Securing containers with Anchore

Secure Containers

Are You Sitting Down?

Once Anchore has happily finished analyzing your image, you can get a full readout of the operating system package vulnerabilities it found with the following command, run here against the official nginx image:

$ anchore-cli image vuln docker.io/library/nginx:latest os

I'm assuming larger images take a little longer to complete, because this command returned empty output for a few minutes after running it against some images.

I'm sorry to say that Anchore came back with some unwelcome news (Figure 7), reporting a vast number of issues found in the latest nginx image. Each CVE is marked as High, Medium, and so on for clarity. I'm sure you can see why tools as powerful as Anchore are so critical to improving your security posture.

Figure 7: An abbreviated list of the nginx image analysis just keeps on coming, with 93 CVEs in total.

For comparison, when Anchore was run over Debian's latest image, the total was 43 CVEs, and my own image (a handful of tools for security auditing using an old 2017 Debian base OS) [8] contained a whopping 260 CVEs!

You can incorporate Anchore into your continuous integration and continuous delivery pipelines nicely with webhooks and receive notifications when new CVEs appear in an image. To activate this functionality, use the command:

$ anchore-cli subscription activate vuln_update docker.io/library/debian:latest
Success

As you might expect, the result Success is a welcome message, meaning you've subscribed to notices about that image.
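The vulnerability listing and the CI/CD hook above can be combined into a simple build gate. The following is an added example (not from the article or the Anchore project): it assumes anchore-cli's global `--json` flag, whose `image vuln ... os` report carries a `vulnerabilities` list with `vuln`, `package`, `severity` and `fix` fields, and it fails the build only on findings at or above a severity threshold that already have a fix available. The embedded report is a constructed sample so the script runs offline.

```python
import json
import subprocess
import sys
from collections import Counter

# Severity labels as Anchore reports them, ranked so a threshold can be compared.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2,
                 "Medium": 3, "High": 4, "Critical": 5}

def fetch_report(image):
    """Run anchore-cli (assumed global --json flag) and parse the OS vuln report."""
    out = subprocess.check_output(["anchore-cli", "--json", "image", "vuln", image, "os"])
    return json.loads(out)

def gate(report, threshold="High", fixable_only=True):
    """Return (passed, counts_by_severity, blocking_findings).
    A finding blocks when its severity is at or above threshold and, with
    fixable_only, a fixed package version exists (Anchore reports "None" if not)."""
    counts, blocking = Counter(), []
    for v in report.get("vulnerabilities", []):
        sev, fix = v.get("severity", "Unknown"), v.get("fix")
        counts[sev] += 1
        if SEVERITY_RANK.get(sev, 0) < SEVERITY_RANK[threshold]:
            continue                      # below the policy threshold
        if fixable_only and fix in (None, "", "None"):
            continue                      # nothing to upgrade to yet; report, don't block
        blocking.append((v["vuln"], v["package"], sev, fix))
    return len(blocking) == 0, counts, blocking

# Constructed sample in the shape of an anchore-cli --json vuln report (not real findings).
SAMPLE_REPORT = {"imageDigest": "sha256:placeholder", "vulnerability_type": "os",
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "package": "libssl1.1-1.1.1n-0+deb11u3",
         "severity": "High", "fix": "1.1.1n-0+deb11u4"},
        {"vuln": "CVE-0000-0002", "package": "curl-7.74.0-1.3",
         "severity": "Critical", "fix": "None"},
        {"vuln": "CVE-0000-0003", "package": "zlib1g-1.2.11",
         "severity": "Medium", "fix": "1.2.11-1"},
        {"vuln": "CVE-0000-0004", "package": "bash-5.1", "severity": "Low", "fix": "None"},
    ]}

if __name__ == "__main__":
    # Usage: python anchore_gate.py [image] [threshold]; no image runs the sample report.
    report = fetch_report(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_REPORT
    passed, counts, blocking = gate(report, sys.argv[2] if len(sys.argv) > 2 else "High")
    print("severity counts:", dict(counts))
    for vuln, pkg, sev, fix in blocking:
        print(f"BLOCK {sev:<8} {vuln} in {pkg} (fix: {fix})")
    sys.exit(0 if passed else 1)   # non-zero exit fails the CI stage
```

Unfixed findings are still counted and printed, so the summary reflects the full picture even when the stage passes.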

So Many Files

You can also use Anchore to show details of what a container image holds with the command:

$ anchore-cli image content chrisbinnie/super:latest files

You might want to redirect the output to an empty text file so you can look at it more closely later. Figure 8 shows the content of the image, with the size of each file listed to the far right for reference.

Figure 8: Heavily abbreviated output from the Anchore content command.

Starship Enterprise

At this stage, I would be remiss not to mention the Enterprise version of Anchore, which describes itself as offering the ability to "start utilizing the most comprehensive container image inspection and policy management platform available today" [9]. With the Enterprise version, you can view Anchore in a dashboard and drill down into items of interest with ease.
