« Previous 1 2 3 4 Next »
Securing containers with Anchore
Secure Containers
Are You Sitting Down?
Once Anchore has happily finished analyzing your image, you can get a full readout of what's going on inside with the following command, which uses Nginx:
$ anchore-cli image vuln docker.io/library/nginx:latest os
I'm assuming larger images take a little longer to complete, because this command returned empty output for a few minutes after running it against some images.
I'm sorry to say that Anchore came back with some unwelcome news (Figure 7), reporting a vast number of issues found in the latest nginx image. Each CVE is marked as High, Medium, and so on for clarity. I'm sure you can see why tools as powerful as Anchore are so critical to improving your security posture.
Figure 7: An abbreviated list of the nginx image analysis just keeps on coming, with 93 CVEs in total.
For comparison, when Anchore was run over Debian's latest image, the total was 43 CVEs, and my own image (a handful of tools for security auditing using an old 2017 Debian base OS) [8] contained a whopping 260 CVEs!
You can incorporate Anchore into your continuous integration and continuous delivery pipelines nicely with webhooks and receive notifications when new CVEs appear in an image. To activate this functionality, use the command:
$ anchore-cli subscription activate vuln_update docker.io/library/debian:latest Success
As you might expect, the result Success is a welcome message, meaning you've subscribed to notices about that image.
So Many Files
You can also use Anchore to show details of what a container image holds with the command:
$ anchore-cli image content chrisbinnie/super:latest files
You might want to redirect the output to an empty text file so you can look at it more closely later. Figure 8 shows the content of the image, with the size of each file listed to the far right for reference.
Figure 8: Heavily abbreviated output from the Anchore content command.
Starship Enterprise
At this stage, I would be remiss not to mention the Enterprise version of Anchore, which describes itself as offering the ability to "start utilizing the most comprehensive container image inspection and policy management platform available today" [9]. With the Enterprise version, you can view Anchore in a dashboard and drill down into items of interest with ease.
« Previous 1 2 3 4 Next »
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Best practices when working with Docker images
Whether you are developing containerized applications or running them, observing best practices helps to obtain optimal results. -
Tools for testing container vulnerability
Vulnerable software and incorrect settings cause problems, but administrators have some tools at hand that can help with container security. -
Update your Docker containers safely
A scripted approach lets you know when to update your Docker containers. -
Dockerizing Legacy Applications
Sooner or later, you'll want to convert your legacy application to a containerized environment. Docker offers the tools for a smooth and efficient transition. -
Dialing up security for Docker containers
Docker containers are a convenient way to run almost any service, but admins need to be aware of the need to address some important security issues.