The Anchore Cloud delivers a free service to let anyone discover and analyze images on public container registries such as DockerHub. Anchore’s SaaS service regularly polls public container registries and performs analysis on hundreds of public images – both official and non-official. Anchore collects and stores detailed data about these images including historic information such as how often an image has been updated and the history of image tags.
Today all official repos are scanned, along with many popular non-official repos. Logged-in users can request that other public images be scanned.
Once a repo has been selected, users can select an image from a sortable list of tags which shows the tag name, last update, update frequency and size of an image. Selecting an image allows a user to view detailed information about the image, including information that is typically not available from public registries, including the image digest, operating system, and labels.
The Anchore Cloud allows users to perform a deep inspection of the image to see all the operating system packages, Node.JS modules and RubyGEMs; in fact, every file in the image is covered in the analysis.
For images with historic information, Anchore Cloud allows details from previous versions of a Tag to be displayed along with a change log that is generated by the system to show what packages and files changed between images.
Security & Compliance
A detailed security report including Common Vulnerabilities and Exposures (CVEs) can be viewed, allowing the user to see what packages triggered vulnerability alerts and if an update is available.
In addition to listing security vulnerabilities, Anchore Cloud shows the policy compliance of the image using the default Anchore policy, which assesses an image's compliance based on CVEs, Dockerfile contents and package manifest.
Graphical Policy Editor
The Anchore Cloud service also includes a graphical policy editor which allows you to create your own custom policies and define which policies are used with which images. For example, you could create a different policy to apply to web-facing Node.JS apps than the policy you apply to an internal database service. You start with Anchore's default policies and can extend them with your own custom checks.
The policy editor supports CVE whitelisting – allowing a curated set of CVEs to be excluded from security analysis.
Scan Private Repositories
In addition to the free Anchore Cloud solution, the Premium offering allows users to perform analysis and policy evaluation on container images stored in an organization's private repositories on DockerHub or Amazon EC2 Container Registry (ECR).
The container images can be inspected using Anchore Cloud and policies can be defined using the graphical policy editor. A Jenkins CI/CD plugin can also be installed on-prem that integrates with Anchore Cloud to scan these images as they pass through the CI/CD pipeline.
Users can subscribe to receive notifications when images are updated, when new vulnerabilities are discovered, or if an image moves out of compliance.