Azure DevOps Anchore Task Extension
The Anchor task is created by me (Jason Farrell) with permission from Anchore (https://anchore.com/) as an open source extension to enable integration of Anchore Engine Image Scanner into Azure DevOps pipelines in both Build and Release modes.
This guide assumes you have an Anchore Engine running somewhere that is accessible to Azure DevOps. An explanation of how to setup and configure the Engine server can be found here (https://docs.anchore.com/current/docs/engine/engine_installation/).
Anchore Engine Url (Required)
This is the Url to your Anchore Engine API (ex. https://my.anchore.engine/v1) this is what the task will call out to and leverage when adding and analyzing images.
Anchore Engine Username (Required)
This is the Username used to authenticate to the Anchore Engine API. When using this task the user should be setup ahead of time. More information (https://docs.anchore.com/current/docs/engine/usage/cli_usage/accounts/)
Anchore Engine Password (Required)
This is the password used to authenticate to the Anchore Engine API. As with the username, it should be setup ahead of time. Refer to link above
Analyze Image (Required)
This is the image that will be targeted for analysis during execution. You will want to use build variables to ensure the correct image can be targeted. Note that for Anchore Engine to analyze the image it must FIRST be pushed to an accessible registry. For private registries, the registry will need to be registered with Anchore to permit access. More Information (https://docs.anchore.com/current/docs/engine/usage/cli_usage/registries/)
Perform a vulernability scan for the image
Indicates whether the task should perform a Vulnerability Check following the analysis step.
Min High Allowed (Available if Vuln scan performed)
The minimum number of High Vulnerabilities to allow before the Task fails. If left empty, no limit is enforced
Min Medium Allowed (Available if Vuln scan performed)
The minimum number of Medium Vulnerabilities to allow before the Task fails. If left empty, no limit is enforced
Min Low Allowed (Available if Vuln scan performed)
The minimum number of Low Vulnerabilities to allow before the Task fails. If left empty, no limit is enforced
Min Negligibile Allowed (Available if Vuln scan performed)
The minimum number of Negligible Vulnerabilities to allow before the Task fails. If left empty, no limit is enforced
Vuln Report Export Path
Indicates where the task should output the results of the Vulnerability Scan - HTML report
How the Task Works
anchore-cliis installed via Python
- Target image is pushed to a public or repository registered with Anchore Engine (see Task Properties)
- Task will add the image to Anchore Engine via the
- Following the add Task will poll Anchore Engine for the specific image until status of
- Max tries is 100 attempts to prevent endless looping in the event of error within Anchor Engine
- If selected task will execute a
vuln allcommand against the image in question
- If limits are in place, the actual totals will be counted and compared against these specified limits
More to come as additional features are added
Anchore Engine provides many features to aid in deeper scanning of images that are not yet supported. I am activity seeking people to get involved and assist. Full details are available under the Product tab on the GitHub page
I am not an employee of Anchore nor am I affiliated with their organization. Nor is my current employer in any way responsible for this extension. This is purely a side project that I maintain in my free time.