
Analyzes a published Docker image and stores the results in Anchore Engine. If you are looking to scan or analyze a local build of an image, see scanLocalImage and analyzeLocalImage respectively.

Inputs

| Input Name | Input Code | Required | Description |
| --- | --- | --- | --- |
| Anchore User | FDANCR_INP_USER | Yes | The Anchore User used when uploading the results. |
| Anchore Password | FDANCR_INP_PASSWORD | Yes | The Anchore Password used when uploading the results. |
| Anchore Url | FDANCR_INP_URL | Yes | The API URL for the Anchore Engine install. Typically http://yourhost:8228/v1 |
| Image Name | FDANCR_INP_IMAGE_NAME | Yes | The full image tag including the registry to analyze. For example: docker.io/ubuntu:16.06 or compregistry.azurecr.io/myuser/myimage:latest |
| Wait For Results | FDANCR_INP_WAIT_FOR_RESULTS | Yes | Should the plugin wait for the results or simply start the upload and complete? If you want to use the Groovy Fail Condition or Plugin Outputs, this needs to be true. |
| Groovy Fail Condition | FDANCR_INP_SCAN_FAIL_CONDITION | No | Optional Groovy script to determine if the scan should fail the workflow. Available variables include all FlexDeploy environment variables and the following scan result variables: STATUS, FINAL_ACTION, STOP_COUNT, WARN_COUNT, ALL_COUNTS. See more information here for configuring the Groovy Fail Condition. |
| Force Analyze | FDANCR_INP_FORCE_ANALYZE | No | Should the analysis be run if this image tag has already been analyzed and stored in Anchore Engine? If this is false, the existing analysis will just be returned. |

Outputs

Each operation in this plugin supplies the option to configure a Groovy script to determine if the scan results are unacceptable and should fail the operation. Below is a list of variables available to the Groovy script.

Each of these variables is also available as a plugin output.

| Groovy Variable | Plugin Output | Description | Example |
| --- | --- | --- | --- |
| STATUS | FDANCR_OUT_STATUS | Overall status of the scan/analysis. This is ultimately determined by the policy bundle that is used. Possible values are pass or fail. | fail |
| FINAL_ACTION | FDANCR_OUT_FINAL_ACTION | Similar to the status, this provides the recommended action for the image. | stop |
| STOP_COUNT | FDANCR_OUT_STOP_COUNT | An integer count of the number of STOP rules detected for the image. | 2 |
| WARN_COUNT | FDANCR_OUT_WARN_COUNT | An integer count of the number of WARN rules detected for the image. | 10 |
| ALL_COUNTS | FDANCR_OUT_ALL_COUNT_LIST | A full list of all counts returned. | [STOP:2, WARN:10, GO:37] |

All other FlexDeploy variables are also available in the Groovy Script Condition.

Example Groovy Script Conditions

  • The most common use case lets the policy bundle unequivocally determine failure.

    STATUS == "fail"
  • Require that no warn or stop checks are found (the scan fails if any are present).

    (STOP_COUNT + WARN_COUNT) != 0
  • A script that is more lenient on non-master stream builds (could be only master stream is pushed to the registry and other streams are for local testing).

    // master is not allowed any stop checks, whereas every other stream can have 5 or fewer
    FDBLD_STREAM_NAME == "master" ? STOP_COUNT > 0 : STOP_COUNT > 5
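
The three conditions above can be dry-run before they go into a workflow. The following is an added example, not part of the plugin or the original page: it evaluates each condition with a plain GroovyShell against constructed scan results. It assumes the plugin binds STATUS as a String and the counts as integers, and that a condition returning true fails the operation; the stream name `feature` and all sample values are constructed.

```groovy
// Added example: dry-run fail conditions against constructed scan results.
// Assumptions: STATUS is bound as a String, the counts as integers, and a
// condition that evaluates to true fails the operation.

// The three conditions from this page, keyed by a short label.
def conditions = [
    'policy decides' : 'STATUS == "fail"',
    'no stop or warn': '(STOP_COUNT + WARN_COUNT) != 0',
    'lenient streams': 'FDBLD_STREAM_NAME == "master" ? STOP_COUNT > 0 : STOP_COUNT > 5'
]

// Constructed sample results (not real scan output).
def samples = [
    [FDBLD_STREAM_NAME: 'master',  STATUS: 'fail', STOP_COUNT: 2, WARN_COUNT: 10],
    [FDBLD_STREAM_NAME: 'feature', STATUS: 'fail', STOP_COUNT: 2, WARN_COUNT: 10],
    [FDBLD_STREAM_NAME: 'master',  STATUS: 'pass', STOP_COUNT: 0, WARN_COUNT: 3],
    [FDBLD_STREAM_NAME: 'feature', STATUS: 'pass', STOP_COUNT: 0, WARN_COUNT: 0]
]

// Evaluate one condition with the sample bound as script variables.
// A condition that does not return a boolean is rejected rather than
// silently coerced, so a typo cannot turn into "never fail".
def shouldFail = { String script, Map vars ->
    def result = new GroovyShell(new Binding(vars)).evaluate(script)
    if (!(result instanceof Boolean)) {
        throw new IllegalStateException("Condition must return a boolean: ${script}")
    }
    result
}

samples.each { vars ->
    println "stream=${vars.FDBLD_STREAM_NAME} status=${vars.STATUS} " +
            "stop=${vars.STOP_COUNT} warn=${vars.WARN_COUNT}"
    conditions.each { name, script ->
        println "  ${name.padRight(16)} -> ${shouldFail(script, vars) ? 'FAIL' : 'pass'}"
    }
}
```

With these samples, the second row shows the lenient condition passing a non-master build that the policy bundle itself marks as fail, which is the trade-off to review before adopting it.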

Outputs

These outputs will only be returned if Wait For Results is true.

Artifacts

This operation delegates the consume/produce artifacts decision to the workflow developer.

Endpoint Selection

This operation delegates the selection to the workflow developer to determine.

Endpoint Execution

This operation delegates the execution to the workflow developer to decide.