Introduction to Anchore Security Scanning
Anchore is a powerful open-source container security platform that allows developers and security teams to analyze, inspect, and validate container images. It performs deep inspection of container images, evaluating them against user-defined policies to provide governance and compliance with security standards. Anchore is particularly valuable in DevSecOps pipelines, helping organizations detect vulnerabilities, malware, and policy violations before containers reach production environments.
Core Concepts and Components
Key Anchore Components
Component | Description |
---|---|
Anchore Engine | The core open-source service that provides container image analysis and policy evaluation |
Anchore Enterprise | Commercial offering with enhanced features, UI dashboard, and enterprise support |
Anchore CLI | Command-line interface for interacting with Anchore Engine |
Syft | Anchore’s open-source tool for generating Software Bill of Materials (SBOM) |
Grype | Anchore’s open-source vulnerability scanner for container images and filesystems |
Anchore Workflow
- Image Analysis – Container images are submitted for deep inspection
- Policy Evaluation – Images are checked against defined security policies
- Vulnerability Scanning – CVE detection across OS packages and application dependencies
- SBOM Generation – Creation of detailed Software Bill of Materials
- Results & Reports – Actionable security findings are presented
Installation and Setup
Installing Anchore Engine
```shell
# Using Docker Compose (recommended for quick setup)
curl -O https://engine.anchore.io/docs/quickstart/docker-compose.yaml
docker-compose up -d
# Verify installation
docker-compose ps
```
Installing Anchore CLI
```shell
# Install via pip
pip install anchorecli
# Verify installation
anchore-cli --version
# Configure CLI (admin/foobar are the quickstart docker-compose defaults;
# change them for anything other than a throwaway local setup)
export ANCHORE_CLI_URL=http://localhost:8228/v1
export ANCHORE_CLI_USER=admin
export ANCHORE_CLI_PASS=foobar
```
Installing Standalone Tools
```shell
# Install Syft (SBOM generator)
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
# Install Grype (vulnerability scanner)
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
```
Key Commands and Operations
Anchore CLI Commands
Operation | Command | Description |
---|---|---|
Add image | anchore-cli image add IMAGE_NAME | Submit an image for analysis |
Check status | anchore-cli image get IMAGE_NAME | Check analysis status |
List images | anchore-cli image list | List all analyzed images |
View vulnerabilities | anchore-cli image vuln IMAGE_NAME [os|non-os|all] | Show vulnerabilities in image |
Policy evaluation | anchore-cli evaluate check IMAGE_NAME | Evaluate image against policies |
View policy rules | anchore-cli policy get | Show default policy details |
Subscription status | anchore-cli subscription list | List active subscriptions |
Syft Commands (SBOM)
```shell
# Generate SBOM for container image
syft alpine:latest
# Output in different formats (JSON, SPDX, CycloneDX)
syft alpine:latest -o json > alpine-sbom.json
syft alpine:latest -o spdx-json > alpine-spdx.json
syft alpine:latest -o cyclonedx-json > alpine-cyclonedx.json
# Include packages from every layer, not only the final squashed filesystem
syft alpine:latest --scope all-layers
```
Grype Commands (Vulnerability Scanning)
```shell
# Basic vulnerability scan
grype alpine:latest
# Load a vulnerability database from a local archive (offline or air-gapped runners)
grype db import ./path/to/db.tar.gz
# Output in different formats
grype alpine:latest --output json > results.json
# Exit non-zero when any vulnerability at or above the given severity is found
# (all findings are still listed; this sets the exit code, it does not filter output)
grype alpine:latest --fail-on medium
```
Policy Management
Policy Structure
Anchore policies consist of:
- Gates: High-level security categories (e.g., vulnerabilities, secrets)
- Triggers: Specific conditions to check within each gate
- Actions: What to do when trigger conditions are met (stop, warn, go)
Sample Policy File
```json
{
  "id": "sample_policy",
  "version": "1_0",
  "name": "Sample Policy",
  "rules": [
    {
      "action": "STOP",
      "gate": "vulnerabilities",
      "trigger": "package",
      "params": [
        { "name": "package_type", "value": "all" },
        { "name": "severity_comparison", "value": ">=" },
        { "name": "severity", "value": "high" }
      ]
    }
  ]
}
```
This rule stops the evaluation for any package with a vulnerability of severity high or above. Note that this is a single policy; `anchore-cli policy add` expects a policy bundle that wraps one or more such policies together with its whitelists and mappings.
Managing Policies
```shell
# List policies
anchore-cli policy list
# Get current policy
anchore-cli policy get
# Add new policy
anchore-cli policy add policy-file.json
# Activate policy
anchore-cli policy activate POLICY_ID
```
Integration with CI/CD Pipelines
Jenkins Pipeline Example
```groovy
pipeline {
    agent any
    // ANCHORE_CLI_URL / ANCHORE_CLI_USER / ANCHORE_CLI_PASS are expected in the
    // agent environment (see "Configure CLI" above). Anchore Engine pulls the
    // image from a registry, so a locally built image must be pushed first;
    // REGISTRY_PLACEHOLDER stands for your registry host.
    environment {
        IMAGE = 'REGISTRY_PLACEHOLDER/myapp:latest'
    }
    stages {
        stage('Build') {
            steps {
                sh 'docker build -t $IMAGE .'
                sh 'docker push $IMAGE'
            }
        }
        stage('Scan') {
            steps {
                sh 'anchore-cli image add $IMAGE'
                // Block until analysis finishes, then evaluate the active policy;
                // a STOP result returns non-zero and fails the build
                sh 'anchore-cli image wait $IMAGE'
                sh 'anchore-cli evaluate check $IMAGE'
            }
        }
    }
}
```
GitHub Actions Example
```yaml
name: Anchore Container Scan
on: push
jobs:
  anchore-scan:
    runs-on: ubuntu-latest
    steps:
      - name: Checkout code
        uses: actions/checkout@v2
      - name: Build image
        run: docker build -t myapp:latest .
      - name: Anchore scan
        uses: anchore/scan-action@v3
        with:
          image: "myapp:latest"
          fail-build: true
          severity-cutoff: high
```
Common Challenges and Solutions
Challenge | Solution |
---|---|
Slow initial scanning | Pre-cache common base images and use image caching |
False positives | Use policy whitelists for known acceptable issues |
CI/CD integration timeouts | Use asynchronous scanning workflows with callbacks |
Database updates | Implement automated vulnerability DB update schedule |
Large image analysis | Optimize images for smaller size before scanning |
Custom application scanning | Configure language-specific analyzers for your tech stack |
Best Practices
Scanning Efficiency
- Scan early in the development process
- Cache analysis results for base images
- Use distroless or minimal base images when possible
- Implement policy-as-code for consistent enforcement
Security Posture
- Define graduated severity thresholds based on environment (dev vs. prod)
- Integrate with vulnerability management systems
- Implement “break the build” for critical findings
- Use image signing and attestation after successful scans
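A CI gate that applies the graduated, per-environment thresholds listed above and the documented allowlist suggested under "False positives" to a `grype --output json` report. This is an added example, not code from the page or from the Anchore project; the threshold map, the allowlist entry, the CVE ids and the trimmed report shape are constructed for illustration.

```python
import json
import sys

# Grype severity ladder, lowest to highest (the same ordering --fail-on uses).
SEVERITIES = ["negligible", "low", "medium", "high", "critical"]
# Graduated thresholds per environment (assumed values: tighten toward prod).
THRESHOLDS = {"dev": "critical", "staging": "high", "prod": "medium"}

# Constructed sample in the shape of `grype IMAGE --output json`, trimmed to
# the fields read below; the CVE ids and packages are made up.
SAMPLE_GRYPE_JSON = """{"matches": [
 {"vulnerability": {"id": "CVE-0000-0001", "severity": "High",
                    "fix": {"state": "fixed", "versions": ["1.2.3"]}},
  "artifact": {"name": "libfoo", "version": "1.2.2", "type": "apk"}},
 {"vulnerability": {"id": "CVE-0000-0002", "severity": "High",
                    "fix": {"state": "not-fixed", "versions": []}},
  "artifact": {"name": "libbar", "version": "0.9", "type": "apk"}},
 {"vulnerability": {"id": "CVE-0000-0003", "severity": "Medium",
                    "fix": {"state": "fixed", "versions": ["2.0"]}},
  "artifact": {"name": "requests", "version": "1.0", "type": "python"}}
]}"""

# Accepted findings keyed by (CVE, package), each with a written justification.
ALLOWLIST = {
    ("CVE-0000-0002", "libbar"): "no vendor fix; mitigated by egress policy (TICKET-PLACEHOLDER)",
}

def evaluate(report_json, env, allowlist=ALLOWLIST, only_fixed=False):
    """Return (failing, accepted): findings at or above the env threshold that
    are not allowlisted, and those that were allowlisted with their reason."""
    threshold = SEVERITIES.index(THRESHOLDS[env])
    failing, accepted = [], []
    for match in json.loads(report_json)["matches"]:
        vuln, pkg = match["vulnerability"], match["artifact"]
        sev = vuln["severity"].lower()
        # "Unknown" severity never gates; grype reports it when no score exists.
        if sev not in SEVERITIES or SEVERITIES.index(sev) < threshold:
            continue
        if only_fixed and vuln["fix"]["state"] != "fixed":
            continue  # like grype --only-fixed: ignore findings with no fix yet
        key = (vuln["id"], pkg["name"])
        if key in allowlist:
            accepted.append((key, allowlist[key]))
        else:
            failing.append((vuln["id"], sev, pkg["name"], pkg["version"]))
    return failing, accepted

if __name__ == "__main__":  # usage: python gate.py results.json prod
    failing, _ = evaluate(open(sys.argv[1]).read(), sys.argv[2])
    for cve, sev, name, ver in failing:
        print(f"FAIL {cve} {sev} {name}@{ver}")
    sys.exit(1 if failing else 0)
```

Run it on the `results.json` produced in the Grype section; a non-zero exit implements "break the build" while accepted exceptions stay visible in the output of `evaluate`.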
Compliance and Governance
- Map policies to compliance frameworks (NIST, CIS, etc.)
- Document policy exceptions with justification
- Generate compliance reports for audits
- Track vulnerability remediation metrics
Anchore vs. Other Container Scanning Tools
Feature | Anchore | Trivy | Clair | Docker Scan |
---|---|---|---|---|
Open Source | Yes | Yes | Yes | No (Limited) |
Enterprise Version | Yes | Yes | No | Yes |
OS Package Scanning | Excellent | Excellent | Good | Good |
App Dependencies | Excellent | Excellent | Limited | Good |
Policy Management | Advanced | Basic | Limited | Basic |
SBOM Generation | Yes | Yes | No | No |
Integration Options | Extensive | Good | Moderate | Docker-focused |
Performance | Moderate | Fast | Fast | Fast |
UI Dashboard | Enterprise only | No | No | Yes (Docker Hub) |
Resources for Further Learning
Official Documentation
- Anchore Engine Documentation
- Anchore Enterprise Documentation
- Syft GitHub Repository
- Grype GitHub Repository
Related Tools
- Kubernetes admission controllers for Anchore integration
- CI/CD pipeline plugins for various platforms
- Container registry integrations
This cheatsheet provides a comprehensive overview of Anchore container security scanning, covering everything from basic concepts to advanced techniques. Whether you’re just getting started with container security or looking to optimize your existing implementation, these tools and practices will help you build a robust security posture for your containerized applications.