Wow! It is raining container security suites now! Our last post was about Dockerscan, and this one is about Anchore, a robust container analysis, inspection and control system. An automated tweet went out and Scott Francis alerted me about Anchore. I thought of checking it out and here we are.
What is Anchore?
Anchore is an open source container inspection and analysis system, coded in Python, that gives you control over the contents of your containers by letting you run queries, produce reports and define policies that can be enforced in your Continuous Integration and Deployment (CI/CD) pipelines. It works with leading CI/CD platforms such as Docker, Kubernetes, Jenkins, CoreOS & Mesos.
We all know that a container contains many shared libraries, modules and binaries in addition to the application. These modules may be outdated, contain vulnerabilities themselves or simply be misconfigured. This is where Anchore comes into the picture. It inspects your container image and generates a detailed report of everything in it: official operating system packages, unofficial packages, configuration files, and language modules and artifacts such as NPM, Python pip, Ruby gem and Java archives. You can then formulate your own custom policies that specify what is to be done about these security vulnerabilities, whitelist or blacklist packages, check configuration file contents, detect credentials left in the image, flag changes to manifests or exposed ports, or any other check you might want to carry out. All of this can be caught and fixed early in the development lifecycle, thanks to Anchore.
Installing Anchore is simple:
pip install anchore
That is all! This open source Python project is compatible with most systems that run, well, Python, but not Windows. On my Windows test machine, it installed/updated the requests, args, clint, prettytable, backports.ssl-match-hostname, docker-pycreds, websocket-client, docker-py and anchore packages. It then errored out trying to os.path.join(os.getenv('HOME'). On *NIX based systems, you should then run:
anchore sync catalogue
This simply initializes the analysis system and downloads data such as CVE information, etc., for local storage. The remaining steps are pretty easy.
If you want to check if your images have any known CVE vulnerabilities, then you simply run:
anchore query cve-scan all
As an added plus, a few months ago the people behind Anchore made anchore.io available. This service, again open source, allows you to perform deep inspection and analysis of container images online.
You can download or check out Anchore v1.1.2 from its GitHub archive here.