Wow! It is raining container security suites now! Our last post was about Dockerscan, and this one is about Anchore, a robust container analysis, inspection and control system. An automated tweet went out and Scott Francis alerted me to this open source analysis system. I thought of checking it out, and here we are.
What is Anchore?
Anchore is an open source container inspection and analysis system, coded in Python, that gives you control over the contents of your containers by allowing you to run queries, produce reports and define policies that can be used in your Continuous Integration and Deployment (CI/CD) pipelines. It works with leading container and CI/CD platforms such as Docker, Kubernetes, Jenkins, CoreOS and Mesos. It is said that today over 30% of official images in Docker Hub contain high priority security vulnerabilities, and tools like this are thankfully there to reduce that number.
We all know that a container contains many shared libraries, modules and binaries in addition to the application. These modules may be outdated, contain vulnerabilities themselves or plainly be misconfigured. This is where Anchore comes into the picture. It inspects your container image and generates a detailed report of everything in it: official operating system packages, unofficial packages, configuration files, and language modules and artifacts such as NPM, Python pip, Ruby gem and Java archives. You can then formulate your own custom policies that specify what is to be done about these security vulnerabilities: whitelist or blacklist packages, check configuration file contents, detect credentials left in the image, flag changes to manifests or exposed ports, or any other check you might want to carry out. All of this can be caught and fixed early in the development lifecycle. In short, it gives you the ability to inspect, and evaluate policy against, the containers present on the local Docker host.
Installing Anchore is simple:
pip install anchore
That is all! This open source Python project is compatible with most systems that run, well, Python. But not Windows. On my Windows test machine, it installed/updated requests, args, clint, prettytable, backports.ssl-match-hostname, docker-pycreds, websocket-client and docker-py. It then errored out trying to os.path.join(os.getenv('HOME')). On *NIX based systems, you should then run:
anchore sync catalogue
This simply initializes the analysis system and downloads data such as CVE information, etc., for local storage. The further steps are pretty easy.
If you want to check if your images have any known CVE vulnerabilities, then you simply run:
anchore query cve-scan all
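As an added example (not code from the original post or from the Anchore project), here is a small shell CI gate that wraps the cve-scan query above and fails the build when the report lists High or Critical findings. It assumes the report is whitespace-separated with a header row containing a column named Vuln_Severity; check the layout your Anchore version actually prints before relying on it, and note that the sample report and its CVE ids are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example, not Anchore's own code: gate a CI build on `anchore query cve-scan all`.
# Assumption: whitespace-separated report with a header row that has a Vuln_Severity column.

# Count rows whose Vuln_Severity column is High or Critical; reads the report on stdin.
count_severe() {
  awk '
    NR == 1 { for (i = 1; i <= NF; i++) if ($i == "Vuln_Severity") col = i; next }
    col && ($col == "High" || $col == "Critical") { n++ }
    END { print n + 0 }'
}

# Gate: takes the report text, prints a verdict, returns non-zero on severe findings.
cve_gate() {
  local n
  n=$(printf '%s\n' "$1" | count_severe)
  if [ "$n" -gt 0 ]; then
    echo "FAIL: $n High/Critical CVE(s) found, blocking the build"
    return 1
  fi
  echo "PASS: no High/Critical CVEs"
}

# Constructed sample reports (CVE ids are placeholders, not real findings).
SAMPLE_REPORT='Image_ID  Repo_Tag      CVE_ID         Vuln_Severity  Package
abc123    myapp:latest  CVE-XXXX-0001  High           openssl-1.0.1
abc123    myapp:latest  CVE-XXXX-0002  Low            bash-4.3
abc123    myapp:latest  CVE-XXXX-0003  Critical       glibc-2.19'

CLEAN_REPORT='Image_ID  Repo_Tag      CVE_ID         Vuln_Severity  Package
abc123    myapp:latest  CVE-XXXX-0002  Low            bash-4.3'

# In a real pipeline step, feed the live scan instead of the sample:
#   cve_gate "$(anchore query cve-scan all)"
if [ "${1:-}" = "--demo" ]; then
  cve_gate "$SAMPLE_REPORT"
fi
```

Run with `--demo` to see the gate reject the constructed sample; wire the commented live invocation into the pipeline step that follows `anchore sync`.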
As an added plus, a few months ago the people behind this awesome tool made a nifty service, anchore.io, available. This service, again open source, allows you to perform deep inspection and analysis of container images online.
You can download or check out Anchore v1.1.2 from its GitHub archive here.