Anchore
Anchore is a container security platform for scanning images, analyzing dependencies, enforcing policies, and managing vulnerabilities across your container registry.
Installation
Docker
# Anchore Engine needs PostgreSQL; start the database first ("password" is a placeholder)
docker network create anchore
docker run -d --name anchore-db --network anchore \
  -e POSTGRES_PASSWORD="password" postgres:9.6
# Run Anchore Engine against it (no Docker socket mount is needed: the engine pulls images through the registry API)
docker run -d --name anchore-engine --network anchore \
  -e ANCHORE_DB_HOST="anchore-db" \
  -e ANCHORE_DB_PASSWORD="password" \
  -e ANCHORE_ENDPOINT_HOSTNAME="localhost" \
  -p 8228:8228 \
  anchore/anchore-engine:latest
# Wait for the services to come up, then confirm they all report "up"
docker logs -f anchore-engine
anchore-cli --url http://localhost:8228 --u admin --p foobar system status
Kubernetes Deployment
# Supported path: the Helm chart, which deploys the engine services and PostgreSQL
helm repo add anchore https://charts.anchore.io
helm install anchore anchore/anchore-engine
# Or a raw Deployment. It assumes a PostgreSQL Service named anchore-db and a Secret
# anchore-db-credentials in the same namespace. Do not mount /var/run/docker.sock:
# the engine does not use it, and a hostPath socket mount gives the pod root on the node.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: anchore-engine
spec:
  replicas: 1
  selector:
    matchLabels:
      app: anchore
  template:
    metadata:
      labels:
        app: anchore
    spec:
      containers:
        - name: anchore
          image: anchore/anchore-engine:latest
          ports:
            - containerPort: 8228
          env:
            - name: ANCHORE_DB_HOST
              value: "anchore-db"
            - name: ANCHORE_DB_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: anchore-db-credentials
                  key: password
CLI Installation
# Install anchore-cli
pip install anchorecli
# or
brew install anchore-cli
# Check connectivity (admin's default password is foobar; set ANCHORE_ADMIN_PASSWORD on the engine to change it)
anchore-cli --url "http://localhost:8228" --u admin --p foobar system status
# Or export in .bashrc / .zshrc so the flags can be omitted
export ANCHORE_CLI_URL="http://localhost:8228"
export ANCHORE_CLI_USER="admin"
export ANCHORE_CLI_PASS="foobar"
Image Analysis
Add Images
# Add image for analysis (queued; use "image wait" below before reading results)
anchore-cli image add docker.io/library/nginx:latest
# List images
anchore-cli image list
# Get image details as JSON
anchore-cli --json image get docker.io/library/nginx:latest | jq '.'
Syft (Bill of Materials)
# Generate SBOM in syft's native JSON format
syft docker.io/library/nginx:latest -o json > sbom.json
# CycloneDX XML (cyclonedx-json for the JSON flavour)
syft docker.io/library/nginx:latest -o cyclonedx-xml > sbom.xml
# Package URLs across all layers, not only the squashed filesystem
syft docker.io/library/nginx:latest --scope all-layers -o json \
  | jq -r '.artifacts[].purl'
Grype (Vulnerability Detection)
# Scan image for vulnerabilities
grype docker.io/library/nginx:latest
# Detailed JSON output
grype docker.io/library/nginx:latest -o json > vuln-report.json
# Gate on severity: non-zero exit if anything critical is found; also show matches hidden by ignore rules
grype docker.io/library/nginx:latest \
  --fail-on critical \
  --show-suppressed
# Look for a CVE family in the table output
grype docker.io/library/nginx:latest | grep "CVE-2021"
Vulnerability Scanning
Anchore Analysis
# Wait for analysis to complete
anchore-cli image wait docker.io/library/nginx:latest
# Get vulnerability results (type is os, non-os or all; there is no severity argument)
anchore-cli image vuln docker.io/library/nginx:latest all
# High and Critical only: filter the JSON output
anchore-cli --json image vuln docker.io/library/nginx:latest all \
  | jq '.vulnerabilities[] | select(.severity == "High" or .severity == "Critical")'
# Export to CSV
anchore-cli --json image vuln docker.io/library/nginx:latest all \
  | jq -r '.vulnerabilities[] | [.vuln, .severity, .package] | @csv' > vulns.csv
Package Analysis
# OS package listing (other content types include files, npm, gem, python, java)
anchore-cli image content docker.io/library/nginx:latest os
# Check a specific package
anchore-cli image content docker.io/library/nginx:latest os \
  | grep -i openssl
# File analysis
anchore-cli image content docker.io/library/nginx:latest files | head -20
# Image record: tags, digest, image id and analysis status
anchore-cli --json image get docker.io/library/nginx:latest | jq '.[0].image_detail'
Policy Enforcement
Policy Bundles
# Show a policy bundle (--detail prints the full JSON)
anchore-cli policy get default --detail
# List policies
anchore-cli policy list
# Add a custom bundle from a file
anchore-cli policy add policy.json
# Activate it so it is used by default
anchore-cli policy activate production-policy
# Evaluate an image against the active bundle
anchore-cli evaluate check docker.io/library/nginx:latest --detail
Example Policy (policy.json)
In Anchore's bundle schema, rules live under named policies that a mapping selects for matching images, and a package blacklist is a rule on the packages gate rather than a top-level list.
{
  "id": "production-policy",
  "version": "1_0",
  "name": "Production policy",
  "whitelists": [],
  "mappings": [
    {
      "id": "map-all",
      "name": "default",
      "registry": "*",
      "repository": "*",
      "image": {"type": "tag", "value": "*"},
      "policy_ids": ["prod-rules"],
      "whitelist_ids": []
    }
  ],
  "policies": [
    {
      "id": "prod-rules",
      "name": "Production rules",
      "version": "1_0",
      "rules": [
        {
          "id": "blacklist-curl",
          "gate": "packages",
          "trigger": "blacklist",
          "action": "STOP",
          "params": [{"name": "name", "value": "curl"}]
        },
        {
          "id": "high-vulns",
          "gate": "vulnerabilities",
          "trigger": "package",
          "action": "WARN",
          "params": [
            {"name": "package_type", "value": "all"},
            {"name": "severity_comparison", "value": ">="},
            {"name": "severity", "value": "high"}
          ]
        },
        {
          "id": "no-ssh-port",
          "gate": "dockerfile",
          "trigger": "exposed_ports",
          "action": "STOP",
          "params": [
            {"name": "ports", "value": "22"},
            {"name": "type", "value": "blacklist"}
          ]
        }
      ]
    }
  ]
}
Policy Evaluation
# Check if image passes the policy (non-zero exit on a STOP result)
anchore-cli evaluate check docker.io/library/nginx:latest \
  --policy production-policy
# Detailed gate results
anchore-cli --json evaluate check docker.io/library/nginx:latest \
  --policy production-policy --detail
# Suppress confirmed false positives: add a whitelist to the bundle and re-upload it.
# Items match the trigger id "<vuln id>+<package name>"; "+*" covers every package.
#   "whitelists": [{"id": "prod-wl", "name": "Reviewed findings",
#     "items": [{"id": "wl-1", "gate": "vulnerabilities", "trigger_id": "CVE-2021-12345+*"}]}]
# and reference it from the mapping: "whitelist_ids": ["prod-wl"]
anchore-cli policy add policy.json
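To see how a vulnerabilities/package rule and a whitelist entry combine into the final action, here is an added Python example (not anchore-cli or Engine code) that models that one gate. The bundle and the vulnerability records are constructed in the shapes of the corrected policy.json and of `--json image vuln` output; the CVE-9999-* ids are placeholders, and CVE-2021-12345 is the id the page uses for a suppressed finding.

```python
"""Mini evaluator for the vulnerabilities/package gate of an Anchore policy
bundle, including whitelist suppression. Added example, not Anchore code.
The bundle and the vulnerability records are constructed; CVE-9999-* ids are
placeholders, CVE-2021-12345 is the id this page uses for a suppressed finding."""
import fnmatch

SEVERITY_RANK = {"unknown": 0, "negligible": 1, "low": 2, "medium": 3,
                 "high": 4, "critical": 5}
ACTION_RANK = {"GO": 0, "WARN": 1, "STOP": 2}

# Constructed bundle in the corrected policy.json shape
BUNDLE = {
    "id": "production-policy",
    "whitelists": [{
        "id": "prod-wl",
        "items": [{"id": "wl-1", "gate": "vulnerabilities",
                   "trigger_id": "CVE-2021-12345+*"}],
    }],
    "policies": [{
        "id": "prod-rules",
        "rules": [{
            "id": "high-vulns", "gate": "vulnerabilities", "trigger": "package",
            "action": "STOP",
            "params": [{"name": "severity_comparison", "value": ">="},
                       {"name": "severity", "value": "high"}],
        }],
    }],
    "mappings": [{"policy_ids": ["prod-rules"], "whitelist_ids": ["prod-wl"]}],
}

# Constructed records in the shape of `anchore-cli --json image vuln <image> all`
VULNS = [
    {"vuln": "CVE-2021-12345", "severity": "Critical", "package_name": "curl",
     "package": "curl-7.64.0-4"},
    {"vuln": "CVE-9999-0001", "severity": "High", "package_name": "openssl",
     "package": "openssl-1.1.1k-1"},
    {"vuln": "CVE-9999-0002", "severity": "Low", "package_name": "zlib1g",
     "package": "zlib1g-1.2.11-1"},
]


def severity_matches(severity, comparison, threshold):
    """Compare two severity labels the way the severity_comparison param does."""
    a, b = SEVERITY_RANK[severity.lower()], SEVERITY_RANK[threshold.lower()]
    return {">=": a >= b, ">": a > b, "=": a == b, "<=": a <= b, "<": a < b}[comparison]


def rule_params(rule):
    return {p["name"]: p["value"] for p in rule["params"]}


def evaluate(bundle, vulns):
    """Return (final_action, findings); a finding is (trigger_id, action, whitelisted).
    Whitelisted findings are still reported but do not raise the final action."""
    mapping = bundle["mappings"][0]
    policies = [p for p in bundle["policies"] if p["id"] in mapping["policy_ids"]]
    patterns = [item["trigger_id"] for wl in bundle["whitelists"]
                if wl["id"] in mapping["whitelist_ids"] for item in wl["items"]]
    findings, final = [], "GO"
    for policy in policies:
        for rule in policy["rules"]:
            if (rule["gate"], rule["trigger"]) != ("vulnerabilities", "package"):
                continue  # only this gate/trigger pair is modelled here
            params = rule_params(rule)
            for v in vulns:
                if not severity_matches(v["severity"],
                                        params.get("severity_comparison", ">="),
                                        params["severity"]):
                    continue
                # Anchore's trigger id for this trigger is "<vuln id>+<package name>"
                trigger_id = f'{v["vuln"]}+{v["package_name"]}'
                suppressed = any(fnmatch.fnmatchcase(trigger_id, pat) for pat in patterns)
                findings.append((trigger_id, rule["action"], suppressed))
                if not suppressed and ACTION_RANK[rule["action"]] > ACTION_RANK[final]:
                    final = rule["action"]
    return final, findings


if __name__ == "__main__":
    action, rows = evaluate(BUNDLE, VULNS)
    for row in rows:
        print(row)
    print("final action:", action)
```

With the constructed input the Critical curl finding is matched but whitelisted, the High openssl finding is not, so the image still gets STOP; removing the openssl record leaves only the suppressed finding and the result drops to GO. A whitelist therefore never hides a finding from the report, it only stops it from affecting the verdict.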
Registry Integration
Add Registry
# Configure registry credentials (prefer a registry token over a user password where the registry supports one)
anchore-cli registry add docker.io username password
# List registered registries
anchore-cli registry list
# Add private registry; --skip-validate bypasses the connectivity check (e.g. registry not reachable from the CLI host)
anchore-cli registry add registry.example.com:5000 username password \
  --skip-validate
Scan Registry
# Watch a whole repository: every tag is added and analyzed as it appears
anchore-cli repo add docker.io/library/nginx
anchore-cli repo list
# Subscribe a tag so it is re-analyzed whenever the tag moves to a new digest
anchore-cli subscription activate tag_update docker.io/library/nginx:latest
# List subscriptions
anchore-cli subscription list
# Force re-analysis of an image that is already known to the engine
anchore-cli image add --force docker.io/library/nginx:latest
CI/CD Integration
GitHub Actions
name: Container Security Scan
on: [push]
jobs:
  anchore:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v2
      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .
      - name: Scan with Grype
        uses: anchore/scan-action@v3
        id: scan
        with:
          image: myapp:${{ github.sha }}
          fail-build: true
          severity-cutoff: high
      - name: Upload SARIF report
        uses: github/codeql-action/upload-sarif@v2
        if: always()   # keep the findings even when the scan step failed the build
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
GitLab CI
# ANCHORE_CLI_URL, ANCHORE_CLI_USER and ANCHORE_CLI_PASS are supplied as protected CI/CD variables
container-scan:
  stage: security
  image: anchore/anchore-engine:latest   # ships anchore-cli
  script:
    - anchore-cli image add $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - anchore-cli image wait $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA
    - anchore-cli --json image vuln $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA all > vulnerabilities.json
    - anchore-cli evaluate check $CI_REGISTRY_IMAGE:$CI_COMMIT_SHA --detail
  artifacts:
    when: always
    paths:
      - vulnerabilities.json
Jenkins
stage('Container Scan') {
    steps {
        script {
            // ANCHORE_CLI_URL/USER/PASS are expected in the job environment (e.g. via withCredentials)
            sh '''
                anchore-cli image add ${DOCKER_IMAGE}:${BUILD_NUMBER}
                anchore-cli image wait ${DOCKER_IMAGE}:${BUILD_NUMBER}
                anchore-cli evaluate check ${DOCKER_IMAGE}:${BUILD_NUMBER} \
                    --policy production-policy --detail
            '''
        }
    }
}
Advanced Scanning
Dockerfile Analysis
# Show the Dockerfile the engine recorded for the image (the metadata field is base64-encoded)
anchore-cli --json image metadata docker.io/library/nginx:latest dockerfile \
  | jq -r '.metadata | @base64d'
# Check for bad practices: list the RUN, ADD and EXPOSE instructions
anchore-cli --json image metadata docker.io/library/nginx:latest dockerfile \
  | jq -r '.metadata | @base64d' | grep -E '^(RUN|ADD|EXPOSE)'
# Grype does not detect secrets; use the secret_scans policy gate or a dedicated scanner (next section)
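The checks that the dockerfile gate is usually configured for (floating base tags, blocked ports, ADD from a URL, credential-looking ENV values, no USER) can be run over the recorded Dockerfile directly. The following is an added Python example, not Anchore code: the metadata record is constructed to mirror the `--json image metadata <image> dockerfile` shape with the Dockerfile base64-encoded in `metadata` (an assumption about that shape), and the Dockerfile text itself is a constructed bad example.

```python
"""Flag common Dockerfile bad practices in the Dockerfile recorded by Anchore.
Added example, not Anchore code. METADATA_RECORD is constructed to mirror
`anchore-cli --json image metadata <image> dockerfile` (base64 text in the
'metadata' field, an assumption); DOCKERFILE is a constructed bad example."""
import base64
import json
import re

DOCKERFILE = """\
FROM ubuntu:latest
ENV API_KEY=abcd1234
ADD https://example.invalid/app.tar.gz /opt/
RUN apt-get update && \\
    apt-get install -y curl
EXPOSE 22 8080
CMD ["/opt/app"]
"""
METADATA_RECORD = json.dumps({
    "imageDigest": "sha256:constructed",
    "metadata_type": "dockerfile",
    "metadata": base64.b64encode(DOCKERFILE.encode()).decode(),
})

SECRET_ENV = re.compile(r"(PASSWORD|SECRET|TOKEN|API[_-]?KEY)", re.I)


def parse_instructions(text):
    """Yield (DIRECTIVE, argument) pairs, joining backslash line continuations."""
    joined = re.sub(r"\\\n", " ", text)
    for line in joined.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directive, _, arg = line.partition(" ")
        yield directive.upper(), arg.strip()


def check_dockerfile(text, blocked_ports=("22",)):
    """Return a list of human-readable findings, in Dockerfile order."""
    findings = []
    saw_user = False
    for directive, arg in parse_instructions(text):
        if directive == "FROM":
            image = arg.split()[0]  # drop "AS <stage>"
            # digest-pinned references are fine; untagged or :latest ones are not
            if "@" not in image and (":" not in image.rsplit("/", 1)[-1]
                                     or image.endswith(":latest")):
                findings.append(f"FROM uses a floating tag: {image}")
        elif directive == "EXPOSE":
            for port in arg.split():
                if port.split("/")[0] in blocked_ports:
                    findings.append(f"EXPOSE opens blocked port {port}")
        elif directive == "ADD" and re.match(r"https?://", arg):
            findings.append("ADD fetches from a URL; use a verified download in RUN")
        elif directive == "ENV" and SECRET_ENV.search(arg):
            findings.append(f"ENV looks like a hardcoded credential: {arg.split('=')[0]}")
        elif directive == "USER":
            saw_user = True
    if not saw_user:
        findings.append("no USER instruction; container runs as root")
    return findings


def check_metadata_record(record_json):
    """Decode the engine's metadata record and run the checks on it."""
    record = json.loads(record_json)
    return check_dockerfile(base64.b64decode(record["metadata"]).decode())


if __name__ == "__main__":
    for finding in check_metadata_record(METADATA_RECORD):
        print(finding)
```

Pipe the real record in with `anchore-cli --json image metadata <image> dockerfile | python3 check_dockerfile.py` after replacing the constructed record with `sys.stdin.read()`; a clean file such as `FROM ubuntu:22.04` followed by `USER app` produces no findings.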
Secrets Detection
# Anchore's secret_scans gate (trigger content_regex_checks) flags files matching credential patterns during evaluation
anchore-cli evaluate check docker.io/library/nginx:latest --detail | grep -i secret_scans
# Scan the image layers for hardcoded secrets with trivy's secret rules
trivy image --scanners secret docker.io/library/nginx:latest
# List files whose names suggest credential material, from the engine's file inventory
anchore-cli image content docker.io/library/nginx:latest files \
  | grep -Ei '(\.pem|\.key|id_rsa|\.env|credentials)'
Base Image Tracking
# Base image: the FROM line of the recorded Dockerfile (metadata field is base64-encoded)
anchore-cli --json image metadata docker.io/library/nginx:latest dockerfile \
  | jq -r '.metadata | @base64d' | grep '^FROM'
# Audit tag moves and re-analyses: engine events (tag_update subscriptions generate them)
anchore-cli event list
# Alert on a base-image package: vulnerabilities in openssl
anchore-cli --json image vuln docker.io/library/nginx:latest all \
  | jq '.vulnerabilities[] | select(.package_name | contains("openssl"))'
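Auditing a base image update is easier on SBOMs than on vulnerability lists: diff the syft JSON from before and after the rebuild and you see exactly which packages were added, dropped or changed version. This added Python example (not syft or Anchore code) does that; the two documents are constructed and carry only the `artifacts` fields the comparison reads (name, version, type, purl), a subset of real syft-json output.

```python
"""Diff two syft JSON SBOMs to see what a base-image update changed.
Added example, not syft/Anchore code. OLD_SBOM and NEW_SBOM are constructed
and carry only the artifact fields read here (a subset of real syft-json)."""
import json

OLD_SBOM = json.dumps({"artifacts": [
    {"name": "openssl", "version": "1.1.1k-1", "type": "deb",
     "purl": "pkg:deb/debian/openssl@1.1.1k-1"},
    {"name": "curl", "version": "7.74.0-1", "type": "deb",
     "purl": "pkg:deb/debian/curl@7.74.0-1"},
    {"name": "zlib1g", "version": "1.2.11-1", "type": "deb",
     "purl": "pkg:deb/debian/zlib1g@1.2.11-1"},
]})
NEW_SBOM = json.dumps({"artifacts": [
    {"name": "openssl", "version": "1.1.1n-0", "type": "deb",
     "purl": "pkg:deb/debian/openssl@1.1.1n-0"},
    {"name": "zlib1g", "version": "1.2.11-1", "type": "deb",
     "purl": "pkg:deb/debian/zlib1g@1.2.11-1"},
    {"name": "lodash", "version": "4.17.21", "type": "npm",
     "purl": "pkg:npm/lodash@4.17.21"},
]})


def index_sbom(doc_json):
    """Map (type, name) -> set of versions. A real SBOM can list one package
    twice (different layers or paths), so versions are kept as a set."""
    index = {}
    for art in json.loads(doc_json)["artifacts"]:
        index.setdefault((art["type"], art["name"]), set()).add(art["version"])
    return index


def diff_sboms(old_json, new_json):
    """Return added and removed (type, name) keys plus version changes."""
    old, new = index_sbom(old_json), index_sbom(new_json)
    added = sorted(k for k in new if k not in old)
    removed = sorted(k for k in old if k not in new)
    changed = sorted((k, sorted(old[k]), sorted(new[k]))
                     for k in old.keys() & new.keys() if old[k] != new[k])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    result = diff_sboms(OLD_SBOM, NEW_SBOM)
    for key in ("added", "removed", "changed"):
        print(key)
        for entry in result[key]:
            print("  ", entry)
```

Feed it `syft <image> -o json` output from the two builds; a new ecosystem appearing in "added" (here an npm package in a deb-only image) is the kind of change worth a closer look, and a version change in a package such as openssl is the cue to re-run the vulnerability query above.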
Reporting & Compliance
Generate Reports
# Human-readable table (anchore-cli has no HTML renderer)
anchore-cli image vuln docker.io/library/nginx:latest all > report.txt
# JSON detailed report
anchore-cli --json image vuln docker.io/library/nginx:latest all \
  > vulnerability-report.json
# CSV for auditors, including whether a fixed version exists
anchore-cli --json image vuln docker.io/library/nginx:latest all \
  | jq -r '.vulnerabilities[] | [.vuln, .severity, .package, .package_type, .fix] | @csv' \
  > findings.csv
Compliance Checks
# Evaluate against a compliance-oriented bundle (assumes a bundle with id pci-dss was added)
anchore-cli --json evaluate check docker.io/library/nginx:latest \
  --policy pci-dss --detail
# Critical findings only
anchore-cli --json image vuln docker.io/library/nginx:latest all \
  | jq '.vulnerabilities[] | select(.severity == "Critical")'
# License inventory: licenses are reported per package in the content output
anchore-cli --json image content docker.io/library/nginx:latest os \
  | jq -r '.content[] | [.package, .version, .license] | @csv'
Best Practices
- Scan all base images before use
- Enforce policies: fail on critical/high CVEs
- Add secrets scanning to the pipeline
- Monitor and re-analyze images periodically (new advisories apply to images that have not changed)
- Track base image updates automatically
- Maintain approved base image list
- Review and suppress confirmed false positives
- Generate compliance reports monthly
- Integrate with image signing (Cosign) for provenance
- Use private registries for approved images