The Anchore Engine is an open-source tool for scanning and analyzing container images for security vulnerabilities and policy issues. It is available as a Docker container image that can run within an orchestration platform, or as a standalone installation.
This is a useful security tool that enables developers and QA teams to test, identify, and address vulnerabilities in the images they are using to create applications.
In this article, we will look at how to install and use the Anchore image vulnerability scanner. Generally, there are are several implementation methods. However, I will focus on the following two,
- Using the AnchoreCLI command-line option
- GUI based Jenkins Anchore Container Image Scanner plugin.
We will show you how to install, configure, and start the engine, configure and use the AnchoreCLI command-line tool as well as the Jenkins plugin. For each of the two methods, you will learn how to add the images to scan, perform the scan, and view reports.
At the end of the article, you will learn the following three things.
- Installing and configuring the Anchore Engine
- Installing, configuring and using AnchoreCLI
- Configuring and using Anchore Container Image Scanner Plugin in Jenkins
Prerequisites
The following are the requirements for this tutorial;
- A local or virtual machine with Ubuntu 18.04 and the following;
- Docker
- Docker-compose
- Jenkins Installed and running
- sudo user
Step 1:— Setup the working directories and download the configuration files.
Create a working directory for your Anchore files. Within that directory, you’ll create two subdirectories, one for the configuration, and one for the database.
Create a home directory for the Anchore files
mkdir anchore
Go to the new directory and create the configuration and database subdirectories.
cd anchore
mkdir config
mkdir db
Download the configuration files
Once the directories are ready, we will download two configuration files (docker-compose.yaml
and config.yaml
) from the Github project.
To download the docker-compose.yaml
Go to the anchore home directory and use the command
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml > docker-compose.yaml
Then download the config.yaml to the ~/anchore/config
directory
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml -o ~/anchore/config/config.yaml
The config.yaml
file is a configuration file with the basic settings that the anchore engine service requires to run. It has several parameters, including includes the default, log level, listening port, username, password, and others that you can adjust to meet specific requirements.
It is a good security practice to change the password, and you can do this by editing the config.yaml
file. However, in this tutorial, we will use the default settings.
To continue with the default credentials, (username
– admin and password
– foobar), proceed to step 2.
Changing Anchore Engine credentials (optional)
From the anchore directory use the command
nano ~/anchore/config/config.yaml
Locate the username (admin) and password (foobar) and change to your preferred values.
Press CTRL + X, then Y to save and exit.
With the working directories and configuration files in place, the system is ready for the installation of the Anchore Engine.
Step 2: — Install and start the Anchore Engine
You will use the Docker compose to install and start the Anchore Engine and database.
From the anchore home directory, run.
docker-compose up -d
This will automatically pull the Anchore image and then create the Anchore engine and database in the home and ~/anchore/database/ directories respectively. Upon completion, the command will start the Anchore engine.
After successfully installing and starting the anchore engine, you can now scan the images using the anchore command line AnchoreCLI. However, you need first to install the AnchoreCLI command-line utility, as shown below.
Installing, configuring AnchoreCLI
In this step, you will learn how to install and configure the AnchoreCLI command-line tool.
Step 3: — Install AnchoreCLI
In this tutorial, we will first install the python-pip utility, which will then use to install the AnchoreCLI from the source.
To install Python pip. For to the Anchore home directory and run
sudo apt-get update
sudo apt-get install python-pip
sudo pip install --upgrade setuptools
Install the AnchoreCLI using python-pip
pip install anchorecli
This command will download and install the files for the AnchoreCLI. After installation, we now need to source our .profile file to using the command
source ~/.profile
To verify if the installation is successful and version of the Anchorecli
, use the command
anchore-cli --version
To check anchore-CLI system status, use the command
anchore-cli --url http://localhost:8228/v1 --u admin --p foobar system status
Please note that you must pass the Anchore engine URL, username, and password.
Define Anchore Engine parameters
By default, the AnchoreCLI will attempt to access the Anchore Engine without authentication. However, this will not work, and you need to provide the Anchore Engine credentials with every command.
This involves passing the username, password, and URL parameters with every Anchore CLI command. Instead of providing these every time, the alternative is to define them as environmental variables in the following format.
To pass the URL, run
ANCHORE_CLI_URL=http://localhost:8228/v1
This defines the Anchore Engine URL together with the port 8228, which it uses.
Set the username and password using the default values; otherwise, replace them with the new values you set in Step 1.
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=foobar
The above sets the parameters only for the current shell. To set the current shell and other processes that start from it, we use the export command
export ANCHORE_CLI_URL
export ANCHORE_CLI_USER
export ANCHORE_CLI_PASS
With the parameters defined, the AchoreCLI setup is complete, and you’ are ready to scan images.
Step 4: — Adding and analyzing images
Now that we have the Anchore Engine running and CLI configured, you will learn how to add and analyze the images for security issues. In this tutorial, we will analyze two images. -openjdk:8-jre-alpine
with vulnerabilities and debian:latest without
.
Analyzing images
To proceed, we need first to add the images to the engine. To add the images
anchore-cli image add openjdk:8-jre-alpine
Add stable image debian:latest
anchore-cli image add docker.io/library/debian:latest
Add more images
anchore-cli image add openjdk:10-jdk
anchore-cli image add openjdk:11-jdk
After adding an image to the Anchore Engine, the analysis starts immediately. If there are several loaded images, they are put in a queue and analyzed one at a time. You can check the progress and see the list of loaded images together with their analysis status.
To see the list, run the command
anchore-cli image list
Output
user1@Imagescan:~/anchore$ anchore-cli image list
Full Tag Image Digest Analysis Status
docker.io/openjdk:10-jdk sha256:923d074ef1f4f0dceef68d9bad8be19c918d9ca8180a26b037e00576f24c2cb4analyzed
docker.io/openjdk:11-jdk sha256:9923c0853475007397ed5c91438c12262476d99372d4cd4d7d44d05e9af5c077analyzed
docker.io/openjdk:8-jre-alpine sha256:b2ad93b079b1495488cc01375de799c402d45086015a120c105ea00e1be0fd52analyzed
Depending on the number of images, size, and time elapsed after adding them, you will get analyzed for those complete, analyzing for those in progress and not analyzed for the queued images.
Step 5: — Retrieve and view analysis results
Once the analysis is complete, you can check the results and see the results for the vulnerability scans, policy checks, and other issues the engine has identified.
To check results for the vulnerability scan on openjdk:8-jre-alpine
vulnerable image
Run
anchore-cli image vuln openjdk:8-jre-alpine all
Output
user1@Imagescan:~/anchore$ anchore-cli image vuln openjdk:8-jre-alpine all
Vulnerability IDPackage Severity Fix CVE Refs Vulnerability URL
CVE-2018-1000654 libtasn1-4.13-r0 High 4.14-r0 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000654
CVE-2019-12900 libbz2-1.0.6-r6 High 1.0.6-r7 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
CVE-2019-14697 musl-1.1.20-r4 High 1.1.20-r5 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697
CVE-2019-14697 musl-utils-1.1.20-r4 High 1.1.20-r5 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697
CVE-2019-8457 sqlite-libs-3.26.0-r3 High 3.28.0-r0 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
CVE-2018-14498 libjpeg-turbo-1.5.3-r4 Medium 1.5.3-r5 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498
The report shows the CVE identifier, the vulnerable package, severity, and whether there is a fix or not. For our image openjdk:8-jre-alpine, the analysis shows that it has five high vulnerabilities and quite a number of medium and negligible vulnerabilities. (some not shown above).
To view vulnerabilities results for a stable image debian:latest
Run the command
anchore-cli image vuln docker.io/library/debian:latest all
Output
user1@Imagescan:~/anchore$ anchore-cli image vuln debian:latest all
Vulnerability IDPackage Severity Fix CVE RefsVulnerability URL
CVE-2005-2541 tar-1.30+dfsg-6 Negligible None https://security-tracker.debian.org/tracker/CVE-2005-2541
CVE-2019-1010022libc-bin-2.28-10 Negligible None https://security-tracker.debian.org/tracker/CVE-2019-1010022
CVE-2019-1010022libc6-2.28-10 Negligible None https://security-tracker.debian.org/tracker/CVE-2019-1010022
CVE-2019-1010023libc-bin-2.28-10 Negligible None https://security-tracker.debian.org/tracker/CVE-2019-1010023
CVE-2019-1010023libc6-2.28-10 Negligible None https://security-tracker.debian.org/tracker/CVE-2019-1010023
CVE-2019-1010024libc-bin-2.28-10 Negligible None https://security-tracker.debian.org/tracker/CVE-2019-1010024
As can be seen from the report, the image debian:latest has negligible vulnerabilities and no fixes.
To see the policy evaluation results for the unstable image openjdk:8-jre-alpine
run
anchore-cli evaluate check openjdk:8-jre-alpine
Output – The results show a fail
user1@Imagescan:~/anchore$ anchore-cli evaluate check openjdk:8-jre-alpine
Image Digest: sha256:b2ad93b079b1495488cc01375de799c402d45086015a120c105ea00e1be0fd52
Full Tag: docker.io/openjdk:8-jre-alpine
Status: fail
Last Eval: 2019-09-20T12:03:32Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
The image openjdk:8-jre-alpine violates the specified policy ID (Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
) and therefore returns a Fail status.
Now that we have seen how the Anchore Engine responds after detecting a policy violation, it is time to check if how it behaves with our stable image debian:latest.
Policy check for debian:latest
stable image
anchore-cli evaluate check docker.io/library/debian:latest --detail
user1@Imagescan:~/anchore$ anchore-cli evaluate check docker.io/library/debian:latest --detail
Image Digest: sha256:d3351d5bb795302c8207de4db9e0b6eb23bcbfd9cae5a90b89ca01f49d0f792d
Full Tag: docker.io/library/debian:latest
Image ID: c2c03a296d2329a4f3ab72a7bf38b78a8a80108204d326b0139d6af700e152d1
Status: pass
Last Eval: 2019-09-20T12:00:06Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
Final Action: warn
Final Action Reason: policy_evaluation
Gate TriggerDetail Status
dockerfileinstructionDockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' checkwarn
The results show a Pass
status and a Final Action of Warn
because of information mismatch with a Dockerfile directive. This does not fail but may require checking and addressing the issue.
Configuring and using Anchore Container Image Scanner Plugin in Jenkins
Step 6:— Add and configure the Anchore Container Image Scanner Plugin in Jenkins
In this step, we will integrate the Anchor Engine with the Jenkins server. Jenkins is a java based, open-source server for automating a wide range of repetitive tasks in the software development cycle.
The Anchore plugin is available in Jenkins but not installed by default.
Log in to Jenkins using a web browser
http://your_server_ip_or_domain:8080
Enter the username
and password
.
Go to Jenkins menu
Locate and select Manage Jenkins
Go to Manage Plugins
On the Available tab, scroll down to Build Tools and select the Anchore Container Image Scanner
Click the Install without restart option.
After the successful installation of the Anchore Container Image Scanner plugin, the next step is to configure the credentials.
Go to the Jenkins menu and select the Manage Jenkins tab.
Open Configure system.
Locate the Anchore configuration.
Select Engine Mode
Enter the Anchore Engine details (the engine URL
, username
and password
, and port 8228
– the default port for the engine).
URL – http://your_server_IP:8228/v1
Enter the username
= admin
Enter the Password
= foobar or new password if you changed it in Step 3 (above)
Click Save
Configure Anchore Plugin
Step 8:— Adding and scanning images
Click New Item at the Jenkins Dashboard on the top left menu
This will open a screen with several options.
Type the desired name for your test project in the Enter the item name field.
In this project, we will use the Pipeline build.
Select the Pipeline and click Ok.
You are now ready to scan the images. In our case, we will use images already in the docker registry that is accessible by the Anchore Engine.
To do this, you will add the pipeline script that will specify the image to scan.
Step 9:— Add pipeline script
Scroll down to the Pipeline section and add the script to specify the image to scan. We will start with the openjdk:8-jre-alpine
which contains some vulnerabilities.
node {
def imageLine = 'openjdk:8-jre-alpine'`
writeFile file: 'anchore_images', text: imageLine`
anchore name: 'anchore_images'`
}
Click Save
Step 10:— Run the build and review the scan reports
From the Jenkins menu
Click Build Now
This will start the build process, which takes a few minutes depending on the image size. After completion, a number and a colored button will appear under the Build History. This will have a red color for Fail or Blue for Pass. Clicking the button will display more results.
Step 11:— Review Results
Click on Build # to view more details
This opens a Console Output window indicating a failure – Anchore Report (FAIL)
The detailed reports indicate whether the analysis was a Fail or a Pass and provide several reports showing the vulnerabilities, warnings, and others based on the configuration. By default, the plugin is configured to fail a build (Stop) whenever there are vulnerabilities. Below are the screenshots for the Policy and Security reports.
Anchore Policy Evaluation summary
Below is a screenshot of the Security results for the vulnerable image.
Common Vulnerabilities and Exposures (CVE) List
If we now scan a stable image, debian:latest
, with no vulnerabilities, we get the results below.
Anchore Policy Evaluation summary (Pass)
Common Vulnerabilities and Exposures (CVE) List Pass
Conclusion
The Anchore Container Image Scanner is a powerful image analysis tool that identifies a wide range of vulnerabilities and policy issues in Docker images. It has many customization options and can be configured on how to respond upon detecting issues during the analysis. One of these is to break the build when the engine encounters a severe vulnerability.
If you are looking to build your career in DevSecOps, then check out this Udemy course.