The Anchore Plugin offers several operations to enhance container scanning in your DevOps pipeline. Anchore is specifically targeted at image scanning, unlike some other tools such as Docker Bench Security, which makes it a perfect match for your image-building CI process.

For those inexperienced with Anchore, the scanLocalImage operation is a good place to start. The scanImage operation is the recommended operation for scanning. It uses Grype for vulnerability scanning. The scanImage operation works with both local and remote images. The desired Grype version can be specified, or the latest can be installed.

Legacy Operations

The 3 legacy operations, analyzeImage, analyzeLocalImage, and scanLocalImage, utilize the Anchore CI Tools Anchore Inline Scan script, which is deprecated and reached EOL on Jan 10, 2022. These operations don't require any prerequisites other than having Docker installed. For those looking to scan and publish results to an existing Anchore Engine installation, analyzeLocalImage and analyzeImage are what you are looking for.

Anchore requires images to be pushed to a registry prior to analyzing. The Anchore CI Tools get around this by starting a temporary local Anchore container with a 'localbuild' registry. This allows you to scan and analyze images directly after building on your local Docker engine.

Supported Versions

Windows is NOT supported for these 3 operations. These operations require Docker version 18.06+ to be installed.

Key Features

  • Supports both inline scanning (scanLocalImage) and publishing results to an existing installation (analyzeImage and analyzeLocalImage).

  • Ability to use predefined or custom policy bundles to define what should be scanned or analyzed.

  • Optional Groovy script validation with variable support for the scan results as well as FlexDeploy environment variables.

Outputs and Groovy Condition

Each operation in this plugin supplies the option to configure a Groovy script to determine whether the scan results are unacceptable and should fail the operation. Below is a list of variables available to the Groovy script.

Info

Each of these variables is also available as a plugin output.

| Groovy Variable | Plugin Output             | Description                                                                                                                          | Example                  |
|-----------------|---------------------------|--------------------------------------------------------------------------------------------------------------------------------------|--------------------------|
| STATUS          | FDANCR_OUT_STATUS         | Overall status of the scan/analysis. This is ultimately determined by the policy bundle that is used. Possible values are pass or fail. | fail                     |
| FINAL_ACTION    | FDANCR_OUT_FINAL_ACTION   | Similar to the status, this provides the recommended action for the image.                                                           | stop                     |
| STOP_COUNT      | FDANCR_OUT_STOP_COUNT     | An integer count of the number of STOP rules detected for the image.                                                                 | 2                        |
| WARN_COUNT      | FDANCR_OUT_WARN_COUNT     | An integer count of the number of WARN rules detected for the image.                                                                 | 10                       |
| ALL_COUNTS      | FDANCR_OUT_ALL_COUNT_LIST | A full list of all counts returned.                                                                                                  | [STOP:2, WARN:10, GO:37] |

All other FlexDeploy variables are also available in the Groovy script condition.

Example Groovy Script Conditions

The most common use case lets the policy bundle unequivocally determine failure.

```groovy
STATUS == "fail"
```

Fail unless no WARN or STOP checks were found:

```groovy
(STOP_COUNT + WARN_COUNT) != 0
```

A script that is more lenient on non-master stream builds (could be only master stream is pushed to the registry and other streams are for local testing).

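As an added example (not code from the plugin documentation), the following condition shows one way to write the stream-aware gate described above using the variables from the table. It assumes FD_STREAM_NAME is the FlexDeploy variable holding the stream name and that a true result fails the operation; the non-master WARN threshold of 5 is a constructed value.

```groovy
// Added example, not from the plugin docs. Any STOP finding fails the
// operation on every stream; WARN findings fail only the master stream,
// while other streams tolerate a small number of them.
// FD_STREAM_NAME is assumed to be the FlexDeploy variable holding the
// stream name; the non-master limit of 5 is a constructed threshold.
def isMaster = (FD_STREAM_NAME == "master")
def warnLimit = isMaster ? 0 : 5

// Never ignore a STOP: the policy bundle has flagged something blocking.
if (STOP_COUNT > 0) {
    return true
}

// On master, any WARN is unacceptable; elsewhere tolerate up to warnLimit.
return WARN_COUNT > warnLimit
```

Because STATUS and FINAL_ACTION come from the policy bundle, a condition like this only adds stricter, stream-specific gating on top of the bundle's own verdict; it cannot make a bundle-level fail pass.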

Key Features

  • Can be used without an Anchore installation or knowledge.

Workflow Configuration

Anchore is FlexDeploy's preferred choice when it comes to container scanning. As such, you can configure your project to scan the specified image without any configuration other than setting the below properties:
