What is Anchore?
Anchore provides you with insight and control over the contents of your containers from the start of development all the way to production.
What’s Inside Your Container Images?
With Docker and containers it’s never been easier to deploy and run any application. Developers now have access to thousands of applications ready to run right “off the shelf” and the ability to quickly build and publish their own images.
In addition to the application, the container image may contain hundreds of packages and thousands of files including binaries, shared libraries, configuration files, and 3rd party modules. Any one of these components may contain a security vulnerability, an outdated software module, a misconfigured configuration file or simply fail to comply with your operational or security best practices.
The Tip of the Iceberg
Image scanning solutions focus on scanning the operating system image for known vulnerabilities (CVEs). While this is a critical check to perform, it is just the first step. An image may contain no operating system packages with known vulnerabilities but may still be insecure, misconfigured or in some other way out of compliance.
Below the Surface
Packages: Analysis and reporting on operating system packages: required packages, blacklisted packages, non-official packages, required package versions, available updates that address non-security bugs.
Blacklist: Artifacts that should not be present in your image, such as source code and secrets (API keys, passwords, etc.).
Libraries: Images may contain many 3rd party components not provided by the operating system vendor, such as Node.js NPM, Ruby GEMs, Python PIP, Perl CPAN and Java archives. All of these artifacts should undergo the same level of scrutiny as the operating system packages.
Configuration: Configuration files for the operating system, middleware and application components should meet operational best practices and comply with your security and compliance guidelines.
Image Configuration: Image configuration such as the Dockerfile should be validated to ensure that it complies with best practices and your corporate standards.
Other: Any element in the image can be checked, including file permissions and the presence of unpackaged files that are not part of standard packages or libraries.
Analyze Container Images
Anchore analysis tools inspect your container image and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files, and language modules and artifacts such as NPM, pip, GEM and Java archives.
Using Anchore tools, policies can be defined that specify rules to govern security vulnerabilities, package whitelists and blacklists, configuration file contents, presence of credentials in the image, manifest changes, exposed ports or any user-defined checks. These policies can be deployed site wide or customized for specific images or categories of applications.
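To make the idea of policy rules over an image bill of materials concrete, the following is an added, self-contained illustration; it is not Anchore's code and does not use Anchore's policy format. The manifest and policy are constructed values with this example's own field names (os_packages, language_modules, files, dockerfile), and the checks mirror the categories listed above: blacklisted and required packages, blacklisted artifacts and credentials, file permissions, unpackaged files, and exposed ports from the Dockerfile. Each rule yields a finding with a gate name and an action, and the image as a whole gets a verdict of go, warn or stop.

```python
import re
from dataclasses import dataclass

# Constructed image manifest standing in for a scanner's "bill of materials".
# Field names and values are this example's own, not a real scanner's output.
MANIFEST = {
    "os_packages": {"openssl": "1.1.1k-1", "curl": "7.74.0-1", "telnet": "0.17-42"},
    "language_modules": {"npm:lodash": "4.17.15", "pip:requests": "2.25.1"},
    "files": [
        {"path": "/usr/bin/curl", "mode": 0o755, "owned_by_package": True},
        {"path": "/usr/bin/helper", "mode": 0o777, "owned_by_package": False},
        {"path": "/app/.env", "mode": 0o644, "owned_by_package": False,
         "content": "AWS_ACCESS_KEY_ID=AKIAEXAMPLEKEY000000\n"},  # constructed, not a real key
        {"path": "/root/.ssh/id_rsa", "mode": 0o600, "owned_by_package": False},
    ],
    "dockerfile": ["FROM debian:11", "EXPOSE 80", "EXPOSE 2375", "USER root"],
}

# Constructed site policy: what must, and must not, be in an image.
POLICY = {
    "blacklisted_packages": {"telnet"},
    "required_packages": {"ca-certificates"},
    "blacklisted_paths": [r"\.env$", r"/\.ssh/id_[a-z0-9]+$", r"\.(c|py|go)$"],
    "secret_patterns": {"aws_access_key": r"AKIA[0-9A-Z]{16}"},
    "allowed_ports": {80, 443},
    "unpackaged_roots": ("/usr/bin", "/usr/sbin", "/bin", "/sbin"),
}


@dataclass(frozen=True)
class Finding:
    gate: str    # which class of check fired: packages, files, secrets, dockerfile
    detail: str  # what was found
    action: str  # "stop" blocks the image, "warn" only reports it


def check_packages(manifest, policy):
    """OS packages and language modules are held to the same blacklist/required rules."""
    findings = []
    inventory = {**manifest["os_packages"], **manifest["language_modules"]}
    names = set(inventory)
    for name in sorted(policy["blacklisted_packages"] & names):
        findings.append(Finding("packages", f"blacklisted package {name} {inventory[name]}", "stop"))
    for name in sorted(policy["required_packages"] - names):
        findings.append(Finding("packages", f"required package {name} missing", "warn"))
    return findings


def check_files(manifest, policy):
    """Blacklisted artifacts, embedded credentials, permissions and unpackaged files."""
    findings = []
    for f in manifest["files"]:
        path = f["path"]
        if any(re.search(p, path) for p in policy["blacklisted_paths"]):
            findings.append(Finding("files", f"blacklisted artifact {path}", "stop"))
        for label, pattern in policy["secret_patterns"].items():
            if re.search(pattern, f.get("content", "")):
                findings.append(Finding("secrets", f"{label} found in {path}", "stop"))
        if f["mode"] & 0o002:  # world-writable bit set
            findings.append(Finding("files", f"world-writable {path} ({oct(f['mode'])})", "warn"))
        if not f["owned_by_package"] and path.startswith(policy["unpackaged_roots"]):
            findings.append(Finding("files", f"unpackaged file {path} in system path", "warn"))
    return findings


def check_dockerfile(manifest, policy):
    """Image configuration checks: exposed ports outside the allowed set, running as root."""
    findings = []
    for line in manifest["dockerfile"]:
        instr, _, arg = line.partition(" ")
        if instr == "EXPOSE":
            for port in arg.split():
                num = int(port.split("/")[0])  # "8080/tcp" -> 8080
                if num not in policy["allowed_ports"]:
                    findings.append(Finding("dockerfile", f"port {num} exposed but not allowed", "stop"))
        elif instr == "USER" and arg.strip() == "root":
            findings.append(Finding("dockerfile", "image runs as root", "warn"))
    return findings


def evaluate(manifest, policy):
    """Run every gate and reduce the findings to a single verdict: go, warn or stop."""
    findings = (check_packages(manifest, policy)
                + check_files(manifest, policy)
                + check_dockerfile(manifest, policy))
    if any(f.action == "stop" for f in findings):
        verdict = "stop"
    elif findings:
        verdict = "warn"
    else:
        verdict = "go"
    return verdict, findings


if __name__ == "__main__":
    verdict, findings = evaluate(MANIFEST, POLICY)
    for f in findings:
        print(f"[{f.action:4}] {f.gate:10} {f.detail}")
    print("verdict:", verdict)
```

The constructed image fails on five stop-level findings (a blacklisted package, two blacklisted artifacts, an embedded access key pattern and a non-allowed exposed port) and four warnings, so the verdict is stop; the same evaluator returns go for an image with none of these issues, which is the property a pipeline gate would act on.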
Manage Your Workflow
Anchore can be run at any point in the development pipeline to produce reports or to evaluate policies, allowing policy violations to be caught and fixed early in the development lifecycle.