FlexDeploy - Anchore Plugin Guide

The Anchore Plugin offers several operations to enhance container scanning in your devops pipeline. Anchore is specifically targeted at image scanning, unlike some of the other tools such as Docker Bench Security, which make it a perfect match to your image building CI process.

For those inexperienced with Anchore, the scanLocalImage operation is just where to start. This operation doesn't require any prerequisites other than having docker installed. For those looking scan and publish results to an existing Anchore Engine installation, analyzeLocalImage and analyzeImage are what you are looking for.

This plugin uses Anchore CI Tools to perform local scanning. Anchore requires images to be pushed to a registry prior to analyzing. The Anchore CI Tools get around this by starting a temporary local Anchore container with a 'localbuild' registry. This allows you to scan and analyze images directly after building on your local docker engine.

Supported Versions

  • Docker version 18.06+ (Older versions of Docker may work but have not been tested)

  • Windows is NOT supported

Key Features

  • Can be used without any previous Anchore installation or knowledge.

  • Supports both inline scanning (scanLocalImage) and publishing results to an existing installation (analyzeImage and analyzeLocalImage).

  • Ability to use predefined or custom policy bundles to define what should be scanned or analyzed.

  • Optional groovy script validation with variable support for the scan results as well as FlexDeploy environment variables.

Outputs and Groovy Condition

Each operation in this plugin supplies the option to configure a Groovy script to determine if the scan results are inacceptable and should fail the operation. Below is a list of variables available to the Groovy script.

Each of these variables is also available as a plugin output

Groovy Variable

Plugin Output

Description

Example

Groovy Variable

Plugin Output

Description

Example

STATUS

FDANCR_OUT_STATUS

Overall status of the scan/analysis. This is ultimately determined by the policy bundle that is used. Possible values are pass or fail.

fail

FINAL_ACTION