On Premise Container Security and Compliance
The Anchore Engine is an open source project that provides a centralized service for performing detailed analysis on container images, running queries, producing reports and defining policies that can be used in CI/CD pipelines.
Synchronize Feed Data from Anchore Cloud
The Anchore feed service downloads feed data from Anchore’s cloud, which includes CVE data from operating system distributions as well as package data from popular software repositories such as the Node.js npm registry and the RubyGems registry. This feed data is stored in the Postgres database and automatically updated at a user-defined interval to ensure that the latest vulnerability and package data is used.
Deep Image Analysis
The Engine downloads container images from Docker V2-compatible registries, performs a detailed inspection using a set of extensible analysis modules, and generates a detailed manifest of the image: a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files, language modules and artifacts such as npm, pip, gem and Java archives.
In addition to providing information about an image, the Anchore Engine will perform an evaluation of the image based on policies defined by the user. A policy is made up of a set of rules that are used to evaluate a container image. These rules can include checks on security vulnerabilities, package whitelists, blacklists, configuration file contents, presence of credentials in the image, manifest changes, exposed ports or other user-defined checks. These policies can be applied globally or customized for specific images or categories of applications.
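As an added illustration (not Anchore Engine’s own code or policy format), the following toy evaluator applies rules of the kinds listed above to a constructed image bill of materials; the rule names, manifest fields and CVE ids are made up for the example:

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Rule:
    check: str               # "vulnerability", "blacklist", "exposed_port" or "credentials"
    action: str              # "STOP" fails the image, "WARN" only reports the finding
    params: dict = field(default_factory=dict)

def evaluate(manifest: dict, rules: list[Rule]) -> tuple[str, list[str]]:
    """Return ("pass" | "fail", findings); any STOP finding fails the image."""
    findings, status = [], "pass"
    for r in rules:
        hits = []
        if r.check == "vulnerability":          # CVEs at or above a severity floor
            floor = SEVERITY_RANK[r.params["min_severity"]]
            hits = [f"{v['id']} ({v['severity']}) in {v['package']}"
                    for v in manifest["vulnerabilities"]
                    if SEVERITY_RANK[v["severity"]] >= floor]
        elif r.check == "blacklist":            # packages that must not be present
            hits = [p for p in manifest["packages"] if p in set(r.params["packages"])]
        elif r.check == "exposed_port":         # ports outside the allowed set
            hits = [str(p) for p in manifest["exposed_ports"] if p not in r.params["allowed"]]
        elif r.check == "credentials":          # files that look like secrets
            hits = [f for f in manifest["files"] if f.endswith((".pem", "id_rsa", "credentials"))]
        for h in hits:
            findings.append(f"{r.action}: {r.check}: {h}")
            if r.action == "STOP":
                status = "fail"
    return status, findings

# Constructed sample manifest and policy (hypothetical; not real analysis output).
SAMPLE_MANIFEST = {
    "packages": ["openssl-1.0.2k", "bash-4.4", "telnet-0.17"],
    "vulnerabilities": [{"id": "CVE-EXAMPLE-0001", "severity": "high", "package": "openssl-1.0.2k"},
                        {"id": "CVE-EXAMPLE-0002", "severity": "low", "package": "bash-4.4"}],
    "exposed_ports": [443, 23],
    "files": ["/etc/passwd", "/root/.ssh/id_rsa"],
}
SAMPLE_POLICY = [
    Rule("vulnerability", "STOP", {"min_severity": "high"}),
    Rule("blacklist", "STOP", {"packages": ["telnet-0.17"]}),
    Rule("exposed_port", "WARN", {"allowed": [80, 443]}),
    Rule("credentials", "STOP"),
]

if __name__ == "__main__":
    print(*evaluate(SAMPLE_MANIFEST, SAMPLE_POLICY), sep="\n")
```

Run against the sample manifest it returns "fail" with four findings; the exposed-port hit is only a WARN, so on its own it would not fail the image.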
How to Get Started
Get started by heading over to the Anchore Engine GitHub repo, or read more about the Engine in the project wiki.