{"id":365018,"date":"2021-11-10T16:00:03","date_gmt":"2021-11-10T13:00:03","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/how-to-security-scan-docker-images-with-anchore-cloudsavvy-it\/"},"modified":"2021-11-10T16:00:03","modified_gmt":"2021-11-10T13:00:03","slug":"how-to-security-scan-docker-images-with-anchore-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/how-to-security-scan-docker-images-with-anchore-cloudsavvy-it\/","title":{"rendered":"#How to Security Scan Docker Images With Anchore \u2013 CloudSavvy IT"},"content":{"rendered":"<p><strong>&#8220;#How to Security Scan Docker Images With Anchore \u2013 CloudSavvy IT&#8221;<\/strong><\/p>\n<div id=\"article-content-area\">\n<figure style=\"width: 1200px\" class=\"wp-caption aligncenter\"><img loading=\"lazy\" decoding=\"async\" class=\"type:primaryImage size-full wp-image-14545\" srcset=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/1239c52c.png?width=398&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 400w, https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/1239c52c.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1 1200w\" sizes=\"auto, 400w, 1200w\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/1239c52c.png?width=1198&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"Graphic photo showing a finger pointing at a padlock symbol\" width=\"1200\" height=\"675\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><figcaption class=\"wp-caption-text\"><span class=\"type:primaryImage imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/cyber-security-information-privacy-data-protection-1362102515\">Wright Studio\/Shutterstock.com<\/a><\/span><\/figcaption><\/figure>\n<p>Anchore Engine is an open-source scanning tool that assesses the security of your Docker images. An Anchore report gives you insights into outdated package versions and lurking vulnerabilities in dependencies.<\/p>\n<p>You\u2019ll need to build your Docker image and push it to a registry before you can scan it. 
Anchore uses Dockerfiles when available to identify possible configuration issues, but relies on scanning built images when compiling vulnerability lists.<\/p>\n<h2 id=\"anchores-architecture\"><span class=\"ez-toc-section\" id=\"Anchores_Architecture\"><\/span>Anchore\u2019s Architecture<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Setting up Anchore historically required a dedicated installation of Anchore Engine that operated independently of your image build environment. A separate CLI let you interact with the Engine.<\/p>\n<p>This model requires a sequence of CLI commands to register an image with Anchore, start a scan, and access the results. The steps take Anchore through pulling your image from your registry, generating a report, and making it available for consumption.<\/p>\n<p>Anchore now offers inline scans too. These give you a single command to scan an image and get the results in your terminal. We\u2019ll focus on this capability within this article.<\/p>\n<h2 id=\"running-the-inline-script\"><span class=\"ez-toc-section\" id=\"Running_the_Inline_Script\"><\/span>Running the Inline Script<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Inline scans are provided by a Bash script hosted on Anchore\u2019s server. 
Download the script to your machine and make it executable:<\/p>\n<pre>curl -s https:\/\/ci-tools.anchore.io\/inline_scan-latest -o anchore.sh&#13;\nchmod +x anchore.sh<\/pre>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14547\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/530c00fe.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"739\" height=\"672\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Now you can use the inline script to start a scan of a container image:<\/p>\n<pre>.\/anchore.sh -r alpine:latest<\/pre>\n<p>The first scan may take a while. The script will pull the Anchore Engine Docker image, start a new Anchore instance, and configure PostgreSQL and a Docker registry instance. It\u2019ll then wait for Anchore Engine to start.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14548\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/839d6914.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"705\" height=\"335\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Once the engine\u2019s running, the target Docker image will be pulled and analyzed. You\u2019ll then see the security report displayed in your terminal. 
The script will finish by cleaning up the environment and stopping the Anchore Engine Docker container.<\/p>\n<h2 id=\"scan-results\"><span class=\"ez-toc-section\" id=\"Scan_Results\"><\/span>Scan Results<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Scan results include metadata about the image followed by a table of found issues. Anchore analyzes the image against its configured policies. The default set looks for known vulnerabilities in software packages and potential problems with the Dockerfile used to build the image.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14549\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/59470456.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"1819\" height=\"389\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>The overall scan result is shown in the <code>Status<\/code> line above the vulnerabilities table. If you see <code>pass<\/code>, the image satisfied all of Anchore\u2019s configured policies and Anchore considers it ready for production use. A <code>fail<\/code> means you should review the faults and remedy them where possible.<\/p>\n<p>Each found vulnerability includes a rating of its severity from <code>LOW<\/code> to <code>CRITICAL<\/code>. Issues with a CVE ID include a link to view the details on the MITRE website.<\/p>\n<h2 id=\"generating-report-files\"><span class=\"ez-toc-section\" id=\"Generating_Report_Files\"><\/span>Generating Report Files<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>While the default output table works well for human consumption, Anchore can also produce JSON report files which you can archive or feed into other tools. 
Add the <code>-r<\/code> flag when you run the scan script to enable this feature.<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"aligncenter size-full wp-image-14550\" src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/e936d408.png?trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"840\" height=\"724\" onload=\"pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\" onerror=\"this.onerror=null;pagespeed.lazyLoadImages.loadIfVisibleAndMaybeBeacon(this);\"\/><\/p>\n<p>Anchore will write reports into <code>anchore-reports<\/code> within your working directory. Each scan produces a set of JSON files pertaining to different sections of the report, such as vulnerabilities, OS packages, and policy requirements.<\/p>\n<p>Inspecting the files gives you detailed information about each finding, providing much more data than the terminal output offers. This extends to CVSS scores, precise package versions, and the vendor\u2019s indication of whether a fix will be produced.<\/p>\n<h2 id=\"scanning-saved-image-archives\"><span class=\"ez-toc-section\" id=\"Scanning_Saved_Image_Archives\"><\/span>Scanning Saved Image Archives<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Anchore can scan directories of saved Docker image archives as well as actual images residing in registries. Export a set of Docker images using <code>docker save<\/code>, place them in a directory, then use the <code>-v<\/code> argument to make the Anchore script scan those archives:<\/p>\n<pre>docker save my-image:latest -o docker-images\/my-image&#13;\n.\/anchore.sh -v docker-images<\/pre>\n<h2 id=\"supplying-the-images-dockerfile\"><span class=\"ez-toc-section\" id=\"Supplying_The_Images_Dockerfile\"><\/span>Supplying The Image\u2019s Dockerfile<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>The inline script accepts a <code>-d<\/code> argument which lets you provide the path to a local Dockerfile. 
Anchore will check both the built image and the Dockerfile, enabling identification of build-time issues which could affect the image\u2019s security posture. As with the other flags, pass the option before the image name:<\/p>\n<pre>.\/anchore.sh -d \/dockerfiles\/my-image my-image:latest<\/pre>\n<h2 id=\"using-custom-policies\"><span class=\"ez-toc-section\" id=\"Using_Custom_Policies\"><\/span>Using Custom Policies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Anchore is extensible through the use of custom policy sets. Policies are created from a combination of \u201cgates,\u201d \u201ctriggers,\u201d and \u201cactions.\u201d These let you <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/anchore.com\/blog\/creating-policies\">build rules<\/a> that audit container images against your precise security requirements.<\/p>\n<p>Each policy\u2019s gate produces one of three actions: \u201cgo,\u201d a pass that lets the scan proceed; \u201cwarn,\u201d allowing the run to continue but with a warning; and \u201cstop,\u201d indicating the image should not be further processed.<\/p>\n<p>Policies are packaged as \u201cbundles\u201d which map sets of rules to the registries and images they apply to. You can add a policy bundle to your scan by passing the <code>-b<\/code> flag when running the script:<\/p>\n<pre>.\/anchore.sh -b policy-bundle.json my-image:latest<\/pre>\n<p>This will include your custom policies, giving you confidence the image meets your own security standards.<\/p>\n<p>Here\u2019s a simplistic policy which emits a warning if you don\u2019t provide a Dockerfile to Anchore using the <code>-d<\/code> flag described above. 
Supplying the Dockerfile used to build the image gives Anchore the broadest possible coverage, so it makes sense to warn when none is given.<\/p>\n<div class=\"wp-geshi-highlight-wrap5\">\n<div class=\"wp-geshi-highlight-wrap4\">\n<div class=\"wp-geshi-highlight-wrap3\">\n<div class=\"wp-geshi-highlight-wrap2\">\n<div class=\"wp-geshi-highlight-wrap\">\n<div class=\"wp-geshi-highlight\">\n<div class=\"json\">\n<pre class=\"de1\">{&#13;\n    \"action\": \"WARN\",&#13;\n    \"comment\": \"No Dockerfile given!\",&#13;\n    \"gate\": \"dockerfile\",&#13;\n    \"params\": [],&#13;\n    \"trigger\": \"no_dockerfile_provided\"&#13;\n}<\/pre>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<p>This policy applies to the <code>dockerfile<\/code> gate, where Anchore checks whether your Dockerfile meets best-practice standards. Anchore fires the <code>no_dockerfile_provided<\/code> trigger when a scan is initiated without the image\u2019s Dockerfile.<\/p>\n<h2 id=\"conclusion\"><span class=\"ez-toc-section\" id=\"Conclusion\"><\/span>Conclusion<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Anchore lets you generate security reports for Docker images by scanning for outdated software packages, known vulnerabilities, Dockerfile configuration issues, and other possible problem sources. You can write your own policy sets to customize what gets checked and align Anchore with your security standards.<\/p>\n<p>Although Anchore uses a client-server architecture, the project\u2019s \u201cinline\u201d script abstracts away the installation complexity so you can quickly scan local images and get the report straight in your terminal. If you\u2019ll be using Anchore regularly, or scanning images in your CI\/CD pipelines, it\u2019s still best to <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/github.com\/anchore\/anchore-engine#cli-quick-start-tldr\">deploy a dedicated<\/a> Anchore Engine instance, then use the CLI to produce reports. 
This does require a multi-stage process for each scan, but it also gives you more flexibility when accessing report sections and syncing vulnerability data feeds.<\/p>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/14544\/how-to-security-scan-docker-images-with-anchore\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#How to Security Scan Docker Images With Anchore \u2013 CloudSavvy IT&#8221; Wright Studio\/Shutterstock.com Anchore Engine is an open-source scanning tool that assesses the security of your Docker images. An Anchore report gives you insights into outdated package versions and lurking vulnerabilities in dependencies. 
You\u2019ll need to build your Docker image and push it to a&#8230;<\/p>\n","protected":false},"author":1,"featured_media":365019,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/10\/1239c52c.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-365018","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/365018","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=365018"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/365018\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/365019"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=365018"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=365018"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=365018"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}