Docker Image Scanner Anchore - saviovettoor/DevOps-wiki GitHub Wiki

Docker Image Scanner - Anchore

Anchore Engine is an open-source tool that scans your Docker images for security vulnerabilities. Anchore also provides an Enterprise version with additional features: a UI for configuring Anchore, role-based access control, report generation, and more.

Install anchore engine

mkdir -p /opt/anchore/config
cd /opt/anchore/config
curl -O https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml
cd /opt/anchore/
curl -O https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml

You can update the anchore-engine default admin user's details in the file /opt/anchore/config/config.yaml:

credentials:
  users:
    admin:
      password: 'foobar'
      email: '[email protected]'

Starting anchore engine

docker-compose up -d

Install Anchore CLI

Install the Anchore CLI in order to control the Anchore Engine.

yum install -y epel-release
yum install -y python-pip
pip install anchorecli

More about the Anchore CLI: link

NOTE: To run anchore-cli you need to export the user name and password, e.g.:

export ANCHORE_CLI_USER=admin
export ANCHORE_CLI_PASS=foobar

Integrate with a Jenkins pipeline

  1. Install the Jenkins Anchore Container Image Scanner plugin. MORE INFO: link
  2. Configure the Anchore plugin under Jenkins -> Manage Jenkins -> Configure System:
	Anchore Plugin Mode: Engine Mode
		Engine URL: http://127.0.0.1:8228/v1
		Engine Username: admin
		Engine Password: foobar

In the pipeline scan stage of your job:

stage('Scan') {
	steps {
		// one "image dockerfile" pair per line; the plugin reads this file
		sh 'echo "library/debian `pwd`/Dockerfile" > anchore_images'
		anchore name: 'anchore_images'
	}
}

Alternatively, the following stage downloads the Anchore inline-scan script and runs the scan:

stage('Scan') {
	steps {
		// the Groovy string is single-quoted, so ${IMAGE_NAME} is expanded by the shell
		// and must be present in the build environment
		sh 'curl -s https://ci-tools.anchore.io/inline_scan-v0.3.3 | bash -s -- -d Dockerfile -b .anchore_policy.json ${IMAGE_NAME}:ci'
	}
}
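Both stages above fail the build through Anchore's own policy evaluation; when you instead drive the scan with anchore-cli from a shell step, you need your own gate over the report. The script below is an added example, not code from this wiki or from the Anchore project: it assumes the report is the JSON printed by `anchore-cli --json image vuln <image> all` (a `vulnerabilities` list whose entries carry `vuln`, `severity`, `package`, `fix` and `url`), and the sample report it ships with is constructed for illustration.

```python
"""Severity gate over an Anchore vulnerability report (added example)."""
import json
import sys

# Anchore's severity labels ordered from lowest to highest (ordering is an assumption
# made here for comparison; the labels themselves are the ones Anchore reports).
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3,
                 "High": 4, "Critical": 5}

# Constructed sample shaped like `anchore-cli --json image vuln <image> all`.
# CVE ids, packages and URLs are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "imageDigest": "sha256:PLACEHOLDER",
    "vulnerability_type": "all",
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "severity": "High", "package": "libexample-1.0",
         "fix": "1.0-1", "url": "https://example.invalid/1"},
        {"vuln": "CVE-0000-0002", "severity": "Critical", "package": "libother-2.3",
         "fix": "None", "url": "https://example.invalid/2"},
        {"vuln": "CVE-0000-0003", "severity": "Low", "package": "libminor-0.1",
         "fix": "0.2", "url": "https://example.invalid/3"},
    ],
})


def failing_findings(report_json, min_severity="High", fixed_only=True):
    """Return the findings at or above min_severity that should fail the build.

    With fixed_only=True (the usual CI policy) only findings for which the
    distro ships a fix count, so unfixable issues do not block every build.
    """
    report = json.loads(report_json)
    threshold = SEVERITY_RANK[min_severity]
    failing = []
    for finding in report.get("vulnerabilities", []):
        rank = SEVERITY_RANK.get(finding.get("severity", "Unknown"), 0)
        has_fix = finding.get("fix") not in (None, "", "None")
        if rank >= threshold and (has_fix or not fixed_only):
            failing.append(finding)
    return failing


def gate_exit_code(report_json, **policy):
    """Exit status for a CI step: non-zero when any finding fails the gate."""
    return 1 if failing_findings(report_json, **policy) else 0


if __name__ == "__main__":
    # Pipe the anchore-cli JSON in; falls back to the constructed sample when run by hand.
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for f in failing_findings(data):
        print(f"{f['vuln']} {f['severity']} {f['package']} fix={f['fix']} {f['url']}")
    sys.exit(gate_exit_code(data))
```

In a pipeline this runs after `anchore-cli image add` and `anchore-cli image wait` for the image, with the gate's exit status failing the `sh` step.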