This is a useful security tool that enables developers and QA teams to test, identify, and address vulnerabilities in the images they are using to create applications. In this article, we will look at how to install and use the Anchore image vulnerability scanner. Generally, there are are several implementation methods. However, I will focus on the following two,
Using the AnchoreCLI command-line option GUI based Jenkins Anchore Container Image Scanner plugin.
We will show you how to install, configure, and start the engine, configure and use the AnchoreCLI command-line tool as well as the Jenkins plugin. For each of the two methods, you will learn how to add the images to scan, perform the scan, and view reports. At the end of the article, you will learn the following three things.
Installing and configuring the Anchore Engine Installing, configuring and using AnchoreCLI Configuring and using Anchore Container Image Scanner Plugin in Jenkins
Prerequisites
The following are the requirements for this tutorial;
A local or virtual machine with Ubuntu 18.04 and the following; Docker Docker-compose Jenkins Installed and running sudo user
Step 1:— Setup the working directories and download the configuration files.
Create a working directory for your Anchore files. Within that directory, you’ll create two subdirectories, one for the configuration, and one for the database. Create a home directory for the Anchore files Go to the new directory and create the configuration and database subdirectories.
Download the configuration files
Once the directories are ready, we will download two configuration files (docker-compose.yaml and config.yaml) from the Github project. To download the docker-compose.yaml Go to the anchore home directory and use the command Then download the config.yaml to the ~/anchore/config directory The config.yaml file is a configuration file with the basic settings that the anchore engine service requires to run. It has several parameters, including includes the default, log level, listening port, username, password, and others that you can adjust to meet specific requirements. It is a good security practice to change the password, and you can do this by editing the config.yaml file. However, in this tutorial, we will use the default settings. To continue with the default credentials, (username – admin and password – foobar), proceed to step 2.
Changing Anchore Engine credentials (optional)
From the anchore directory use the command Locate the username (admin) and password (foobar) and change to your preferred values. Press CTRL + X, then Y to save and exit. With the working directories and configuration files in place, the system is ready for the installation of the Anchore Engine.
Step 2: — Install and start the Anchore Engine
You will use the Docker compose to install and start the Anchore Engine and database. From the anchore home directory, run. This will automatically pull the Anchore image and then create the Anchore engine and database in the home and ~/anchore/database/ directories respectively. Upon completion, the command will start the Anchore engine. After successfully installing and starting the anchore engine, you can now scan the images using the anchore command line AnchoreCLI. However, you need first to install the AnchoreCLI command-line utility, as shown below.
Installing, configuring AnchoreCLI
In this step, you will learn how to install and configure the AnchoreCLI command-line tool.
Step 3: — Install AnchoreCLI
In this tutorial, we will first install the python-pip utility, which will then use to install the AnchoreCLI from the source. To install Python pip. For to the Anchore home directory and run Install the AnchoreCLI using python-pip This command will download and install the files for the AnchoreCLI. After installation, we now need to source our .profile file to using the command To verify if the installation is successful and version of the Anchorecli, use the command To check anchore-CLI system status, use the command Please note that you must pass the Anchore engine URL, username, and password. Define Anchore Engine parameters By default, the AnchoreCLI will attempt to access the Anchore Engine without authentication. However, this will not work, and you need to provide the Anchore Engine credentials with every command. This involves passing the username, password, and URL parameters with every Anchore CLI command. Instead of providing these every time, the alternative is to define them as environmental variables in the following format. To pass the URL, run This defines the Anchore Engine URL together with the port 8228, which it uses. Set the username and password using the default values; otherwise, replace them with the new values you set in Step 1. The above sets the parameters only for the current shell. To set the current shell and other processes that start from it, we use the export command With the parameters defined, the AchoreCLI setup is complete, and you’ are ready to scan images.
Step 4: — Adding and analyzing images
Now that we have the Anchore Engine running and CLI configured, you will learn how to add and analyze the images for security issues. In this tutorial, we will analyze two images. -openjdk:8-jre-alpine with vulnerabilities and debian:latest without . Analyzing images To proceed, we need first to add the images to the engine. To add the images Add stable image debian:latest Add more images After adding an image to the Anchore Engine, the analysis starts immediately. If there are several loaded images, they are put in a queue and analyzed one at a time. You can check the progress and see the list of loaded images together with their analysis status. To see the list, run the command Output Depending on the number of images, size, and time elapsed after adding them, you will get analyzed for those complete, analyzing for those in progress and not analyzed for the queued images.
Step 5: — Retrieve and view analysis results
Once the analysis is complete, you can check the results and see the results for the vulnerability scans, policy checks, and other issues the engine has identified. To check results for the vulnerability scan on openjdk:8-jre-alpine vulnerable image Run Output The report shows the CVE identifier, the vulnerable package, severity, and whether there is a fix or not. For our image openjdk:8-jre-alpine, the analysis shows that it has five high vulnerabilities and quite a number of medium and negligible vulnerabilities. (some not shown above). To view vulnerabilities results for a stable image debian:latest Run the command Output As can be seen from the report, the image debian:latest has negligible vulnerabilities and no fixes. To see the policy evaluation results for the unstable image openjdk:8-jre-alpine run Output – The results show a fail The image openjdk:8-jre-alpine violates the specified policy ID (Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060) and therefore returns a Fail status. Now that we have seen how the Anchore Engine responds after detecting a policy violation, it is time to check if how it behaves with our stable image debian:latest. Policy check for debian:latest stable image The results show a Pass status and a Final Action of Warn because of information mismatch with a Dockerfile directive. This does not fail but may require checking and addressing the issue.
Configuring and using Anchore Container Image Scanner Plugin in Jenkins
Step 6:— Add and configure the Anchore Container Image Scanner Plugin in Jenkins
In this step, we will integrate the Anchor Engine with the Jenkins server. Jenkins is a java based, open-source server for automating a wide range of repetitive tasks in the software development cycle. The Anchore plugin is available in Jenkins but not installed by default. Log in to Jenkins using a web browser Enter the username and password. Go to Jenkins menu Locate and select Manage Jenkins Go to Manage Plugins On the Available tab, scroll down to Build Tools and select the Anchore Container Image Scanner Click the Install without restart option.
After the successful installation of the Anchore Container Image Scanner plugin, the next step is to configure the credentials.
Go to the Jenkins menu and select the Manage Jenkins tab. Open Configure system. Locate the Anchore configuration. Select Engine Mode Enter the Anchore Engine details (the engine URL, username and password, and port 8228 – the default port for the engine). URL – http://your_server_IP:8228/v1 Enter the username = admin Enter the Password = foobar or new password if you changed it in Step 3 (above) Click Save
Configure Anchore Plugin
Step 8:— Adding and scanning images
Click New Item at the Jenkins Dashboard on the top left menu This will open a screen with several options. Type the desired name for your test project in the Enter the item name field. In this project, we will use the Pipeline build. Select the Pipeline and click Ok.
You are now ready to scan the images. In our case, we will use images already in the docker registry that is accessible by the Anchore Engine. To do this, you will add the pipeline script that will specify the image to scan.
Step 9:— Add pipeline script
Scroll down to the Pipeline section and add the script to specify the image to scan. We will start with the openjdk:8-jre-alpine which contains some vulnerabilities. Click Save
Step 10:— Run the build and review the scan reports
From the Jenkins menu Click Build Now This will start the build process, which takes a few minutes depending on the image size. After completion, a number and a colored button will appear under the Build History. This will have a red color for Fail or Blue for Pass. Clicking the button will display more results.
Step 11:— Review Results
Click on Build # to view more details This opens a Console Output window indicating a failure – Anchore Report (FAIL)
The detailed reports indicate whether the analysis was a Fail or a Pass and provide several reports showing the vulnerabilities, warnings, and others based on the configuration. By default, the plugin is configured to fail a build (Stop) whenever there are vulnerabilities. Below are the screenshots for the Policy and Security reports.
Anchore Policy Evaluation summary Below is a screenshot of the Security results for the vulnerable image.
Common Vulnerabilities and Exposures (CVE) List If we now scan a stable image, debian:latest, with no vulnerabilities, we get the results below.
Anchore Policy Evaluation summary (Pass)
Common Vulnerabilities and Exposures (CVE) List Pass
Conclusion
The Anchore Container Image Scanner is a powerful image analysis tool that identifies a wide range of vulnerabilities and policy issues in Docker images. It has many customization options and can be configured on how to respond upon detecting issues during the analysis. One of these is to break the build when the engine encounters a severe vulnerability. If you are looking to build your career in DevSecOps, then check out this Udemy course.
