Docker images are the read-only templates used to run applications in Docker containers. An image bundles the application's source code, libraries, dependencies, tools, and configuration files, packaged so that the image depends on no host resources apart from the kernel. Because a Docker image captures an application and its environment at a specific point in time, it is also referred to as a snapshot. These snapshots can become outdated and contain files that are corrupted, which can harm the host systems on which they are deployed.
This makes Docker images prone to vulnerabilities. Another source of risk is that images are often packed with many files the application does not need, and because image layers are read-only those files cannot be removed afterwards; every unnecessary file widens the surface that can be compromised. For this reason, several tools are available to scan Docker images for vulnerabilities, ideally detecting them before the images are deployed. The most popular one is the Docker scan utility tool. In this guide, however, we are going to work with the Anchore Engine.
Anchore Engine
Anchore Engine is an open-source project that provides a centralized way of carrying out inspection, analysis, and certification of Docker container images. It comes as a Docker image that can be run standalone or on any orchestration platform such as Kubernetes, Rancher, or Amazon ECS. It pulls images from Docker V2-compatible container registries, analyzes them, and evaluates the result against a vulnerability database.
Anchore Engine can be accessed directly through a RESTful API or via the Anchore CLI to manage and inspect images, policies, subscriptions, and registries. Anchore Engine supports different operating systems including Alpine, Amazon Linux 2, CentOS, Debian, Google Distroless, Oracle Linux, Red Hat Enterprise Linux, Red Hat Universal Base Image (UBI), and Ubuntu. The supported package types are GEM, Java Archive (jar, ar, ear), NPM, Python (PIP), and Go Modules.
Anchore Engine is available as a docker image from the DockerHub.
Prepare Environment
A stand-alone installation requires at least 4GB of RAM and enough free disk space, at least 3x the size of the container image you want to analyze.
You should have Docker and Docker Compose installed on your system.
Add your user account to the docker group:
sudo usermod -aG docker $USER
newgrp docker
Anchore Engine uses a PostgreSQL database (version 9.6 or higher) for persistent storage; the Compose file used below starts one alongside the Engine services.
Install Anchore Engine
Set up the working directories which include the home directory for anchore, the configuration file directory, and the database directory.
mkdir -p ~/anchore/{db,config}
Download the Prometheus configuration file:
cd ~/anchore/config
curl -O https://engine.anchore.io/docs/quickstart/anchore-prometheus.yml
Download the Compose file for Anchore Engine with the following command:
cd ~/anchore/
curl -O https://engine.anchore.io/docs/quickstart/docker-compose.yaml
Pull the Anchore Engine and PostgreSQL images with the following command:
docker compose pull
You can change the default Anchore credentials in the Compose file:
vim docker-compose.yaml
In this guide, however, we keep the default username admin and password foobar.
Start up the service:
$ docker compose up -d
[+] Running 8/8
⠿ Network anchore_default Created 0.1s
⠿ Volume "anchore_anchore-db-volume" Created 0.0s
⠿ Container anchore-db-1 Started 2.4s
⠿ Container anchore-catalog-1 Started 0.9s
⠿ Container anchore-queue-1 Started 2.3s
⠿ Container anchore-policy-engine-1 Started 2.7s
⠿ Container anchore-analyzer-1 Started 2.6s
⠿ Container anchore-api-1 Started 2.7s
Verify the service is running with the following command.
$ docker compose ps
NAME COMMAND SERVICE STATUS PORTS
anchore-analyzer-1 "/docker-entrypoint.…" analyzer running (starting) 8228/tcp
anchore-api-1 "/docker-entrypoint.…" api running (starting) 0.0.0.0:8228->8228/tcp, :::8228->8228/tcp
anchore-catalog-1 "/docker-entrypoint.…" catalog running (starting) 8228/tcp
anchore-db-1 "docker-entrypoint.s…" db running (starting) 5432/tcp
anchore-policy-engine-1 "/docker-entrypoint.…" policy-engine running (starting) 8228/tcp
anchore-queue-1 "/docker-entrypoint.…" queue running (starting) 8228/tcp
Install Anchore CLI
Anchore CLI provides an easy way to control and interact with Anchore Engine to manage and inspect images, policies, subscriptions, and registries for the supported operating systems. To install Anchore CLI, run the following command:
git clone https://github.com/anchore/anchore-cli
cd anchore-cli
pip install --user --upgrade . || pip install --user --upgrade .
By default the Anchore CLI tries to connect to the Anchore Engine at http://localhost/v1 with no authentication, which will not work against this deployment. Instead, point it at the Engine API on port 8228 and supply the credentials, storing them as environment variables so you do not have to pass them with every Anchore CLI command.
If you changed the default credentials, remember to replace them here.
ANCHORE_CLI_URL=http://localhost:8228/v1
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=foobar
export ANCHORE_CLI_URL
export ANCHORE_CLI_USER
export ANCHORE_CLI_PASS
Add the pip user install directory to your PATH and reload the shell profile so the anchore-cli command is found:
echo 'export PATH=$PATH:~/.local/bin' | tee -a ~/.bashrc
source ~/.bashrc
Verify the successful installation.
$ anchore-cli --version
anchore-cli, version 0.9.4
To get the status of the Anchore Engine services, run the following command:
$ cd ~/anchore
$ docker compose exec api anchore-cli system status
Service simplequeue (anchore-quickstart, http://queue:8228): up
Service policy_engine (anchore-quickstart, http://policy-engine:8228): up
Service apiext (anchore-quickstart, http://api:8228): up
Service catalog (anchore-quickstart, http://catalog:8228): up
Service analyzer (anchore-quickstart, http://analyzer:8228): up
Engine DB Version: 0.0.15
Engine Code Version: 1.0.0
You can check the status of the vulnerability feeds with the following command. The RecordCount values should be greater than 0 (zero) to confirm the system is fully populated and ready to present vulnerability results.
$ anchore-cli system feeds list
Feed Group LastSync RecordCount
vulnerabilities alpine:3.10 2022-10-14T14:33:40Z 2331
vulnerabilities alpine:3.11 2022-10-14T14:33:40Z 2665
vulnerabilities alpine:3.12 2022-10-14T14:33:40Z 3205
vulnerabilities alpine:3.13 2022-10-14T14:33:40Z 3676
vulnerabilities alpine:3.14 2022-10-14T14:33:40Z 4117
vulnerabilities alpine:3.15 2022-10-14T14:33:40Z 4507
vulnerabilities alpine:3.16 2022-10-14T14:33:40Z 4824
vulnerabilities alpine:3.2 2022-10-14T14:33:40Z 306
vulnerabilities alpine:3.3 2022-10-14T14:33:40Z 471
vulnerabilities alpine:3.4 2022-10-14T14:33:40Z 683
vulnerabilities alpine:3.5 2022-10-14T14:33:40Z 903
vulnerabilities alpine:3.6 2022-10-14T14:33:40Z 1077
vulnerabilities alpine:3.7 2022-10-14T14:33:40Z 1462
vulnerabilities alpine:3.8 2022-10-14T14:33:40Z 1675
vulnerabilities alpine:3.9 2022-10-14T14:33:40Z 1962
vulnerabilities alpine:edge 2022-10-14T14:33:40Z 4895
vulnerabilities amzn:2 2022-10-14T14:33:40Z 947
vulnerabilities amzn:2022 2022-10-14T14:33:40Z 140
vulnerabilities debian:10 2022-10-14T14:33:40Z 29273
vulnerabilities debian:11 2022-10-14T14:33:40Z 26829
vulnerabilities debian:12 2022-10-14T14:33:40Z 26067
vulnerabilities debian:7 2022-10-14T14:33:40Z 20455
vulnerabilities debian:8 2022-10-14T14:33:40Z 24058
vulnerabilities debian:9 2022-10-14T14:33:40Z 28240
vulnerabilities debian:unstable 2022-10-14T14:33:40Z 32208
......
......
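A readiness check over that feed listing, as an added example that is not part of the Anchore project: feeds_ready parses the output of `anchore-cli system feeds list` and fails when any group still has a RecordCount of 0, and wait_for_feeds polls the running Engine with it. The sample listing is constructed from the output above, with one group altered to RecordCount 0.

```shell
# Added example (not from the Anchore project): a readiness check over the
# output of `anchore-cli system feeds list`. A feed group with RecordCount 0
# has not been populated yet, so results for that distro would be incomplete.

# Read the feed listing on stdin; print every group whose RecordCount (field 4)
# is not > 0 and return 1 if any such group exists, 0 otherwise. Line 1 is the
# header "Feed Group LastSync RecordCount".
feeds_ready() {
    awk '
        NR == 1 { next }
        NF < 4 || $4 + 0 == 0 { print "not ready: " $1 " " $2; bad++ }
        END { exit (bad > 0) }'
}

# Poll the running Engine until every feed group is populated, checking at
# most $1 times (default 30) one minute apart. Not exercised offline.
wait_for_feeds() {
    tries=${1:-30}
    while [ "$tries" -gt 0 ]; do
        anchore-cli system feeds list | feeds_ready && return 0
        tries=$((tries - 1))
        sleep 60
    done
    return 1
}

# Constructed sample listing: two groups from this guide's output and one
# group altered to RecordCount 0 to show the failure case.
SAMPLE_FEEDS='Feed Group LastSync RecordCount
vulnerabilities alpine:3.16 2022-10-14T14:33:40Z 4824
vulnerabilities debian:11 2022-10-14T14:33:40Z 26829
vulnerabilities debian:12 2022-10-14T14:33:40Z 0'
```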
For integrated monitoring using Prometheus, check:
Use Anchore Engine
To add an image to the Anchore Engine use the following command:
$ anchore-cli image add docker.io/library/debian:latest
Image Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d
Parent Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff
Analysis Status: not_analyzed
Image Type: docker
Analyzed At: None
Image ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c
Dockerfile Mode: None
Distro: None
Distro Version: None
Size: None
Architecture: None
Layer Count: None
Full Tag: docker.io/library/debian:latest
Tag Detected At: 2022-10-14T14:47:08Z
Wait for the image to move to the 'analyzed' state:
$ anchore-cli image wait docker.io/library/debian:latest
Image Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d
Parent Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2022-10-14T14:47:33Z
Image ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 11
Size: 136765440
Architecture: amd64
Layer Count: 1
Full Tag: docker.io/library/debian:latest
Tag Detected At: 2022-10-14T14:47:08Z
List images analyzed by the Anchore Engine:
$ anchore-cli image list
Full Tag Image Digest Analysis Status
docker.io/library/debian:latest sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d analyzed
Get image overview and summary information:
$ anchore-cli image get docker.io/library/debian:latest
Image Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d
Parent Digest: sha256:e538a2f0566efc44db21503277c7312a142f4d0dedc5d2886932b92626104bff
Analysis Status: analyzed
Image Type: docker
Analyzed At: 2022-10-14T14:47:33Z
Image ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 11
Size: 136765440
Architecture: amd64
Layer Count: 1
Full Tag: docker.io/library/debian:latest
Tag Detected At: 2022-10-14T14:47:08Z
Perform a vulnerability scan on an image:
$ anchore-cli image vuln docker.io/library/debian:latest os
Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path
CVE-2011-3389 libgnutls30-3.7.1-5+deb11u2 Medium None CVE-2011-3389 https://security-tracker.debian.org/tracker/CVE-2011-3389 dpkg debian:11 pkgdb
CVE-2004-0971 libgssapi-krb5-2-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https://security-tracker.debian.org/tracker/CVE-2004-0971 dpkg debian:11 pkgdb
CVE-2004-0971 libk5crypto3-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https://security-tracker.debian.org/tracker/CVE-2004-0971 dpkg debian:11 pkgdb
CVE-2004-0971 libkrb5-3-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https://security-tracker.debian.org/tracker/CVE-2004-0971 dpkg debian:11 pkgdb
CVE-2004-0971 libkrb5support0-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https://security-tracker.debian.org/tracker/CVE-2004-0971 dpkg debian:11 pkgdb
CVE-2005-2541 tar-1.34+dfsg-1 Negligible None CVE-2005-2541 https://security-
......
......
Perform a policy evaluation on an image:
$ anchore-cli evaluate check docker.io/library/debian:latest --detail
Image Digest: sha256:9b0e3056b8cd8630271825665a0613cc27829d6a24906dc0122b3b4834312f7d
Full Tag: docker.io/library/debian:latest
Image ID: d91720f514f733190e529148212d53a33021d62900b9901138cfb3fc404dd33c
Status: pass
Last Eval: 2022-10-14T14:53:30Z
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
Final Action: warn
Final Action Reason: policy_evaluation
Gate Trigger Detail Status
dockerfile instruction Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check warn
vulnerabilities package MEDIUM Vulnerability found in os package type (dpkg) - libgnutls30 (CVE-2011-3389 - https://security-tracker.debian.org/tracker/CVE-2011-3389) warn
List operating system packages present in an image:
$ anchore-cli image content docker.io/library/debian:latest os
Package Version Licenses
adduser 3.118 GPL-2
apt 2.2.4 GPL-2 GPLv2+
base-files 11.1+deb11u5 GPL
base-passwd 3.5.51 GPL-2 public-domain
bash 5.1-2+deb11u1 GPL-3
bsdutils 1:2.36.1-8+deb11u1 BSD-2-clause BSD-3-clause BSD-4-clause GPL-2 GPL-2+ GPL-3 GPL-3+ LGPL LGPL-2 LGPL-2+ LGPL-2.1 LGPL-2.1+ LGPL-3 LGPL-3+ MIT public-domain
coreutils 8.32-4+b1 GPL-3
dash 0.5.11+git20200708+dd9ef66-5 BSD-3-Clause BSD-3-clause Expat FSFUL FSFULLR GPL-2 GPL-2+ public-domain
debconf 1.5.77 BSD-2-clause
debian-archive-keyring 2021.1.1 GPL
debianutils 4.11.2 GPL-2
diffutils 1:3.7-5 GFDL GPL
dpkg 1.20.12 BSD-2-clause GPL-2 GPL-2+ public-domain-md5 public-domain-s-s-d
......
......
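The add, wait, vuln and evaluate steps above wired into a CI gate, as an added example that is not part of the Anchore project: the parsers work on the plain-text output of `anchore-cli image vuln <image> os` and `anchore-cli evaluate check <image> --detail`, and scan_image runs the real commands against the Engine configured earlier. The sample output is constructed from this guide's debian:latest scan plus one placeholder row (CVE-0000-0000 is not a real CVE) rated High.

```shell
# Added example (not from the Anchore project): a CI gate over the plain-text
# output of `anchore-cli image vuln <image> os` and `anchore-cli evaluate check`.

# Count findings whose Severity column (field 3) is in the given list, e.g.
# "Critical High". Reads `image vuln ... os` output on stdin; line 1 is the header.
count_vulns_by_severity() {
    awk -v sev="$1" '
        BEGIN { n = split(sev, want, " "); for (i = 1; i <= n; i++) wanted[want[i]] = 1 }
        NR > 1 && ($3 in wanted) { c++ }
        END { print c + 0 }'
}

# Read `evaluate check --detail` output on stdin: returns 0 when Status is
# pass, 1 when it is fail, 2 when no Status line is found.
policy_gate() {
    status=$(awk -F': *' '$1 == "Status" { print $2; exit }')
    case "$status" in
        pass) return 0 ;;
        fail) return 1 ;;
        *)    return 2 ;;
    esac
}

# Block the build if the policy evaluation did not pass or any Critical/High
# finding is present. $1 = saved vuln output, $2 = saved evaluation output.
ci_gate() {
    policy_gate < "$2" || { echo "policy evaluation did not pass" >&2; return 1; }
    high=$(count_vulns_by_severity "Critical High" < "$1")
    [ "$high" -eq 0 ] || { echo "$high Critical/High findings" >&2; return 1; }
}

# Wire the real commands together (needs the running Engine and the exported
# ANCHORE_CLI_* variables; not exercised offline). `evaluate check` exits
# non-zero on a failed policy, so its exit code is re-derived from the output.
scan_image() {
    anchore-cli image add "$1" >/dev/null && anchore-cli image wait "$1" >/dev/null || return 2
    anchore-cli image vuln "$1" os > "$2"
    anchore-cli evaluate check "$1" --detail > "$3" || true
    ci_gate "$2" "$3"
}

# Constructed sample output: rows from the debian:latest scan in this guide
# plus one placeholder row (CVE-0000-0000, not a real CVE) rated High.
SAMPLE_VULNS='Vulnerability ID Package Severity Fix CVE Refs Vulnerability URL Type Feed Group Package Path
CVE-2011-3389 libgnutls30-3.7.1-5+deb11u2 Medium None CVE-2011-3389 https://security-tracker.debian.org/tracker/CVE-2011-3389 dpkg debian:11 pkgdb
CVE-2004-0971 libgssapi-krb5-2-1.18.3-6+deb11u2 Negligible None CVE-2004-0971 https://security-tracker.debian.org/tracker/CVE-2004-0971 dpkg debian:11 pkgdb
CVE-0000-0000 placeholder-pkg-1.0-1 High 1.0-2 CVE-0000-0000 https://example.invalid/CVE-0000-0000 dpkg debian:11 pkgdb'
SAMPLE_EVAL='Status: pass
Final Action: warn'
```

Run it as `scan_image docker.io/library/debian:latest vulns.txt eval.txt` and use its exit code as the pipeline verdict.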
Conclusion
Anchore Engine ships as a Docker image, so it can be deployed on a variety of operating systems. It is lightweight and does not consume most of your system resources. The latest version, 1.0, is considered feature complete, and with it you receive updated vulnerability data. It is an automated system that lets you inspect, analyze and evaluate images against user-defined checks and reports a pass or fail result for each image.