notifications, and a new system dashboard to help customers view the status of their systems. This new enterprise release is based on open source Anchore Engine 0.6.0, also available now.

New Integrations with GitHub, Jira, Slack & Microsoft Teams

Anchore Enterprise is commonly used in either a CI/CD pipeline with a container registry or with a Kubernetes admission controller, to analyze and report on any container image issues. When an image fails a policy check, you typically want to notify your developers as soon as possible so they can fix the issue. With our new integrations, these notifications can now be sent to popular workflow tools (or via plain old email if you prefer), enabling the information to be used as part of existing processes.

Notifications can optionally be separated by account, by type (system or user) and by level (info, warn, error), which allows you to send alerts about security vulnerabilities to one set of users and notifications about the Anchore system itself to another.

Importantly for images, notifications are sent not only at the time of the initial scan, but also when a new vulnerability is detected in a previously scanned image, or when a policy is changed that causes an image to be marked as “out of compliance’. The notification service is a fantastic way of creating remediation workflows from the security team to the developers, or as part of an automated system. Look for upcoming Anchore integrations with other systems.

System Dashboard and Feed Sync Status

Anchore Enterprise is a distributed application consisting of many parts, including a database, a message queue, a report engine, a policy engine and so on. To help users see the status of each component, we’ve added a new system dashboard which makes it easier to troubleshoot issues and understand the roles of the various services.

The dashboard also reports which vulnerability data sources have been successfully downloaded. Anchore Enterprise downloads a complete set of vulnerability data for use locally, reducing the need to send data back and forth over the internet, and enabling air-gapped operations. This way, you are ensured that you are receiving data from all relevant sources and that the data is up to date, which is critical for securing your container images.

Looking Into 2020

We are planning one more release in the 2 series for early 2020. After that, we will focus on version 3 of the product which will significantly expand Anchore’s policy-based security capabilities by supporting all aspects of the container’s journey, from code to cloud. As more companies adopt DevSecOps practices, we hear feedback from our users that every step of the software development lifecycle should be enforced with clear policies that prevent the introduction of inadvertent or malicious flaws. We look forward to hearing feedback from our users about their experiences with Anchore Enterprise 2.2 and collaborating on the next phase of the Anchore roadmap.

Today at Github Universe, we are announcing the availability of the Anchore Container Scan action for GitHub. Actions allow developers to automate CI/CD workflows, easily integrating tools like Anchore into their build processes. This new action was designed for teams looking to introduce security into their development processes. You can find the action in the GitHub Marketplace. 

At Anchore, our mission is to enable secure container-based workflows without compromising velocity. By adding Anchore Container Scan into their build process, development teams can gain deep visibility into the contents of their images and create custom policies that ensure compliance. That means discovering and remediating vulnerabilities before publishing images…without adding manual steps that slow everything down.

If you want to learn more about the Anchore Container Scan action, watch our latest webinar where Zach Hill, Chief Architect at Anchore, provides a quick overview and demonstration.

Last week, the team at Delivery Hero posted the first in a series of articles about bolstering container security and compliance in their DevOps container orchestration model using Anchore Engine. We think they did a fantastic job explaining their goals and sharing the progress they have made. Their article is a great read for those who are grappling with the same challenges.

We believe it’s important to incorporate security best practices early in the development process, and the Restaurant Partner Solutions team at DeliveryHero has done so with Anchore Engine while keeping up with over one million daily orders. So if you haven’t yet read about their project, please take a look at the full article.

We are pleased to announce the immediate availability of Anchore Engine in the Azure marketplace.

Microsoft has grown its cloud native development and DevOps offerings significantly in the past two years. The Azure offerings available today such as Azure Container Instances (ACI), Azure Kubernetes Service (AKS), and Azure Pipelines give enterprises and agencies the tools they need to build scalable, cloud native applications. With Azure, Microsoft helps organizations innovate and grow while saving time and money, enabling business transformation and increased competitiveness.

At Anchore, we have a similar mission. We want organizations to innovate quickly with containers but be confident that the software they ship is safe. Our comprehensive container image inspection and analysis solution is a perfect fit for the kind of innovative enterprises and agencies that use Azure. That is why we are proud to make it available through the Azure Marketplace.

Give it a try! If you don’t already have an Azure account, you can get one for free. Then, check out our marketplace page to get started.

Anchore is on a mission: to enable our customers to deploy software containers with confidence. We allow them to enjoy the benefits of cloud-native application development, safe in the knowledge that the containers they deploy into production are secure and compliant. With that confidence, they can continue to develop and ship software at breakneck speeds.

But that’s not all. We are also on a mission to create the defining technology company in one of today’s hottest technology spaces. As a start-up, we are looking for people who are as passionate about DevSecOps as we are and want to spend their days helping customers and users modernize their software development pipelines.

We’re always hiring across the team for all positions, but we urgently need DevSecOps Engineers to help our growing customer base adopt Anchore and develop best practices for container hardening and security. We’re looking for people who care passionately about creating something unique and want to have a visible impact on the success of Anchore and our customers.

If you’re interested in learning more please contact us at [email protected]. We’d love to meet you.

Container adoption is soaring in enterprises and the public sector, making services such as Amazon Elastic Kubernetes Service extremely valuable for DevOps teams that want to run containerized workloads in Kubernetes easily and efficiently. For organizations that are already deploying, scaling and managing containerized applications with Kubernetes, Amazon EKS spreads your workload across availability zones to ensure a robust implementation of your Kubernetes control plane.

Announcing Anchore Engine in the AWS Marketplace

We are very excited to announce the availability of Anchore Engine in the AWS Marketplace. Anchore Engine allows users to bring industry-leading open source container security and compliance to their container landscape in EKS. Deployment is done using the Anchore Engine Helm Chart, which can be found in GitHub. So if you are already running an EKS cluster with Helm configured, you can now deploy Anchore Engine directly from the AWS marketplace to tighten up your Container security posture.

With our unique approach to static scanning, DevOps teams can seamlessly integrate Anchore into their CI/CD pipeline to ensure that images are analyzed thoroughly for known vulnerabilities before deploying them into production. This will not only avoid the pain of finding and remediating vulnerabilities at runtime but also allow the end-user to define and enforce custom security policies to meet their specific company’s internal policies and any applicable regulatory security standards.

Getting Started

To get started, take a look at the Anchore Engine documentation to familiarize yourself with the basics. Then, once you have EKS set up, visit the Anchore Engine AWS Marketplace page to take the next steps. 

Earlier this week Red Hat announced an exciting new offering for developers, technology partners, and users: the Red Hat Universal Base Image (UBI). Anchore is excited to announce that as of Anchore Enterprise 2.0 (including the OSS Anchore Engine), core Anchore container images will now be based on the Red Hat UBI.

As an organization that develops software that is primarily distributed to end-users as a collection of container images, we have derived great value and agility through the isolation and encapsulation that comes with developing on, building, testing, and distributing software using containers.

The Anchore services themselves are applications that utilize underlying libraries, dependencies and utilities that are typically provided by most Linux OS distributions, and as such our container images have historically been based on either CentOS or Ubuntu base images.

It is a testament to the effectiveness of container isolation that even though Anchore has changed which OS base image we’ve used, the user experience of running/upgrading Anchore across these changes has remained largely unchanged. However, there have been users who have asked for more from the underlying OS that Anchore services are built upon – specifically the ability to match the supported container and underlying OS infrastructure, and access to support options from the OS vendor for container-based service deployments. Up until now, we have not been able to provide crystal clear recommendations around these topics to our users.

“Red Hat is pleased to welcome Anchore as one of the first partners to adopt the Universal Base Image” said Lars Herrmann, senior director, Ecosystem Program, Red Hat. “We believe the availability of more freely redistributable, well-curated base images can simplify the development process for our partners and enhance the support experience of our mutual customers.”

The Red Hat Universal Base Image is derived directly from Red Hat Enterprise Linux, and is freely available and redistributable, enabling technology partners and application developers such as ourselves to build and distribute our container-based applications, all based on a familiar and trusted Red Hat based OS.

As an application developer, the availability of the UBI short-circuits complications that can arise from users and customers of ours, who are asking for OS-level support for our application, and many other use cases where a supported container OS environment is required (in particular, within large enterprises and regulated industries). In addition, UBI has made the Red Hat OSS software ecosystem fully accessible, when it comes to delivering end-to-end (from development, through build, to distribution) container-based software. Anchore users can now utilize familiarity with Red Hat software for system diagnosis/deep inspection within the Anchore containers (based on UBI), and most importantly can now “turn on” official Red Hat support for any base OS concerns when running on Red Hat Enterprise Linux or Red Hat OpenShift, in addition to the specialized support available from Anchore for our own services.

We’re excited to be an early adopter of the UBI offering from Red Hat, and believe that moving to UBI as our base container image clearly and immediately improves the options available to ourselves (as application developers) and to all users of Anchore, across the board.

For more information on the Anchore Enterprise 2.0 launch, as well as the Red Hat Universal Base Image announcements and material, please refer to the following links.

Learn More About the Red Hat Universal Base Image

Learn More About Anchore Enterprise 2.0

We’re truly excited today to announce the immediate availability of Anchore Enterprise version 2.0, the latest OSS and Enterprise software from Anchore that provides users with the tools and techniques needed to enforce container security, compliance and best-practices requirements with usable, flexible, cross-organization, and above all time-saving technology from Anchore. This release is based on the all-new (and also available today) OSS Anchore Engine version 0.4.0).

New Features of Enterprise 2.0

Building on top of the existing Anchore Enterprise 1,2 release, Anchore Enterprise version 2.0 adds major new features and architectural updates that collectively represent the technical expression of discussions, experiences, and feedback from customers and users of Anchore over the last several years. As we continue to gain in-depth insight into the challenges that Dev/Ops and Sec/Ops groups face, we’re observing container-based deployments becoming more of the norm rather than the exception (for production workloads).

As a consequence, the size, responsiveness, information retrieval and reporting breadth, and operational needs demanded of Anchore in its role as an essential piece of policy-based security and compliance infrastructure have grown in kind.

The overarching purpose of the new features and design of the 2.0 version of Anchore Enterprise is to directly address the challenges of continued growth and scale by extending the enterprise integration capabilities of Anchore, establishing an architecture that grows alongside our users’ demanding throughput and scale requirements, and offering even more insight into users’ container image environments through rich new APIs and reporting capabilities, all in addition to the rich set of enforcement capabilities included with Anchore Enterprise’s flexible policy engine.

The major new features and resources launched as part of Anchore Enterprise 2.0 include:

• GUI Dashboard: new configurable landing page for users of the Enterprise UI, presenting complex information summaries and metrics time series for deep insight into the collective status of your container image environment.
• Enterprise Reporting Service: entirely new service that runs alongside existing Anchore Enterprise services that exposes the full corpus of container image information available to Anchore Engine via a flexible GraphQL interface
• LDAP Integration: Anchore Enterprise can now be configured to integrate with your organization’s LDAP/AD identity management system, with flexible mappings of LDAP information to Anchore Enterprise’s RBAC account and user subsystem.
• Red Hat Universal Base Image: all Anchore Enterprise container images have been re-platformed atop the recently announced Red Hat Universal Base Image, bringing more enterprise-grade software and support options to users deploying Anchore Enterprise in Red Hat environments.
• Anchore Engine 0.4.0: Anchore Enterprise is built on top of the OSS Anchore Engine, which has received many new features and updates as well (see below for details).
• New Documentation and Resources: Alongside the release of Anchore Engine 0.4.0, we’ve launched a brand new documentation site that provides a more flexible structure, versioned documentation sets, and greatly enhanced feedback and contribution capabilities.
• New Support Portal: customers of Anchore Enterprise 2.0 are now provided with full access to a new support portal for better ticket tracking and feature request submissions.

Anchore Engine OSS

Anchore Enterprise 2.0 is built on top of Anchore Engine version 0.4.0 – a new version of the fully functional core services that drive all Anchore deployments. Anchore Engine has received a number of new features and other new project updates:

• Automated Data Management: new automation capabilities and rules allow simplified management of the volume of analysis data while still supporting audit capabilities. New data tiers support flexible management of Anchore data resources as your deployment grows and scales over time.
• Policy Hub: centralized repository of Anchore policies, accessible by all Anchore users, where pre-canned policies are available either to be used directly or as a starting point for your own policy definitions.
• Rootless Analyzers: new implementation of the core image analysis capabilities of Anchore which no longer require any special access to handle the high variability found within container images, while still providing the deep inspection needed for powerful security and compliance enforcement.
• Red Hat Universal Base Image: all Anchore Engine container images have been re-platformed atop the recently announced and freely available Red Hat Universal Base Image, bringing more enterprise-grade software and support options to users deploying Anchore Engine in Red Hat environments.

For a full description of new features, improvements and fixes available in Anchore Engine OSS, click here.

Once again, we would like to sincerely thank all of our open-source users, customers and contributors for all of the spirited discussion, feedback, and code contributions that are all part of this latest release of Anchore Engine OSS! If you’re new to Anchore, we would like nothing more than to have you join our community!

Anchore Enterprise 2.0 Available Now

With Anchore Enterprise 2.0, available immediately, our goal has been to include a brand new set of large scale and enterprise-focused updates for all Anchore users that can be utilized immediately by upgrading existing deployments of Anchore Enterprise or Anchore Engine OSS.

For users looking for comprehensive solutions to the unique challenges of securing and enforcing best-practices and compliance to existing CI/CD, container monitoring and control frameworks, and other container-native pipelines, we sincerely hope you enjoy our latest release of Anchore software and other resources – we look forward to working with you!

For more information on requesting a trial, or getting started with Anchore Enterprise 2.0, please direct your browser to the Anchore Enterprise.