Unpacking the Power of Policy at Scale in Anchore

Generating a software bill of materials (SBOM) is starting to become common practice. Is your organization using them to their full potential? Here are a couple questions Anchore can help you answer with SBOMs and the power of our policy engine:

  • How far off are we from meeting the security requirements that Iron Bank, NIST, CIS, and DISA put out around container images?
  • How can I standardize the way our developers build container images to improve security without disrupting the development team’s output?
  • How can I best prioritize this endless list of security issues for my container images?
  • I’m new to containers. Where do I start on securing them?

If any of those questions still need answering at your organization and you have five minutes, you’re in the right place. Let’s dive in.

If you’re reading this you probably already know that Anchore creates developer tools to generate SBOMs, and has been since 2016. Beyond just SBOM generation, Anchore truly shines when it comes to its policy capabilities. Every company operates differently — some need to meet strict compliance standards while others are focused on refining their software development practices for enhanced security. No matter where you’re at in your container security journey today, Anchore’s policy framework can help improve your security practices.

Anchore Enterprise has a tailored approach to policy and enforcement that means whether you’re a healthcare provider abiding by stringent regulations or a startup eager to fortify its digital defenses, Anchore has got you covered. Our granular controls allow teams to craft policies that align perfectly with their security goals.

Exporting Policy Reports with Ease

Anchore also has a nifty command line tool called anchorectl that allows you to grab SBOMs and policy results related to those SBOMs. There are a lot of cool things you can do with a little bit of scripting and all the data that Anchore Enterprise stores. We are going to cover one example in this blog.

Once Anchore has created and stored an SBOM for a container image, you can quickly get the policy results for that image. The following anchorectl command evaluates an image against the docker-cis-benchmark policy bundle:

anchorectl image details <image-id> -p docker-cis-benchmark

That command returns the policy result in a few seconds. Let’s say your organization develops 100 images and you want to meet the CIS benchmark standard. You wouldn’t want to assess each of these images individually; that sounds exhausting.

To solve this problem, we have created a script that can iterate over any number of images, merge the results into a single policy report, and export it to a CSV file. This lets you make strategic decisions about how to move most effectively towards compliance with the CIS benchmark (or any other standard).
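The merge-and-export step, as an added example that is not Anchore’s policy-report.py: it takes already-collected findings (a constructed sample here, in an assumed flat record shape rather than a guaranteed anchorectl output schema), rolls them up into the kind of fleet-wide metrics reported below, and writes one CSV report.

```python
import csv
import io

def row(image, gate, trigger, severity, output, fix=""):
    return {"image": image, "gate": gate, "trigger": trigger,
            "severity": severity, "fix": fix, "check_output": output}

# Constructed sample: policy findings for three images, already merged into one
# list. The gate/trigger names follow Anchore's policy gates, but this flat
# record shape is an assumption for the example, not a guaranteed anchorectl schema.
SAMPLE_FINDINGS = [
    row("app-a:1.0", "dockerfile", "effective_user", "high", "User root found as effective user"),
    row("app-a:1.0", "dockerfile", "instruction", "medium", "Dockerfile directive 'ADD' found"),
    row("app-a:1.0", "vulnerabilities", "package", "high", "HIGH vuln in libfoo-1.2.3", fix="1.2.4"),
    row("app-a:1.0", "vulnerabilities", "package", "low", "LOW vuln in libbar-0.9", fix="None"),
    row("app-b:2.1", "dockerfile", "no_healthcheck", "low", "Dockerfile has no HEALTHCHECK"),
    row("app-b:2.1", "secret_scans", "content_regex_checks", "high", "AWS_ACCESS_KEY in /app/.env, line 3"),
    row("app-c:0.3", "dockerfile", "effective_user", "high", "User root found as effective user"),
    row("app-c:0.3", "malware", "scans", "critical", "Miner signature matched in /usr/bin/xmr"),
]

def summarize(findings):
    """Roll merged findings up into the fleet-wide metrics the post reports."""
    images = {f["image"] for f in findings}
    n = len(images)
    def images_with(gate, trigger, text=""):
        return {f["image"] for f in findings
                if f["gate"] == gate and f["trigger"] == trigger and text in f["check_output"]}
    vulns = [f for f in findings if f["gate"] == "vulnerabilities"]
    fixable = [v for v in vulns if v["fix"].lower() not in ("", "none")]
    pct = lambda part, whole: round(100.0 * part / whole, 1) if whole else 0.0
    return {
        "images": n,
        "root_images": len(images_with("dockerfile", "effective_user")),
        "add_pct": pct(len(images_with("dockerfile", "instruction", "'ADD'")), n),
        "no_healthcheck_pct": pct(len(images_with("dockerfile", "no_healthcheck")), n),
        "vulns": len(vulns),
        "vulns_with_fix": len(fixable),
        "fix_pct": pct(len(fixable), len(vulns)),
        "secrets": sum(f["gate"] == "secret_scans" for f in findings),
        "malware": sum(f["gate"] == "malware" for f in findings),
    }

def to_csv(findings):
    """Export the merged findings as one CSV report; csv quotes values with commas."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=list(findings[0].keys()), lineterminator="\n")
    writer.writeheader()
    writer.writerows(findings)
    return buf.getvalue()
```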

In this example, we ran the script against 30 images in our Anchore deployment. Now let’s take a holistic look at how far off we are from CIS compliance. Here are a few metrics that stand out:

  • 26 of the 30 images are running as ‘root’
  • 46.9% of our total vulnerabilities have fixes available (4978/10611)
  • ADD instructions are being used in 70% of our images
  • Health checks missing in 80% of our images
  • 14 secrets (all from the same application team)
  • 1 malware hit (Cryptominer Casey is at it again)

As a security team member, I didn’t write any of this code myself, which means I need to work with my developer colleagues on the product/application teams to clear up these security issues. Usually this means an email that educates my colleagues on how to use health checks, prefer COPY over ADD in Dockerfiles, declare a non-privileged user instead of root, and upgrade packages that have fixes available (e.g., with Dependabot). Finally, I would prioritize investigating for myself how that malware made its way into that image.

This example illustrates how storing SBOMs and applying policy rules against them at scale can streamline your path to your container security goals.

Visualizing Your Aggregated Policy Reports

While this raw data is useful in and of itself, there are times when you may want to visualize the data in a way that is easier to understand.  While Anchore Enterprise does provide some dashboarding capabilities, it is not and does not aim to be a versatile dashboarding tool. This is where utilizing an observability vendor comes in handy.

In this example, I’ll be using New Relic as they provide a free tier that you can sign up for and begin using immediately. However, other providers such as Datadog and Grafana would also work quite well for this use case. 

Importing your Data

  1. Download the tsv-to-json.py script
  2. Save the data produced by the policy-report.py script as a TSV file
    • We use TABs as a separator because commas are used in many of the items contained in the report.
  3. Run the tsv-to-json.py script against the TSV file:

python3 tsv-to-json.py aggregated_output.tsv > test.json

  4. Sign up for a New Relic account here
  5. Find your New Relic Account ID and License Key
    • Your New Relic Account ID can be seen in your browser’s address bar upon logging in to New Relic, and your New Relic License Key can be found on the right-hand side of the screen upon initial login to your New Relic account.
  6. Use curl to push the data to New Relic:

gzip -c test.json | curl \
-X POST \
-H "Content-Type: application/json" \
-H "Api-Key: <YOUR_NEWRELIC_LICENSE_KEY>" \
-H "Content-Encoding: gzip" \
https://insights-collector.newrelic.com/v1/accounts/<YOUR_NEWRELIC_ACCOUNT_ID>/events \
--data-binary @-
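An added example of the TSV-to-event conversion that the tsv-to-json.py step performs (this is not Anchore’s script): it reads the tab-separated report, emits flat records carrying the Anchore<timestamp> eventType, coerces numeric columns so NRQL can aggregate them, and splits the JSON into batches under an assumed 1 MB per-POST ceiling before you gzip and curl them as above.

```python
import csv
import io
import json
import time
# Constructed TSV sample in the shape policy-report.py is described as producing:
# one finding per row, tab-separated because the values themselves contain commas.
SAMPLE_TSV = (
    "image\tgate\ttrigger\tseverity\tcheck_output\n"
    "app-a:1.0\tdockerfile\teffective_user\thigh\tUser root found as effective user\n"
    "app-a:1.0\tvulnerabilities\tpackage\thigh\tHIGH vuln in libfoo-1.2.3, fix: 1.2.4\n"
    "app-b:2.1\tsecret_scans\tcontent_regex_checks\thigh\tAWS_ACCESS_KEY in /app/.env, line 3\n"
)

def _coerce(value):
    """Turn numeric-looking strings into numbers so NRQL can sum()/average() them."""
    if value.strip().lstrip("-").replace(".", "", 1).isdigit():
        return float(value) if "." in value else int(value)
    return value

def _attr_name(header):
    """Event attribute names: keep letters, digits and underscores only."""
    return "".join(c if c.isalnum() or c == "_" else "_" for c in header.strip())

def tsv_to_events(tsv_text, now=None):
    """Convert TSV rows to New Relic Event API records: flat objects with an
    'eventType' ("Anchore" + epoch seconds, as in the post) plus attributes."""
    event_type = f"Anchore{int(time.time() if now is None else now)}"
    events = []
    for rec in csv.DictReader(io.StringIO(tsv_text), delimiter="\t"):
        event = {"eventType": event_type}
        for header, value in rec.items():
            event[_attr_name(header)] = _coerce(value or "")
        events.append(event)
    return events

def to_batches(events, max_bytes=1_000_000):
    """Serialize events into JSON arrays that each stay under the Event API's
    per-POST payload ceiling (assumed 1 MB uncompressed; check current limits)."""
    batches, current = [], []
    for event in events:
        if current and len(json.dumps(current + [event]).encode()) > max_bytes:
            batches.append(json.dumps(current))
            current = []
        current.append(event)
    if current:
        batches.append(json.dumps(current))
    return batches
```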

Visualizing Your Data

New Relic uses the New Relic Query Language (NRQL) to perform queries and render charts based on the resulting data set.  The tsv-to-json.py script you ran earlier converted your TSV file into a JSON file compatible with New Relic’s event data type.  You can think of each collection of events as a table in a SQL database.  The tsv-to-json.py script will automatically create an event type for you, combining the string “Anchore” with a timestamp.

To create a dashboard in New Relic containing charts, you’ll need to write some NRQL queries.  Here is a quick example:

FROM Anchore1698686488 SELECT count(*) FACET severity

This query counts the total number of entries in the event type named Anchore1698686488 and groups them by the associated vulnerability’s severity. You can experiment with creating your own queries, or start by importing the template we have created for you here.

Wrap-Up

The security data that your tools create is only as good as the insights you can derive from it. In this blog post, we covered a way to help security practitioners turn a mountain of security data into actionable, prioritized security insights that can help your organization improve its security posture and meet compliance standards more quickly. That said, this blog post assumes you are already an Anchore Enterprise customer.

Looking to learn more about how to use a policy-based security posture to meet DoD compliance standards like cATO or CMMC? One of the most popular technology shortcuts is to use a DoD software factory. Anchore has been helping organizations and agencies put the Sec in DevSecOps by securing traditional software factories, transforming them into DoD software factories. Get caught up with the content below: