• Get application security done the right way! Detect, Protect, Monitor, Accelerate, and more…
  • The Anchore Engine is an open-source tool for scanning and analyzing container images for security vulnerabilities and policy issues. It is available as a Docker container image that can run within an orchestration platform, or as a standalone installation.

    This is a useful security tool that enables developers and QA teams to test, identify, and address vulnerabilities in the images they are using to create applications.

    In this article, we will look at how to install and use the Anchore image vulnerability scanner. Generally, there are are several implementation methods. However, I will focus on the following two,

    • Using the AnchoreCLI command-line option
    • GUI based Jenkins Anchore Container Image Scanner plugin.

    We will show you how to install, configure, and start the engine, configure and use the AnchoreCLI command-line tool as well as the Jenkins plugin. For each of the two methods, you will learn how to add the images to scan, perform the scan, and view reports.

    At the end of the article, you will learn the following three things.

    • Installing and configuring the Anchore Engine
    • Installing, configuring and using AnchoreCLI
    • Configuring and using Anchore Container Image Scanner Plugin in Jenkins

    Prerequisites

    The following are the requirements for this tutorial;

    • A local or virtual machine with Ubuntu 18.04 and the following;
    • Docker
    • Docker-compose
    • Jenkins Installed and running
    • sudo user

    Step 1:— Setup the working directories and download the configuration files.

    Create a working directory for your Anchore files. Within that directory, you’ll create two subdirectories, one for the configuration, and one for the database.

    Create a home directory for the Anchore files

    mkdir anchore

    Go to the new directory and create the configuration and database subdirectories.

    cd anchore
    
    mkdir config
    
    mkdir db

    Download the configuration files

    Once the directories are ready, we will download two configuration files (docker-compose.yaml and config.yaml) from the Github project.

    To download the docker-compose.yaml

    Go to the anchore home directory and use the command

    curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml > docker-compose.yaml

    Then download the config.yaml to the ~/anchore/config directory

    curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml -o ~/anchore/config/config.yaml

    The config.yaml file is a configuration file with the basic settings that the anchore engine service requires to run. It has several parameters, including includes the default, log level, listening port, username, password, and others that you can adjust to meet specific requirements.

    It is a good security practice to change the password, and you can do this by editing the config.yaml file. However, in this tutorial, we will use the default settings.

    To continue with the default credentials, (username – admin and password – foobar), proceed to step 2.

    Changing Anchore Engine credentials (optional)

    From the anchore directory use the command

    nano ~/anchore/config/config.yaml

    Locate the username (admin) and password (foobar) and change to your preferred values.

    Press CTRL + X, then Y to save and exit.

    With the working directories and configuration files in place, the system is ready for the installation of the Anchore Engine.

    Step 2: — Install and start the Anchore Engine

    You will use the Docker compose to install and start the Anchore Engine and database.

    From the anchore home directory, run.

    docker-compose up -d

    This will automatically pull the Anchore image and then create the Anchore engine and database in the home and ~/anchore/database/ directories respectively. Upon completion, the command will start the Anchore engine.

    After successfully installing and starting the anchore engine, you can now scan the images using the anchore command line AnchoreCLI. However, you need first to install the AnchoreCLI command-line utility, as shown below.

    Installing, configuring AnchoreCLI

    In this step, you will learn how to install and configure the AnchoreCLI command-line tool.

    Step 3: — Install AnchoreCLI

    In this tutorial, we will first install the python-pip utility, which will then use to install the AnchoreCLI from the source.

    To install Python pip. For to the Anchore home directory and run

    sudo apt-get update
    sudo apt-get install python-pip
    sudo pip install --upgrade setuptools

    Install the AnchoreCLI using python-pip

    pip install anchorecli

    This command will download and install the files for the AnchoreCLI. After installation, we now need to source our .profile file to using the command

    source ~/.profile

    To verify if the installation is successful and version of the Anchorecli, use the command

    anchore-cli --version

    To check anchore-CLI system status, use the command

    anchore-cli --url http://localhost:8228/v1 --u admin --p foobar system status

    Please note that you must pass the Anchore engine URL, username, and password.

    Define Anchore Engine parameters

    By default, the AnchoreCLI will attempt to access the Anchore Engine without authentication. However, this will not work, and you need to provide the Anchore Engine credentials with every command.

    This involves passing the username, password, and URL parameters with every Anchore CLI command. Instead of providing these every time, the alternative is to define them as environmental variables in the following format.

    To pass the URL, run

    ANCHORE_CLI_URL=http://localhost:8228/v1

    This defines the Anchore Engine URL together with the port 8228, which it uses.

    Set the username and password using the default values; otherwise, replace them with the new values you set in Step 1.

    ANCHORE_CLI_USER=admin
    
    ANCHORE_CLI_PASS=foobar

    The above sets the parameters only for the current shell. To set the current shell and other processes that start from it, we use the export command

    export ANCHORE_CLI_URL
    
    export ANCHORE_CLI_USER
    
    export ANCHORE_CLI_PASS

    With the parameters defined, the AchoreCLI setup is complete, and you’ are ready to scan images.

    Step 4: — Adding and analyzing images

    Now that we have the Anchore Engine running and CLI configured, you will learn how to add and analyze the images for security issues. In this tutorial, we will analyze two images. -openjdk:8-jre-alpine with vulnerabilities and debian:latest without .

    Analyzing images

    To proceed, we need first to add the images to the engine. To add the images

    anchore-cli image add openjdk:8-jre-alpine

    Add stable image debian:latest

    anchore-cli image add docker.io/library/debian:latest

    Add more images

    anchore-cli image add openjdk:10-jdk
    
    anchore-cli image add openjdk:11-jdk

    After adding an image to the Anchore Engine, the analysis starts immediately. If there are several loaded images, they are put in a queue and analyzed one at a time. You can check the progress and see the list of loaded images together with their analysis status.

    To see the list, run the command

    anchore-cli image list  

    Output

    [email protected]:~/anchore$ anchore-cli image list
    Full Tag                   Image Digest                Analysis Status
    docker.io/openjdk:10-jdk     sha256:923d074ef1f4f0dceef68d9bad8be19c918d9ca8180a26b037e00576f24c2cb4analyzed
    docker.io/openjdk:11-jdk sha256:9923c0853475007397ed5c91438c12262476d99372d4cd4d7d44d05e9af5c077analyzed
    docker.io/openjdk:8-jre-alpine   sha256:b2ad93b079b1495488cc01375de799c402d45086015a120c105ea00e1be0fd52analyzed

    Depending on the number of images, size, and time elapsed after adding them, you will get analyzed for those complete, analyzing for those in progress and not analyzed for the queued images.

    Step 5: — Retrieve and view analysis results

    Once the analysis is complete, you can check the results and see the results for the vulnerability scans, policy checks, and other issues the engine has identified.

    To check results for the vulnerability scan on openjdk:8-jre-alpine vulnerable image

    Run

    anchore-cli image vuln openjdk:8-jre-alpine all

    Output

    [email protected]:~/anchore$ anchore-cli image vuln openjdk:8-jre-alpine all
    Vulnerability    IDPackage             Severity  Fix        CVE Refs Vulnerability URL
    CVE-2018-1000654 libtasn1-4.13-r0        High    4.14-r0      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000654
    CVE-2019-12900   libbz2-1.0.6-r6         High    1.0.6-r7     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
    CVE-2019-14697   musl-1.1.20-r4          High    1.1.20-r5    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697
    CVE-2019-14697   musl-utils-1.1.20-r4    High    1.1.20-r5    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697
    CVE-2019-8457    sqlite-libs-3.26.0-r3   High    3.28.0-r0    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
    CVE-2018-14498   libjpeg-turbo-1.5.3-r4  Medium  1.5.3-r5     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498

    The report shows the CVE identifier, the vulnerable package, severity, and whether there is a fix or not. For our image openjdk:8-jre-alpine, the analysis shows that it has five high vulnerabilities and quite a number of medium and negligible vulnerabilities. (some not shown above).

    To view vulnerabilities results for a stable image debian:latest

    Run the command

    anchore-cli image vuln docker.io/library/debian:latest all

    Output

    [email protected]:~/anchore$ anchore-cli image vuln debian:latest all
    Vulnerability  IDPackage         Severity   Fix   CVE RefsVulnerability URL
    CVE-2005-2541   tar-1.30+dfsg-6  Negligible None  https://security-tracker.debian.org/tracker/CVE-2005-2541
    CVE-2019-1010022libc-bin-2.28-10 Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010022
    CVE-2019-1010022libc6-2.28-10    Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010022
    CVE-2019-1010023libc-bin-2.28-10 Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010023
    CVE-2019-1010023libc6-2.28-10    Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010023
    CVE-2019-1010024libc-bin-2.28-10 Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010024

    As can be seen from the report, the image debian:latest has negligible vulnerabilities and no fixes.

    To see the policy evaluation results for the unstable image openjdk:8-jre-alpine

    run

    anchore-cli evaluate check openjdk:8-jre-alpine

    Output – The results show a fail

    [email protected]:~/anchore$ anchore-cli evaluate check openjdk:8-jre-alpine
    Image Digest: sha256:b2ad93b079b1495488cc01375de799c402d45086015a120c105ea00e1be0fd52
    Full Tag: docker.io/openjdk:8-jre-alpine
    Status: fail
    Last Eval: 2019-09-20T12:03:32Z
    Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

    The image openjdk:8-jre-alpine violates the specified policy ID (Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060) and therefore returns a Fail status.

    Now that we have seen how the Anchore Engine responds after detecting a policy violation, it is time to check if how it behaves with our stable image debian:latest.

    Policy check for debian:latest stable image

    anchore-cli evaluate check docker.io/library/debian:latest --detail
    
    [email protected]:~/anchore$ anchore-cli evaluate check docker.io/library/debian:latest --detail
    Image Digest: sha256:d3351d5bb795302c8207de4db9e0b6eb23bcbfd9cae5a90b89ca01f49d0f792d
    Full Tag: docker.io/library/debian:latest
    Image ID: c2c03a296d2329a4f3ab72a7bf38b78a8a80108204d326b0139d6af700e152d1
    Status: pass
    Last Eval: 2019-09-20T12:00:06Z
    Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
    Final Action: warn
    Final Action Reason: policy_evaluation
    Gate  TriggerDetail Status
    dockerfileinstructionDockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' checkwarn

    The results show a Pass status and a Final Action of Warn because of information mismatch with a Dockerfile directive. This does not fail but may require checking and addressing the issue.

    Configuring and using Anchore Container Image Scanner Plugin in Jenkins

    Step 6:— Add and configure the Anchore Container Image Scanner Plugin in Jenkins

    In this step, we will integrate the Anchor Engine with the Jenkins server. Jenkins is a java based, open-source server for automating a wide range of repetitive tasks in the software development cycle.

    The Anchore plugin is available in Jenkins but not installed by default.

    Log in to Jenkins using a web browser

    http://your_server_ip_or_domain:8080

    Enter the username and password.

    Go to Jenkins menu

    Locate and select Manage Jenkins

    Go to Manage Plugins

    On the Available tab, scroll down to Build Tools and select the Anchore Container Image Scanner

    Click the Install without restart option.

    After the successful installation of the Anchore Container Image Scanner plugin, the next step is to configure the credentials.

     

     

    Go to the Jenkins menu and select the Manage Jenkins tab.

    Open Configure system.

    Locate the Anchore configuration.

    Select Engine Mode

    Enter the Anchore Engine details (the engine URL, username and password, and port 8228 – the default port for the engine).

    URL – http://your_server_IP:8228/v1

    Enter the username = admin
    Enter the Password = foobar or new password if you changed it in Step 3 (above)

    Click Save

    Configure Anchore Plugin

    Step 8:— Adding and scanning images

    Click New Item at the Jenkins Dashboard on the top left menu

    This will open a screen with several options.
    Type the desired name for your test project in the Enter the item name field.

    In this project, we will use the Pipeline build.
    Select the Pipeline and click Ok.

     

    You are now ready to scan the images. In our case, we will use images already in the docker registry that is accessible by the Anchore Engine.

    To do this, you will add the pipeline script that will specify the image to scan.

    Step 9:— Add pipeline script

    Scroll down to the Pipeline section and add the script to specify the image to scan. We will start with the openjdk:8-jre-alpine which contains some vulnerabilities.

    node {
    def imageLine = 'openjdk:8-jre-alpine'`
    writeFile file: 'anchore_images', text: imageLine`
    anchore name: 'anchore_images'`
    }

    Click Save

    Step 10:— Run the build and review the scan reports

    From the Jenkins menu

    Click Build Now

    This will start the build process, which takes a few minutes depending on the image size. After completion, a number and a colored button will appear under the Build History. This will have a red color for Fail or Blue for Pass. Clicking the button will display more results.

    Step 11:— Review Results

    Click on Build # to view more details
    This opens a Console Output window indicating a failure – Anchore Report (FAIL)

    The detailed reports indicate whether the analysis was a Fail or a Pass and provide several reports showing the vulnerabilities, warnings, and others based on the configuration. By default, the plugin is configured to fail a build (Stop) whenever there are vulnerabilities. Below are the screenshots for the Policy and Security reports.

     

    Anchore Policy Evaluation summary

    Below is a screenshot of the Security results for the vulnerable image.

    Common Vulnerabilities and Exposures (CVE) List

    If we now scan a stable image, debian:latest, with no vulnerabilities, we get the results below.

    Anchore Policy Evaluation summary (Pass)

     

    Common Vulnerabilities and Exposures (CVE) List Pass 

    Conclusion

    The Anchore Container Image Scanner is a powerful image analysis tool that identifies a wide range of vulnerabilities and policy issues in Docker images. It has many customization options and can be configured on how to respond upon detecting issues during the analysis. One of these is to break the build when the engine encounters a severe vulnerability.

    If you are looking to build your career in DevSecOps, then check out this Udemy course.