Docker images are files used to execute code to run an application in docker containers. This file contains source code, libraries, dependencies, tools, and other configuration files required for an application to run. They are all packed as one in a way that the images are independent of any host resources apart from the kernel. As Docker images represent an application and its environment at a specific point in time, they are also referred to as snapshots. These snapshots may at one point become outdated and contain files that are corrupted which can cause harm to the host systems when they are deployed.<\/p>\n\n\n\n
This makes Docker images also prone to vulnerabilities. Another option for causing vulnerabilities would be sometimes the images are packed with a lot of files due to their read-only state making several files unnecessary for the application which can increase the risk surface of being corrupted. Due to this, several tools are available to help in scanning for vulnerabilities in the docker images and sometimes detect them even before deploying the images. The most popular one is the Docker scan utility tool. But in this guide, we are going to deal with the Anchore Engine.<\/p>\n\n\n\n
Anchore Engine is an open-source project that provides a centralized way of carrying out inspection, analysis, and certification of docker containers. It comes as a docker image that can be run as a standalone or on any orchestration platform like Kubernetes, Rancher, or Amazon ECS. It evaluates container images against a vulnerability database after they are analyzed from Docker V2-compatible container registries.<\/p>\n\n\n\n
Anchore Engine can be accessed directly through a RESTful API or via the Anchore CLI to manage and inspect images, policies, subscriptions, and registries. Anchore Engine supports different Operating systems including Alpine, Amazon Linux 2, CentOS, Debian, Google Distroless, Oracle Linux, Red Hat Enterprise Linux, Red Hat Universal Base Image (UBI), and Ubuntu. The supported packages are; GEM, Java Archive (jar, ar, ear), NPM, Python (PIP), and Go Modules.<\/p>\n\n\n\n
Anchore Engine is available as a docker image from the DockerHub.<\/p>\n\n\n\n
A stand-alone installation requires at least 4GB of RAM with enough disk space available at least 3x the size of the container to analyze.<\/p>\n\n\n\n
You should have Docker and Docker Compose installed on your system.<\/p>\n\n\n\n
Add your user account to Anchore Engine uses the PostgreSQL database of version 9.6 or higher to provide persistent storage.<\/p>\n\n\n\n Set up the working directories which include the home directory for anchore, the configuration file directory, and the database directory.<\/p>\n\n\n\n Download the configuration files<\/p>\n\n\n\n Download Compose fole Anchore Engine with the following command.<\/p>\n\n\n\n Use the following command which will pull the images for Anchore and PostgreSQL.<\/p>\n\n\n\n You can change the default Anchore credentials from the configuration file.<\/p>\n\n\n\n But in this guide, we will use the default username admin<\/strong> and password foobar<\/strong>.<\/p>\n\n\n\n Start up the service:<\/p>\n\n\n\n Verify the service is running with the following command.<\/p>\n\n\n\n Anchore CLI provides an easy way to control and interact with Anchore Engine to manage and inspect images, policies, subscriptions, and registries for the supported operating systems. To install Anchore CLI, run the following command:<\/p>\n\n\n\n The Anchore CLI will try to connect to the Anchore Engine at http:\/\/localhost\/v1<\/strong> with no authentication. But this will not work. Pass the Anchore Engine CLI credentials and store them as environment variables to avoid passing them with every Anchore CLI command.<\/p>\n\n\n\n If you changed the default credentials, remember to replace them here.<\/p>\n\n\n\n Source our profile to use the command.<\/p>\n\n\n\n Verify the successful installation.<\/p>\n\n\n\n To get the status of the Anchore Engine services run the following command<\/p>\n\n\n\n You can check the status of your feed with the following command. The RecordCount values should be greater than 0 (zero) to confirm the system is fully populated and ready to present vulnerability results.<\/p>\n\n\n\n For Integrated monitoring using Prometheus check;<\/p>\n\n\n\n To add an image to the Anchore Engine use the following command:<\/p>\n\n\n\n To Wait for the image to move to the ‘analyzed’ state:<\/p>\n\n\n\n List images analyzed by the Anchore Engine:<\/p>\n\n\n\n Get image overview and summary information:<\/p>\n\n\n\n Perform a vulnerability scan on an image:<\/p>\n\n\n\n Perform a policy evaluation on an image:<\/p>\n\n\n\n List operating system packages present in an image:<\/p>\n\n\n\n Anchore Engine can be deployed on a variety of operating systems as it comes as a docker image. This means it is lightweight and does not take up most of your system resources. The latest version 1.0 is considered feature complete and with it, you will receive updated vulnerability data. It is an automated system that allows you to inspect, analyze and evaluate images against user-defined checks and provide evaluation results for each image with a pass or fail.<\/p>\n\n\n\n Docker images are files used to execute code to run an application in docker containers. This file contains source code, libraries, dependencies, tools, and other configuration files required for an application to run. They are all packed as one in a way that the images are independent of any host resources apart from the kernel. … Read more<\/a><\/p>\n","protected":false},"author":3,"featured_media":75717,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[316,299,47,50,86],"tags":[39266,19410],"class_list":["post-64535","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-containers","category-how-to","category-linux","category-linux-tutorials","category-virtualization","tag-anchore-engine","tag-docker-images"],"_links":{"self":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/64535","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/comments?post=64535"}],"version-history":[{"count":0,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/posts\/64535\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media\/75717"}],"wp:attachment":[{"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/media?parent=64535"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/categories?post=64535"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/computingforgeeks.com\/wp-json\/wp\/v2\/tags?post=64535"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}docker<\/code> group.<\/p>\n\n\n\nsudo usermod -aG docker $USER\nnewgrp docker<\/code><\/pre>\n\n\n\nInstall Anchore Engine<\/h4>\n\n\n\n
mkdir -p ~\/anchore\/{db,config}<\/code><\/pre>\n\n\n\ncd ~\/anchore\/config\ncurl -O https:\/\/engine.anchore.io\/docs\/quickstart\/anchore-prometheus.yml<\/code><\/pre>\n\n\n\ncd ~\/anchore\/\ncurl -O https:\/\/engine.anchore.io\/docs\/quickstart\/docker-compose.yaml<\/code><\/pre>\n\n\n\ndocker compose pull<\/code><\/pre>\n\n\n\nvim docker-compose.yaml<\/code><\/pre>\n\n\n\n$ docker compose up -d<\/strong><\/mark>\n[+] Running 8\/8\n \u283f Network anchore_default Created 0.1s\n \u283f Volume \"anchore_anchore-db-volume\" Created 0.0s\n \u283f Container anchore-db-1 Started 2.4s\n \u283f Container anchore-catalog-1 Started 0.9s\n \u283f Container anchore-queue-1 Started 2.3s\n \u283f Container anchore-policy-engine-1 Started 2.7s\n \u283f Container anchore-analyzer-1 Started 2.6s\n \u283f Container anchore-api-1 Started 2.7s<\/code><\/pre>\n\n\n\n$ docker compose ps<\/strong><\/mark>\nNAME COMMAND SERVICE STATUS PORTS\nanchore-analyzer-1 \"\/docker-entrypoint.\u2026\" analyzer running (starting) 8228\/tcp\nanchore-api-1 \"\/docker-entrypoint.\u2026\" api running (starting) 0.0.0.0:8228->8228\/tcp, :::8228->8228\/tcp\nanchore-catalog-1 \"\/docker-entrypoint.\u2026\" catalog running (starting) 8228\/tcp\nanchore-db-1 \"docker-entrypoint.s\u2026\" db running (starting) 5432\/tcp\nanchore-policy-engine-1 \"\/docker-entrypoint.\u2026\" policy-engine running (starting) 8228\/tcp\nanchore-queue-1 \"\/docker-entrypoint.\u2026\" queue running (starting) 8228\/tcp\n<\/code><\/pre>\n\n\n\nInstall Anchore CLI<\/h4>\n\n\n\n
git clone https:\/\/github.com\/anchore\/anchore-cli\ncd anchore-cli\npip install --user --upgrade . || pip install --user --upgrade .<\/code><\/pre>\n\n\n\nANCHORE_CLI_URL=http:\/\/localhost:8228\/v1\nANCHORE_CLI_USER=admin<\/mark>\nANCHORE_CLI_PASS=foobar<\/mark>\nexport ANCHORE_CLI_URL\nexport ANCHORE_CLI_USER\nexport ANCHORE_CLI_PASS<\/code><\/pre>\n\n\n\necho 'export PATH=$PATH:~\/.local\/bin'| tee -a ~\/.bashrc\nsource ~\/.profile<\/code><\/pre>\n\n\n\n$ anchore-cli --version<\/strong><\/mark>\nanchore-cli, version 0.9.4<\/code><\/pre>\n\n\n\n$ cd ~\/anchore<\/strong><\/mark>\n$ docker compose exec api anchore-cli system status<\/strong><\/mark>\nService simplequeue (anchore-quickstart, http:\/\/queue:8228): up\nService policy_engine (anchore-quickstart, http:\/\/policy-engine:8228): up\nService apiext (anchore-quickstart, http:\/\/api:8228): up\nService catalog (anchore-quickstart, http:\/\/catalog:8228): up\nService analyzer (anchore-quickstart, http:\/\/analyzer:8228): up\n\nEngine DB Version: 0.0.15\nEngine Code Version: 1.0.0<\/code><\/pre>\n\n\n\n$sss<\/strong>\nFeed Group LastSync RecordCount \nvulnerabilities alpine:3.10 2022-10-14T14:33:40Z 2331 \nvulnerabilities alpine:3.11 2022-10-14T14:33:40Z 2665 \nvulnerabilities alpine:3.12 2022-10-14T14:33:40Z 3205 \nvulnerabilities alpine:3.13 2022-10-14T14:33:40Z 3676 \nvulnerabilities alpine:3.14 2022-10-14T14:33:40Z 4117 \nvulnerabilities alpine:3.15 2022-10-14T14:33:40Z 4507 \nvulnerabilities alpine:3.16 2022-10-14T14:33:40Z 4824 \nvulnerabilities alpine:3.2 2022-10-14T14:33:40Z 306 \nvulnerabilities alpine:3.3 2022-10-14T14:33:40Z 471 \nvulnerabilities alpine:3.4 2022-10-14T14:33:40Z 683 \nvulnerabilities alpine:3.5 2022-10-14T14:33:40Z 903 \nvulnerabilities alpine:3.6 2022-10-14T14:33:40Z 1077 \nvulnerabilities alpine:3.7 2022-10-14T14:33:40Z 1462 \nvulnerabilities alpine:3.8 2022-10-14T14:33:40Z 1675 \nvulnerabilities alpine:3.9 2022-10-14T14:33:40Z 1962 \nvulnerabilities alpine:edge 2022-10-14T14:33:40Z 4895 \nvulnerabilities amzn:2 2022-10-14T14:33:40Z 947 \nvulnerabilities amzn:2022 2022-10-14T14:33:40Z 140 \nvulnerabilities debian:10 2022-10-14T14:33:40Z 29273 \nvulnerabilities debian:11 2022-10-14T14:33:40Z 26829 \nvulnerabilities debian:12 2022-10-14T14:33:40Z 26067 \nvulnerabilities debian:7 2022-10-14T14:33:40Z 20455 \nvulnerabilities debian:8 2022-10-14T14:33:40Z 24058 \nvulnerabilities debian:9 2022-10-14T14:33:40Z 28240 \nvulnerabilities debian:unstable 2022-10-14T14:33:40Z 32208 \n......\n...... <\/code><\/pre>\n\n\n\n\n
Use Anchore Engine<\/h4>\n\n\n\n
$ anchore-cli image add docker.io\/library\/debian:latest<\/mark>\nImage Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d\nParent Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff\nAnalysis Status: not_analyzed<\/mark>\nImage Type: docker\nAnalyzed At: None\nImage ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c\nDockerfile Mode: None\nDistro: None\nDistro Version: None\nSize: None\nArchitecture: None\nLayer Count: None\n\nFull Tag: docker.io\/library\/debian:latest\nTag Detected At: 2022-10-14T14:47:08Z<\/code><\/pre>\n\n\n\n$ anchore-cli image wait docker.io\/library\/debian:latest<\/strong><\/mark>\nImage Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d\nParent Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff\nAnalysis Status: analyzed<\/mark>\nImage Type: docker\nAnalyzed At: 2022-10-14T14:47:33Z\nImage ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c\nDockerfile Mode: Guessed\nDistro: debian\nDistro Version: 11\nSize: 136765440\nArchitecture: amd64\nLayer Count: 1\n\nFull Tag: docker.io\/library\/debian:latest\nTag Detected At: 2022-10-14T14:47:08Z\n<\/code><\/pre>\n\n\n\n$ anchore-cli image list<\/strong><\/mark>\nFull Tag Image Digest Analysis Status \ndocker.io\/library\/debian:latest sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d analyzed <\/code><\/pre>\n\n\n\n$ anchore-cli image get docker.io\/library\/debian:latest<\/strong><\/mark>\nImage Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d\nParent Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff\nAnalysis Status: analyzed\nImage Type: docker\nAnalyzed At: 2022-10-14T14:47:33Z\nImage ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c\nDockerfile Mode: Guessed\nDistro: debian\nDistro Version: 11\nSize: 136765440\nArchitecture: amd64\nLayer Count: 1\n\nFull Tag: docker.io\/library\/debian:latest\nTag Detected At: 2022-10-14T14:47:08Z<\/code><\/pre>\n\n\n\n$ anchore-cli image vuln docker.io\/library\/debian:latest os<\/strong><\/mark>\nVulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path \nCVE-2011-3389 libgnutls30-3.7.1-5+deb11u2 Medium None CVE-2011-3389 https:\/\/security-tracker.debian.org\/tracker\/CVE-2011-3389 dpkg debian:11 pkgdb \nCVE-2004-0971 libgssapi-krb5-2-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https:\/\/security-tracker.debian.org\/tracker\/CVE-2004-0971 dpkg debian:11 pkgdb \nCVE-2004-0971 libk5crypto3-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https:\/\/security-tracker.debian.org\/tracker\/CVE-2004-0971 dpkg debian:11 pkgdb \nCVE-2004-0971 libkrb5-3-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https:\/\/security-tracker.debian.org\/tracker\/CVE-2004-0971 dpkg debian:11 pkgdb \nCVE-2004-0971 libkrb5support0-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https:\/\/security-tracker.debian.org\/tracker\/CVE-2004-0971 dpkg debian:11 pkgdb \nCVE-2005-2541 tar-1.34+dfsg-1 Negligible None CVE-2005-2541 https:\/\/security- \n......\n......<\/code><\/pre>\n\n\n\n$ anchore-cli evaluate check docker.io\/library\/debian:latest --detail<\/strong><\/mark>\nImage Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d\nFull Tag: docker.io\/library\/debian:latest\nImage ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c\nStatus: pass\nLast Eval: 2022-10-14T14:53:30Z\nPolicy ID: 2c53a13c-1765-11e8-82ef-23527761d060\nFinal Action: warn\nFinal Action Reason: policy_evaluation\n\nGate Trigger Detail Status \ndockerfile instruction Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check warn \nvulnerabilities package MEDIUM Vulnerability found in os package type (dpkg) - libgnutls30 (CVE-2011-3389 - https:\/\/security-tracker.debian.org\/tracker\/CVE-2011-3389) warn <\/code><\/pre>\n\n\n\n$ anchore-cli image content docker.io\/library\/debian:latest os<\/strong><\/mark>\nPackage Version Licenses \nadduser 3.118 GPL-2 \napt 2.2.4 GPL-2 GPLv2+ \nbase-files 11.1+deb11u5 GPL \nbase-passwd 3.5.51 GPL-2 public-domain \nbash 5.1-2+deb11u1 GPL-3 \nbsdutils 1:2.36.1-8+deb11u1 BSD-2-clause BSD-3-clause BSD-4-clause GPL-2 GPL-2+ GPL-3 GPL-3+ LGPL LGPL-2 LGPL-2+ LGPL-2.1 LGPL-2.1+ LGPL-3 LGPL-3+ MIT public-domain \ncoreutils 8.32-4+b1 GPL-3 \ndash 0.5.11+git20200708+dd9ef66-5 BSD-3-Clause BSD-3-clause Expat FSFUL FSFULLR GPL-2 GPL-2+ public-domain \ndebconf 1.5.77 BSD-2-clause \ndebian-archive-keyring 2021.1.1 GPL \ndebianutils 4.11.2 GPL-2 \ndiffutils 1:3.7-5 GFDL GPL \ndpkg 1.20.12 BSD-2-clause GPL-2 GPL-2+ public-domain-md5 public-domain-s-s-d \n......\n......<\/code><\/pre>\n\n\n\nConclusion<\/h3>\n\n\n\n
\n