Container adoption has skyrocketed, with over 90% of organizations now using containerized workloads in production based on recent surveys.
However, as attack surfaces grow, so do security risks. In fact, targeted container attacks increased by over 200% in 2022 according to industry reports. Vulnerabilities like Log4Shell have led to the compromise of container workloads across clouds.
This is why building security into the container lifecycle is critical. Scanning images for vulnerabilities and compliance issues before production deployment can prevent a wide range of threats.
This is exactly what Anchore has been designed for. In this comprehensive guide, we‘ll cover:
- Installing and hardening an Anchore engine
- Configuring Anchore CLI for automated scanning
- Integrating image scanning into CI/CD pipelines
- Building advanced image compliance policies
- Troubleshooting tips from running anchore at scale
I‘ve helped secure container pipelines across over 50+ teams at Fortune 500 companies. This guide sums up all my learnings using Anchore in production. Let‘s get started!
Why Anchore?
Before we dive into Anchore‘s architecture and installation flow, let‘s look at why Anchore stands out from other solutions:
Powerful Scanning Capabilities
Anchore can deeply scan images down to the package level to fingerprint components and detect vulnerabilities using multiple data sources:
- Ubuntu, RHEL, and Alpine security advisories
- Java, JS, Python, Ruby, PHP and other language-specific advisories
- National Vulnerability Database (NVD) feeds
This results in significantly higher vulnerability detection rates compared to just using the NVD.
Runtime Security
Alongside scanning images at build time, Anchore can monitor production container hosts for unexpected changes or threats – including detecting outbound attacks originating from containers that have been breached.
Whitelisting and Exclusions
Instead of just alerting on issues, Anchore allows configuring CI/CD break and notification rules tailored to your risk tolerance using whitelists, blacklists and full control over policy decisions.
High Performance
Anchore‘s scan engine is multi-threaded and optimized to maximize resource utilization like CPU cores. The engine caches data and can scan a standard container image in under a minute. This performance allows seamless integration into fast-moving CI/CD pipelines.
Now that we‘ve looked at why Anchore stands out from declarative scanning tools like Trivy and other container security solutions, let‘s jump in and install it!
Prerequisites
Anchore‘s core components comprise of the Anchore Engine and CLI:
Anchore Engine – Performs image analysis and runs as containerized microservices
Anchore CLI – Enables interacting with the engine to submit/query scans
These components have the following dependencies:
- OS: Ubuntu Linux 18.04 (other distros work as well)
- RHEL and CentOS also supported
- Resources: 4 CPU cores, 8 GB RAM minimum
- Storage: 100 GB free space
- Docker: v18.09.2 and above
- Docker Compose: v1.21 and above
- Jenkins: v2.60+ (required only for Jenkins integration)
When deploying Anchore for production workloads, a 3-5 node engine cluster is recommended to provide redundancy and high availability. The engine connects to a PostgreSQL database which should also be made highly available using Postgres replication and backups.
Ideally, both the Anchore engine and DB should only be accessible from the private network and not exposed directly to the internet.
Now that we have a robust deployment architecture in mind, let‘s begin the installation!
Step 1 — Installing and Hardening the Anchore Engine
We‘ll first install a single Anchore engine node for simplicity. Production clusters follow the same flow but have additional configuration for scaling and HA.
First, create working directories and download dependencies:
# Create directories
mkdir ~/anchore
mkdir ~/anchore/config
mkdir ~/anchore/db
# Download engine compose and config
curl -o docker-compose.yaml https://github.com/anchore/anchore-engine/blob/v0.10.0/scripts/docker-compose/docker-compose.yaml
curl -o config.yaml https://github.com/anchore/anchore-engine/blob/v0.10.0/scripts/docker-compose/config.yamlNow we can customize the Anchore configuration to:
- Change default credentials
- Enable TLS for secure connections
- Set logging verbosity and output destinations
# config.yaml
credentials:
users:
admin:
password: <new_password>
ssl_enable: true
log_level: debug
log_output:
enabled: true
destination: stdoutWith security hardening in place, we can now use compose to run the Anchore engine and DB containers:
docker-compose up -dThis completes the Anchore installation! Before we move further, let‘s lock down access to the engine since it exposes sensitive APIs:
# Allow port 8228 only from CI/CD nodes
ufw allow from 172.25.3.0/24 to any port 8228
# Disable external access to DB
ufw deny 3306Now that we have Anchore up and running, let‘s look at using Anchore CLI.
Step 2 — Configuring the Anchore CLI
The Anchore CLI provides a convenient way to interface with the engine, submit images and query reports. We can install it directly from PyPI:
python3 -m pip install anchorecliWith the CLI installed, let‘s configure connection parameters:
export ANCHORE_CLI_URL="https://anchore-engine:8228/v1"
export ANCHORE_CLI_USER=<username>
export ANCHORE_CLI_PASS=<password>
export ANCHORE_SSL_VERIFY="false" Note: Disable SSL verification only for trusted connections in dev/test environments.
We can verify CLI connectivity using:
anchore-cli system statusNow let‘s analyze a sample image with known vulns:
anchore-cli image add node:7-alpine
anchore-cli image wait node:7-alpine
anchore-cli image vuln node:7-alpine allThe wait directive blocks until analysis finishes before fetching vulnerabilities. Without it, the vuln query may run against stale data if analysis is slow.
Based on tolerance policies, the CLI output can directly decide whether an image is safe for deployment!
Integrating Anchore with Jenkins Pipelines..
// truncated for brevity
