A service that analyzes docker images and applies user-defined acceptance policies to allow automated container image validation and certification
Clone or download
nurmi update pyyaml dependency version
Signed-off-by: Daniel Nurmi <nurmi@anchore.com>
Latest commit 50eb3ae Jan 15, 2019
Permalink
Type Name Latest commit message Commit time
Failed to load latest commit information.
.circleci use spaces instead of tabs in .circleci/config.yaml Nov 14, 2018
.github Adds github issue and PR templates to help improve communication and … Mar 27, 2018
anchore_engine Improve feed sync error handlinig. Fixes #125 Jan 15, 2019
anchore_manager version bump to 0.3.3-dev Jan 14, 2019
conf Make the port for services configurable in env var for the default bu… Nov 2, 2018
legacy_test Fix errors in mixed case username/accountnames by adding full case se… Jan 7, 2019
scripts Changes the db upgrade from 0.0.7 -> 0.0.8 to properly paginate npm a… Jan 5, 2019
test update example functional tests to support 0.2.X and 0.3.X Jan 10, 2019
twisted/plugins Initial python3 port Aug 3, 2018
.dockerignore Update to Dockerfile and new docker-compose.yaml to facilitate an eas… Oct 30, 2018
.gitignore events api and feed sync event examples May 31, 2018
CHANGELOG.md version bump to 0.3.2 Jan 11, 2019
CONTRIBUTING.rst initial code commit Sep 6, 2017
Dockerfile new skopeo build directives Nov 28, 2018
LICENSE script cleanup and version lock python dependencies Oct 22, 2018
MANIFEST.in initial code commit Sep 6, 2017
README.md Update README.md Jul 26, 2018
docker-compose-dev.yaml Update to Dockerfile and new docker-compose.yaml to facilitate an eas… Oct 30, 2018
docker-compose.yaml version bump to 0.3.0 Nov 13, 2018
docker-entrypoint.sh Fix name in docker-entrypoint.sh for setting host_id to hostname Oct 31, 2018
requirements-test.txt Fix typos in authz plugin swagger and adds aws ecr parse test into ne… Oct 29, 2018
requirements.txt update pyyaml dependency version Jan 15, 2019
setup.py script cleanup and version lock python dependencies Oct 22, 2018
tox.ini Adds tox for running local tests Oct 29, 2018

README.md

Anchore Engine

For the most up-to-date information on Anchore Engine, Anchore CLI, and other Anchore software, please refer to the Anchore Documentation

The Anchore Engine is an open source project that provides a centralized service for inspection, analysis and certification of container images. The Anchore engine is provided as a Docker container image that can be run standalone (a docker-compose file is provided), or on an orchestration platform such as Kubernetes, Docker Swarm, Rancher or Amazon ECS.

The Anchore engine can be accessed directly through a RESTful API or via the Anchore CLI.

Using the Anchore Engine, container images can be downloaded from Docker V2 compatible container registries, and then evaluated against user defined policies. The Anchore Engine can integrate with Anchore's Navigator service, allowing you to define policies and whitelists using a graphical editor that are automatically synchronized to the Anchore Engine.

Installation

The Anchore Engine is distributed as a Docker Image available from DockerHub.

A PostgreSQL database is required to provide persistent storage for the Anchore Engine.

The Anchore Engine requires a single volume used to store configuration information and optionally certificates for TLS.

Configuration

  1. Create a directory to expose as a volume containing Anchore Engine configuration files (we use /root/aevolume here but you can use non-root paths and adjust the samepl config/docker-compose configuration files accordingly)

mkdir -p ~/aevolume/config

  1. Download the sample configuration file config.yaml from the scripts/docker-compose directory of the github project and save into the directory created in step #1

cd ~/aevolume/config && curl -O https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/config.yaml && cd -

  1. Edit the config.yaml file to specify your email and password for the admin user.
    credentials:
      default_user: 'admin'
      users:
         admin:
           password: 'foobar'
           email: 'admin@myemail.com'
           external_service_auths:
           #  anchoreio:
           #    anchorecli:
           #      auth: 'myanchoreiouser:myanchoreiopass'
           #auto_policy_sync: True
  1. Make other changes to config.yaml to enable additional features or tune to your environment (not required for basic usage)

  2. Create a directory to expose as a volume for PostgreSQL data

mkdir -p ~/aevolume/db/

Running Anchore Engine using Docker Compose

To run Anchore Engine using Docker Compose the following additional steps must be performed:

  1. Change to the directory in which you have created the config and db subdirectories.

cd ~/aevolume

  1. Download the docker-compose.yaml file from the scripts/docker-compose directory of the github project.

curl -O https://raw.githubusercontent.com/anchore/anchore-engine/master/scripts/docker-compose/docker-compose.yaml

  1. Run docker-compose pull to instruct Docker to download the required container images from DockerHub.

  2. To start Anchore Engine run docker-compose up -d

  3. To stop the Anchore Engine run docker-compose down

Getting Started using the CLI

The Anchore CLI is an easy way to control the Anchore Engine.

The Anchore CLI can be installed using the Python pip command. See Anchore CLI for instructions.

By default the Anchore CLI will try to connect to the Anchore Engine at http://localhost/v1 with no authentication. The username, password and URL for the server can be passed to the Anchore CLI as command line arguments. These values are the ones defined in your ~/aevolume/config/config.yaml.

--u   TEXT   Username     eg. admin
--p   TEXT   Password     eg. foobar
--url TEXT   Service URL  eg. http://localhost:8228/v1

Rather than passing these parameters for every call to the cli they can be set as environment variables.

ANCHORE_CLI_URL=http://myserver.example.com:8228/v1
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=foobar

Add an image to the Anchore Engine:

anchore-cli image add docker.io/library/debian:latest

List images analyzed by the Anchore Engine:

anchore-cli image list

Get a specific image and see when its status goes to analyzed:

anchore-cli image get docker.io/library/debian:latest

Obtain the results of the vulnerability scan on an image:

anchore-cli image vuln docker.io/library/debian:latest os

List operating system packages present in an image:

anchore-cli image content docker.io/library/debian:latest os

Subscribe to receive webhook notifications when new CVEs are added to an update:

anchore-cli subscription activate vuln_update docker.io/library/debian:latest

API

Each service implements its own API, and all APIs are defined in Swagger/OpenAPI spec. You can find each in the anchore_engine/services/<servicename>/api/swagger directory.

For the external API definition (the user-facing service), see External API Spec.

More Information

For further details on use of the Anchore CLI with the Anchore Engine please refer to the Anchore Engine Documentation