
A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification


zhill/anchore-engine


Anchore Engine

Latest News: Anchore Engine is now version 1.0 and considered feature complete. There are no plans for any new feature development because Anchore's open source development efforts are now focused on Syft and Grype.

The vulnerability feed that provides data to v0.9 and earlier will be deactivated on June 30th 2022. Please ensure you have upgraded to 1.0 with the Grype-based provider enabled before this date to ensure you continue to receive updated vulnerability data.

For users interested in a supported commercial solution, schedule a demo to see Anchore Enterprise’s broad set of enterprise capabilities including SBOM management, security scanning, and reporting.

For more information, please see this blog post.

About

Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. Anchore Engine is provided as a Docker container image that can be run standalone or within an orchestration platform such as Kubernetes, Docker Swarm, Rancher, Amazon ECS, and other container orchestration platforms.

With a deployment of Anchore Engine running in your environment, container images are pulled from Docker V2 compatible container registries and analyzed; the resulting package inventory is then evaluated against a vulnerability database and against your own acceptance policies.

For the most up-to-date information on Anchore Engine, Anchore CLI, and other Anchore software, please refer to the Anchore Documentation.

Anchore Engine can be accessed directly through a RESTful API or via the Anchore CLI.

Anchore Engine is the foundation for Anchore Enterprise, an SBOM-powered platform for software supply chain security which includes support for source code, container images, secret scanning, malware detection, and more.

Supported Operating Systems

  • Alpine
  • Amazon Linux 2
  • CentOS
  • Debian
  • Google Distroless
  • Oracle Linux
  • Red Hat Enterprise Linux
  • Red Hat Universal Base Image (UBI)
  • Ubuntu

Supported Packages

  • GEM
  • Java Archive (jar, war, ear)
  • NPM
  • Python (PIP)
  • Go Modules

Installation

There are several ways to get started with Anchore Engine. For the latest information on the quickstart and on full production installation with docker-compose, Helm, and other methods, please visit the Anchore Engine documentation.

The Anchore Engine is distributed as a Docker Image available from DockerHub.

Quick Start (TLDR)

See documentation for the full quickstart guide.

To quickly bring up an installation of Anchore Engine on a system with docker (and docker-compose) installed, follow these simple steps:

curl https://engine.anchore.io/docs/quickstart/docker-compose.yaml > docker-compose.yaml
docker-compose up -d

Once the Engine is up and running, you can begin to interact with the system using the CLI.

Getting Started using the CLI

The Anchore CLI is an easy way to control and interact with the Anchore Engine.

The Anchore CLI can be installed using the Python pip command, or by running the CLI from the Anchore Engine CLI container image. See the Anchore CLI project on Github for code and more installation options and usage.

CLI Quick Start (TLDR)

By default, the Anchore CLI tries to connect to the Anchore Engine at http://localhost:8228/v1 with no authentication. The username, password, and URL for the server can be passed to the Anchore CLI as command-line arguments:

--u   TEXT   Username     eg. admin
--p   TEXT   Password     eg. foobar
--url TEXT   Service URL  eg. http://localhost:8228/v1

Rather than passing these parameters for every call to the tool, they can also be set as environment variables:

ANCHORE_CLI_URL=http://myserver.example.com:8228/v1
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=foobar

Add an image to the Anchore Engine:

anchore-cli image add docker.io/library/debian:latest

Wait for the image to move to the 'analyzed' state:

anchore-cli image wait docker.io/library/debian:latest

List images analyzed by the Anchore Engine:

anchore-cli image list

Get image overview and summary information:

anchore-cli image get docker.io/library/debian:latest

List feeds and wait for at least one vulnerability data feed sync to complete. The first sync can take some time (20-30 minutes); after that, syncs only merge deltas. Vulnerability results requested before the first sync finishes will be incomplete.

anchore-cli system feeds list
anchore-cli system wait

Obtain the results of the vulnerability scan on an image:

anchore-cli image vuln docker.io/library/debian:latest os

List operating system packages present in an image:

anchore-cli image content docker.io/library/debian:latest os

API

For the external API definition (the user-facing service), see the External API Swagger Spec. If you have Anchore Engine running, you can also browse the embedded Swagger UI by directing your browser at http://:8228/v1/ui/ on your engine host (NOTE: the trailing slash is required for the embedded Swagger UI to render properly).

Each service implements its own API, and all APIs are defined in Swagger/OpenAPI spec. You can find each in the anchore_engine/services/<servicename>/api/swagger directory.

More Information

For further details on the use of the Anchore CLI with the Anchore Engine, please refer to the Anchore Engine Documentation.

Developing

This repo was reformatted using Black in Nov. 2020. Because that commit touched so many files, it can be excluded from git blame in your local environment. To ignore it, configure git blame to use the provided .git-blame-ignore-revs file as its list of commits to skip.

Set your local git configuration to use the provided file by running this from within the root of this source tree: git config blame.ignoreRevsFile .git-blame-ignore-revs

