How to Install and use Anchore Container Image Security Scanner?

The Anchore Engine is an open-source tool for scanning and analyzing container images for security vulnerabilities and policy issues. It is available as a Docker container image that can run within an orchestration platform, or as a standalone installation.

This is a useful security tool that enables developers and QA teams to test, identify, and address vulnerabilities in the images they are using to create applications.

In this article, we will look at how to install and use the Anchore image vulnerability scanner. Generally, there are are several implementation methods. However, I will focus on the following two,

• Using the AnchoreCLI command-line option
• GUI based Jenkins Anchore Container Image Scanner plugin.

We will show you how to install, configure, and start the engine, configure and use the AnchoreCLI command-line tool as well as the Jenkins plugin. For each of the two methods, you will learn how to add the images to scan, perform the scan, and view reports.

At the end of the article, you will learn the following three things.

• Installing and configuring the Anchore Engine
• Installing, configuring and using AnchoreCLI
• Configuring and using Anchore Container Image Scanner Plugin in Jenkins

Prerequisites

The following are the requirements for this tutorial;

• A local or virtual machine with Ubuntu 18.04 and the following;
• Docker
• Docker-compose
• Jenkins Installed and running
• sudo user

Step 1:— Setup the working directories and download the configuration files.

Create a working directory for your Anchore files. Within that directory, you’ll create two subdirectories, one for the configuration, and one for the database.

Create a home directory for the Anchore files

mkdir anchore

Go to the new directory and create the configuration and database subdirectories.

cd anchore

mkdir config

mkdir db

Download the configuration files

Once the directories are ready, we will download two configuration files (docker-compose.yaml and config.yaml) from the Github project.

To download the docker-compose.yaml

Go to the anchore home directory and use the command

curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml > docker-compose.yaml

Then download the config.yaml to the ~/anchore/config directory

curl https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml -o ~/anchore/config/config.yaml

The config.yaml file is a configuration file with the basic settings that the anchore engine service requires to run. It has several parameters, including includes the default, log level, listening port, username, password, and others that you can adjust to meet specific requirements.

It is a good security practice to change the password, and you can do this by editing the config.yaml file. However, in this tutorial, we will use the default settings.

To continue with the default credentials, (username – admin and password – foobar), proceed to step 2.

Changing Anchore Engine credentials (optional)

From the anchore directory use the command

nano ~/anchore/config/config.yaml

Locate the username (admin) and password (foobar) and change to your preferred values.

Press CTRL + X, then Y to save and exit.

With the working directories and configuration files in place, the system is ready for the installation of the Anchore Engine.

Step 2: — Install and start the Anchore Engine

You will use the Docker compose to install and start the Anchore Engine and database.

From the anchore home directory, run.

docker-compose up -d

This will automatically pull the Anchore image and then create the Anchore engine and database in the home and ~/anchore/database/ directories respectively. Upon completion, the command will start the Anchore engine.

After successfully installing and starting the anchore engine, you can now scan the images using the anchore command line AnchoreCLI. However, you need first to install the AnchoreCLI command-line utility, as shown below.

Installing, configuring AnchoreCLI

In this step, you will learn how to install and configure the AnchoreCLI command-line tool.

Step 3: — Install AnchoreCLI

In this tutorial, we will first install the python-pip utility, which will then use to install the AnchoreCLI from the source.

To install Python pip. For to the Anchore home directory and run

sudo apt-get update
sudo apt-get install python-pip
sudo pip install --upgrade setuptools

Install the AnchoreCLI using python-pip

pip install anchorecli

This command will download and install the files for the AnchoreCLI. After installation, we now need to source our .profile file to using the command

source ~/.profile

To verify if the installation is successful and version of the Anchorecli, use the command

anchore-cli --version

To check anchore-CLI system status, use the command

anchore-cli --url http://localhost:8228/v1 --u admin --p foobar system status

Please note that you must pass the Anchore engine URL, username, and password.

Define Anchore Engine parameters

By default, the AnchoreCLI will attempt to access the Anchore Engine without authentication. However, this will not work, and you need to provide the Anchore Engine credentials with every command.

This involves passing the username, password, and URL parameters with every Anchore CLI command. Instead of providing these every time, the alternative is to define them as environmental variables in the following format.

To pass the URL, run

ANCHORE_CLI_URL=http://localhost:8228/v1

This defines the Anchore Engine URL together with the port 8228, which it uses.

Set the username and password using the default values; otherwise, replace them with the new values you set in Step 1.

ANCHORE_CLI_USER=admin

ANCHORE_CLI_PASS=foobar

The above sets the parameters only for the current shell. To set the current shell and other processes that start from it, we use the export command

export ANCHORE_CLI_URL

export ANCHORE_CLI_USER

export ANCHORE_CLI_PASS

With the parameters defined, the AchoreCLI setup is complete, and you’ are ready to scan images.

Step 4: — Adding and analyzing images

Now that we have the Anchore Engine running and CLI configured, you will learn how to add and analyze the images for security issues. In this tutorial, we will analyze two images. -openjdk:8-jre-alpine with vulnerabilities and debian:latest without .

Analyzing images

To proceed, we need first to add the images to the engine. To add the images

anchore-cli image add openjdk:8-jre-alpine

Add stable image debian:latest

anchore-cli image add docker.io/library/debian:latest

Add more images

anchore-cli image add openjdk:10-jdk

anchore-cli image add openjdk:11-jdk

After adding an image to the Anchore Engine, the analysis starts immediately. If there are several loaded images, they are put in a queue and analyzed one at a time. You can check the progress and see the list of loaded images together with their analysis status.

To see the list, run the command

anchore-cli image list  

Output

user1@Imagescan:~/anchore$ anchore-cli image list
Full Tag                   Image Digest                Analysis Status
docker.io/openjdk:10-jdk     sha256:923d074ef1f4f0dceef68d9bad8be19c918d9ca8180a26b037e00576f24c2cb4analyzed
docker.io/openjdk:11-jdk sha256:9923c0853475007397ed5c91438c12262476d99372d4cd4d7d44d05e9af5c077analyzed
docker.io/openjdk:8-jre-alpine   sha256:b2ad93b079b1495488cc01375de799c402d45086015a120c105ea00e1be0fd52analyzed

Depending on the number of images, size, and time elapsed after adding them, you will get analyzed for those complete, analyzing for those in progress and not analyzed for the queued images.

Step 5: — Retrieve and view analysis results

Once the analysis is complete, you can check the results and see the results for the vulnerability scans, policy checks, and other issues the engine has identified.

To check results for the vulnerability scan on openjdk:8-jre-alpine vulnerable image

Run

anchore-cli image vuln openjdk:8-jre-alpine all

Output

user1@Imagescan:~/anchore$ anchore-cli image vuln openjdk:8-jre-alpine all
Vulnerability    IDPackage             Severity  Fix        CVE Refs Vulnerability URL
CVE-2018-1000654 libtasn1-4.13-r0        High    4.14-r0      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-1000654
CVE-2019-12900   libbz2-1.0.6-r6         High    1.0.6-r7     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-12900
CVE-2019-14697   musl-1.1.20-r4          High    1.1.20-r5    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697
CVE-2019-14697   musl-utils-1.1.20-r4    High    1.1.20-r5    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-14697
CVE-2019-8457    sqlite-libs-3.26.0-r3   High    3.28.0-r0    http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-8457
CVE-2018-14498   libjpeg-turbo-1.5.3-r4  Medium  1.5.3-r5     http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-14498

The report shows the CVE identifier, the vulnerable package, severity, and whether there is a fix or not. For our image openjdk:8-jre-alpine, the analysis shows that it has five high vulnerabilities and quite a number of medium and negligible vulnerabilities. (some not shown above).

To view vulnerabilities results for a stable image debian:latest

Run the command

anchore-cli image vuln docker.io/library/debian:latest all

Output

user1@Imagescan:~/anchore$ anchore-cli image vuln debian:latest all
Vulnerability  IDPackage         Severity   Fix   CVE RefsVulnerability URL
CVE-2005-2541   tar-1.30+dfsg-6  Negligible None  https://security-tracker.debian.org/tracker/CVE-2005-2541
CVE-2019-1010022libc-bin-2.28-10 Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010022
CVE-2019-1010022libc6-2.28-10    Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010022
CVE-2019-1010023libc-bin-2.28-10 Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010023
CVE-2019-1010023libc6-2.28-10    Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010023
CVE-2019-1010024libc-bin-2.28-10 Negligible None  https://security-tracker.debian.org/tracker/CVE-2019-1010024

As can be seen from the report, the image debian:latest has negligible vulnerabilities and no fixes.

To see the policy evaluation results for the unstable image openjdk:8-jre-alpine

run

anchore-cli evaluate check openjdk:8-jre-alpine

Output – The results show a fail

user1@Imagescan:~/anchore$ anchore-cli evaluate check openjdk:8-jre-alpine
Image Digest: sha256:b2ad93b079b1495488cc01375de799c402d45086015a120c105ea00e1be0fd52
Full Tag: docker.io/openjdk:8-jre-alpine
Status: fail
Last Eval: 2019-09-20T12:03:32Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060

The image openjdk:8-jre-alpine violates the specified policy ID (Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060) and therefore returns a Fail status.

Now that we have seen how the Anchore Engine responds after detecting a policy violation, it is time to check if how it behaves with our stable image debian:latest.

Policy check for debian:latest stable image

anchore-cli evaluate check docker.io/library/debian:latest --detail

user1@Imagescan:~/anchore$ anchore-cli evaluate check docker.io/library/debian:latest --detail
Image Digest: sha256:d3351d5bb795302c8207de4db9e0b6eb23bcbfd9cae5a90b89ca01f49d0f792d
Full Tag: docker.io/library/debian:latest
Image ID: c2c03a296d2329a4f3ab72a7bf38b78a8a80108204d326b0139d6af700e152d1
Status: pass
Last Eval: 2019-09-20T12:00:06Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
Final Action: warn
Final Action Reason: policy_evaluation
Gate  TriggerDetail Status
dockerfileinstructionDockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' checkwarn

The results show a Pass status and a Final Action of Warn because of information mismatch with a Dockerfile directive. This does not fail but may require checking and addressing the issue.

Configuring and using Anchore Container Image Scanner Plugin in Jenkins

Step 6:— Add and configure the Anchore Container Image Scanner Plugin in Jenkins

In this step, we will integrate the Anchor Engine with the Jenkins server. Jenkins is a java based, open-source server for automating a wide range of repetitive tasks in the software development cycle.

The Anchore plugin is available in Jenkins but not installed by default.

Log in to Jenkins using a web browser

http://your_server_ip_or_domain:8080

Enter the username and password.

Go to Jenkins menu

Locate and select Manage Jenkins

Go to Manage Plugins

On the Available tab, scroll down to Build Tools and select the Anchore Container Image Scanner

Click the Install without restart option.

After the successful installation of the Anchore Container Image Scanner plugin, the next step is to configure the credentials.

Go to the Jenkins menu and select the Manage Jenkins tab.

Open Configure system.

Locate the Anchore configuration.

Select Engine Mode

Enter the Anchore Engine details (the engine URL, username and password, and port 8228 – the default port for the engine).

URL – http://your_server_IP:8228/v1

Enter the username = admin
Enter the Password = foobar or new password if you changed it in Step 3 (above)

Click Save

Configure Anchore Plugin

Step 8:— Adding and scanning images

Click New Item at the Jenkins Dashboard on the top left menu

This will open a screen with several options.
Type the desired name for your test project in the Enter the item name field.

In this project, we will use the Pipeline build.
Select the Pipeline and click Ok.

You are now ready to scan the images. In our case, we will use images already in the docker registry that is accessible by the Anchore Engine.

To do this, you will add the pipeline script that will specify the image to scan.

Step 9:— Add pipeline script

Scroll down to the Pipeline section and add the script to specify the image to scan. We will start with the openjdk:8-jre-alpine which contains some vulnerabilities.

node {
def imageLine = 'openjdk:8-jre-alpine'`
writeFile file: 'anchore_images', text: imageLine`
anchore name: 'anchore_images'`
}

Click Save

Step 10:— Run the build and review the scan reports

From the Jenkins menu

Click Build Now

This will start the build process, which takes a few minutes depending on the image size. After completion, a number and a colored button will appear under the Build History. This will have a red color for Fail or Blue for Pass. Clicking the button will display more results.

Step 11:— Review Results

Click on Build # to view more details
This opens a Console Output window indicating a failure – Anchore Report (FAIL)

The detailed reports indicate whether the analysis was a Fail or a Pass and provide several reports showing the vulnerabilities, warnings, and others based on the configuration. By default, the plugin is configured to fail a build (Stop) whenever there are vulnerabilities. Below are the screenshots for the Policy and Security reports.

Anchore Policy Evaluation summary

Below is a screenshot of the Security results for the vulnerable image.

Common Vulnerabilities and Exposures (CVE) List

If we now scan a stable image, debian:latest, with no vulnerabilities, we get the results below.

Anchore Policy Evaluation summary (Pass)

Common Vulnerabilities and Exposures (CVE) List Pass 

Conclusion

The Anchore Container Image Scanner is a powerful image analysis tool that identifies a wide range of vulnerabilities and policy issues in Docker images. It has many customization options and can be configured on how to respond upon detecting issues during the analysis. One of these is to break the build when the engine encounters a severe vulnerability.

If you are looking to build your career in DevSecOps, then check out this Udemy course.