What is Anchore?

Anchore provides you with insight and control over the contents of your containers from the start of development all the way to production.

What’s Inside Your Container Images?

With Docker and containers it’s never been easier to deploy and run any application. Developers now have access to thousands of applications ready to run right “off the shelf” and the ability to quickly build and publish their own images.

In addition to the application, a container image may contain hundreds of packages and thousands of files, including binaries, shared libraries, configuration files, and third-party modules. Any one of these components may carry a security vulnerability, be an outdated software module, be misconfigured, or simply fail to comply with your operational or security best practices.

The Tip of the Iceberg

Most image scanning solutions focus on checking the operating system packages in an image for known vulnerabilities (CVEs). While this is a critical check to perform, it is only the first step: an image may contain no operating system packages with known vulnerabilities and still be insecure, misconfigured, or otherwise out of compliance.

BELOW THE SURFACE

Packages

Analysis and reporting on operating system packages: required packages, blacklisted packages, non-official packages, required package versions, and available updates that address non-security bugs.

Blacklist

Artifacts that should not be present in your image, such as source code and secrets (API keys, passwords, etc.).

Libraries

Images may contain many third-party components not provided by the operating system vendor, such as Node.js npm modules, Ruby gems, Python pip packages, Perl CPAN modules, and Java archives. All of these artifacts should undergo the same level of scrutiny as the operating system packages.

Configuration

Configuration files for the operating system, middleware and application components should meet operational best practices and comply with your security and compliance guidelines.

Image Configuration

Image configuration such as the Dockerfile should be validated to ensure that it complies with best practices and your corporate standards.

Other

Any element in the image can be checked, including file permissions and the presence of unpackaged files, that is, files not owned by any installed package or language module.


Have Confidence in Your Container Deployments

Analyze Container Images

Anchore analysis tools inspect your container image and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files, and language modules and artifacts such as npm modules, pip packages, gems, and Java archives.

Define Policies

Using Anchore tools, policies can be defined that specify rules governing security vulnerabilities, package whitelists and blacklists, configuration file contents, the presence of credentials in the image, manifest changes, exposed ports, or any user-defined check. These policies can be deployed site-wide or customized for specific images or categories of applications.

Manage Your Workflow

Anchore can be run at any point in the development pipeline to produce reports or to evaluate policies, allowing policy violations to be caught and fixed early in the development lifecycle.


Anchore in the CI/CD Pipeline

Anchore is designed to seamlessly integrate into your existing Continuous Integration & Continuous Delivery infrastructure allowing image inspection, analysis and policy compliance to be evaluated as part of every build and at each stage of the CI/CD pipeline.


PUSH

A developer pushes code to the source code repository.

BUILD

The push triggers the CI/CD system to build a new container image from the latest code.

ANALYZE

As part of the build pipeline, Anchore analyzes the image and stores detailed analysis data that can be queried at a later date.

EVALUATE

Policy evaluation is performed with the results returned to the CI/CD platform.

REPORT

Policy violations can cause the build to fail. Passing policy checks allows the image to continue to the next stage of the build pipeline.
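The policy evaluation described under ‘Define Policies’ and the ANALYZE, EVALUATE and REPORT steps above, as an added example that is not Anchore’s own code or policy format (Python is assumed here for illustration): a hand-built image manifest stands in for the analyzer output, a small policy object stands in for a site policy, and the gate returns the exit code a CI job would use to fail the build. The package names, versions, file paths, file contents and rules are all constructed for the example.

```python
"""Toy policy gate for a container image bill of materials.

Added example, not Anchore's own code or policy format: it models the
ANALYZE -> EVALUATE -> REPORT steps with a hand-built manifest and a
small policy so that it runs offline.
"""
import fnmatch
import re
from dataclasses import dataclass, field

# Constructed sample manifest. A real analyzer would extract these from the
# image layers; the package versions, paths and contents here are made up.
SAMPLE_IMAGE = {
    "os_packages": {"openssl": "1.1.1f", "curl": "7.68.0", "telnet": "0.17", "bash": "5.0"},
    "npm_modules": {"express": "4.17.1", "lodash": "4.17.21"},
    "dockerfile": [
        "FROM ubuntu:20.04",
        "RUN apt-get install -y telnet",
        "EXPOSE 22",
        "EXPOSE 8080",
        'CMD ["node", "app.js"]',
    ],
    "files": {
        "/app/app.js": "const express = require('express');\n",
        # The value below is the AWS documentation example key, not a real credential.
        "/app/.env": "AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY\n",
        "/etc/ssh/sshd_config": "PermitRootLogin yes\nPasswordAuthentication no\n",
        "/app/src/main.c": "int main(void) { return 0; }\n",
    },
}


@dataclass
class Finding:
    gate: str      # which check produced the finding
    message: str
    action: str    # "STOP" fails the build, "WARN" is reported only


@dataclass
class Policy:
    blacklisted_packages: dict = field(default_factory=dict)    # name -> action
    required_packages: set = field(default_factory=set)
    blacklisted_ports: set = field(default_factory=set)
    blacklisted_file_globs: list = field(default_factory=list)  # artifacts that must not ship
    config_rules: list = field(default_factory=list)            # (path, regex, message)
    secret_patterns: list = field(default_factory=list)         # (label, compiled regex)


# Constructed site policy: an assumption for the example, not a real Anchore policy.
SAMPLE_POLICY = Policy(
    blacklisted_packages={"telnet": "STOP"},
    required_packages={"openssl", "ca-certificates"},
    blacklisted_ports={22},
    blacklisted_file_globs=["*.c", "*.env"],
    config_rules=[("/etc/ssh/sshd_config", r"^PermitRootLogin\s+yes", "root SSH login is enabled")],
    secret_patterns=[
        ("AWS secret access key", re.compile(r"AWS_SECRET_ACCESS_KEY\s*=\s*\S{40}")),
        ("PEM private key", re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----")),
    ],
)


def evaluate(image, policy):
    """Run every policy gate against the manifest and return the findings."""
    findings = []
    packages = {**image["os_packages"], **image["npm_modules"]}
    for name, action in policy.blacklisted_packages.items():
        if name in packages:
            findings.append(Finding("packages", f"blacklisted package {name}-{packages[name]} installed", action))
    for name in sorted(policy.required_packages - set(packages)):
        findings.append(Finding("packages", f"required package {name} missing", "STOP"))
    for line in image["dockerfile"]:
        if line.upper().startswith("EXPOSE"):
            for port in line.split()[1:]:
                if int(port.split("/")[0]) in policy.blacklisted_ports:
                    findings.append(Finding("dockerfile", f"image exposes blacklisted port {port}", "STOP"))
    for path, content in image["files"].items():
        for pattern in policy.blacklisted_file_globs:
            if fnmatch.fnmatch(path, pattern):
                findings.append(Finding("files", f"{path} matches blacklisted glob {pattern}", "WARN"))
        for label, regex in policy.secret_patterns:
            if regex.search(content):
                findings.append(Finding("secrets", f"{label} found in {path}", "STOP"))
    for path, pattern, message in policy.config_rules:
        content = image["files"].get(path)
        if content is not None and re.search(pattern, content, re.MULTILINE):
            findings.append(Finding("config", f"{path}: {message}", "STOP"))
    return findings


def final_action(findings):
    """The gate decision: any STOP finding fails the image, WARN alone passes."""
    return "STOP" if any(f.action == "STOP" for f in findings) else "PASS"


def report(image, policy):
    """Print the findings and return the process exit code for the CI job."""
    findings = evaluate(image, policy)
    for f in findings:
        print(f"{f.action:4} {f.gate:10} {f.message}")
    verdict = final_action(findings)
    print(f"final action: {verdict}")
    return 0 if verdict == "PASS" else 1


if __name__ == "__main__":
    raise SystemExit(report(SAMPLE_IMAGE, SAMPLE_POLICY))
```

Run it directly to see the findings and the final action. In a pipeline the exit code is what the CI system reacts to; the WARN findings show how a rule can be reported without failing the build, while a blacklisted package, an exposed port, a leaked key or a weak configuration line each stop the image on its own.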


Integration with Leading Tools, Platforms, and Registries

Anchore works with leading CI/CD platforms, with public and private registries, and with the leading container runtime platforms, with out-of-the-box integrations including: