scanLocalImage (Anchore)

This operation will scan a locally built docker image and return the scan results as plugin outputs. The scan report will also be saved in the reports directory as ScanResults.json so it can be viewed later on.

Inputs

Input NameInput CodeRequiredDescription
Image NameFDANCR_INP_IMAGE_NAMEYesThe full image tag of the locally built image you want to scan. For example ubuntu:16.06 or myuser/myimage:latest
Groovy Fail ConditionFDANCR_INP_SCAN_FAIL_CONDITIONNo

Optional groovy script to determine if the scan should fail the workflow. Available variables include all FlexDeploy environment variables and the following scan result variables:

  • STATUS
  • FINAL_ACTION
  • STOP_COUNT
  • WARN_COUNT
  • ALL_COUNTS

See more information here for configuring the Groovy Fail Condition.

Policy FileFDANCR_INP_POLICY_FILENoA custom Anchore Policy Bundle to set your own scan/analysis metrics. See Defining Custom Policy Bundles below.
Scan TimeoutFDANCR_INP_TIMEOUTNoBy default the scan will timeout if it exceeds 900 seconds (15min). This is likely more than enough time but the timeout can be increased here if needed.

Outputs

See the main plugin page for outputs and groovy script validation.

Artifacts

This operation delegates the consume/produce artifacts decision to the workflow developer.

Endpoint Selection

This operation delegates the selection to the workflow developer to determine.

Endpoint Execution

This operations delegates the execution to the workflow developer to decide.

Special Considerations

Defining Custom Policy Bundles

You can define your own scanning criteria by creating a json file following these specifications. After creating the custom policy you have two main options:

  1. Store the policy json in source control next to your Dockerfile
    • In this case your Policy File input will look like the following:
  2. Store the policy json in an absolute location on your docker build server. This can be useful if you want all of your images to use the same policy bundle.