FlexDeploy - Anchore Plugin Guide
The Anchore Plugin offers several operations to enhance container scanning in your DevOps pipeline. Anchore is specifically targeted at image scanning, unlike some of the other tools such as Docker Bench Security, which make it a perfect match to your image building CI process.
scanImageÂ
The scanImage operation is the recommended operation for scanning. It uses Grype for vulnerability scanning. The ScanImage operation works with local and remote images. The desired Grype version can be specified, or the latest can be installed.
Legacy Operations
The 3 legacy operations, analyzeImage, analyzeLocalImage, and scanLocalImage, utlize the Anchore CI Tools Anchore Inline Scan script, which is deprecated and reached EOL on Jan 10, 2022. These operations don't require any prerequisites other than having docker installed. For those looking scan and publish results to an existing Anchore Engine installation, analyzeLocalImage and analyzeImage are what you are looking for. Anchore requires images to be pushed to a registry prior to analyzing. The Anchore CI Tools get around this by starting a temporary local Anchore container with a 'localbuild' registry. This allows you to scan and analyze images directly after building on your local docker engine. Windows is NOT supported for these 3 operations. These operations require Docker version 18.06+ to be installed.
Supports both inline scanning (scanLocalImage) and publishing results to an existing installation (analyzeImage and analyzeLocalImage).
Ability to use predefined or custom policy bundles to define what should be scanned or analyzed.
Optional groovy script validation with variable support for the scan results as well as FlexDeploy environment variables.
Key Features
Can be used without an Anchore installation or knowledge.
For more information on the properties outlined above and all of the Project Container Configuration see here.
Plugin Operations
- style