Container (Docker) image vulnerability scan using Anchore

Navratan Lal Gupta
Published in Linux Shots
Sep 26, 2021

Container (Docker) images play a crucial role in container security. Container images include everything a container needs to run such as OS libraries, utilities, configuration settings, and other application packages needed to run an application.

Any container created from an image inherits all its characteristics including security vulnerabilities, misconfigurations and malware.

It is very important to understand the impact of, and mitigate, the security vulnerabilities introduced in a container image before that image is deployed.

Here, we will use an open source tool, Anchore, to scan a container (Docker) image for security vulnerabilities and generate a list of the vulnerabilities found.

Pre-requisites

This demo is tested on/with:

  • Ubuntu 20.04 server
  • Docker 20.10.8
  • docker-compose 1.29.1
  • Python 3.8.10
  • Pip 21.2.4

Installation

Complete Anchore setup consists of:

  • Anchore Engine — This is the core of Anchore; it exposes an API and runs the analysis of images.
  • Anchore CLI — This is a command-line utility which communicates with Anchore Engine through its API and performs actions for us.

Install Anchore Engine

1. Create a directory.

mkdir anchore
cd anchore

2. Download docker-compose.yaml file from Anchore’s official site.

curl -O https://engine.anchore.io/docs/quickstart/docker-compose.yaml

3. It is recommended to change the password of Anchore and its database.

vi docker-compose.yaml

Change the value of the environment variables below everywhere in the docker-compose.yaml file to the desired Anchore admin password and database password. (Make sure the value of each environment variable is the same across all services in the docker-compose.yaml file.)

ANCHORE_ADMIN_PASSWORD

ANCHORE_DB_PASSWORD

Snippet of environment variables in docker-compose.yaml

The default Anchore admin password is ‘foobar’, and the default database password is ‘mysecretpassword’.

4. Deploy Anchore Engine.

docker-compose up -d

5. Once all containers are up and healthy, Anchore’s API will be accessible at http://localhost:8228/v1

6. Proceed with the Anchore CLI installation and setup only after all the containers are up and healthy. Check their status with:

docker ps

Install Anchore CLI

1. Install Anchore CLI using pip.

python3 -m pip install --upgrade pip
pip install --upgrade anchorecli

2. Configure the Anchore username and password.

mkdir $HOME/.anchore
vi $HOME/.anchore/credentials.yaml

Add the lines below to the .anchore/credentials.yaml file.

(Mind the indentation: the three keys must be nested under `default:`.)

default:
  ANCHORE_CLI_USER: 'admin'
  ANCHORE_CLI_PASS: 'anchorepassword'
  ANCHORE_CLI_URL: 'http://localhost:8228/v1'

Replace anchorepassword with the value of the ANCHORE_ADMIN_PASSWORD environment variable that was set in the docker-compose.yaml file.

Scan a Docker (Container) image

  1. Add registry credentials (one time only, and only if we want to scan an image from a private registry).

anchore-cli registry add REGISTRY_URL REGISTRY_USER REGISTRY_PASSWORD

e.g.

anchore-cli registry add docker.io user1 password1

2. Add the image to scan.

anchore-cli image add REGISTRY/IMAGENAME:TAG

e.g.

anchore-cli image add docker.io/nginx:1.20.1

3. Wait for Anchore to finish analyzing the image (check its status with the command below).

anchore-cli image list | grep REGISTRY/IMAGENAME:TAG

Scan container (Docker) image

4. Once the analysis is completed, generate the vulnerability report.

anchore-cli image vuln REGISTRY/IMAGENAME:TAG all
anchore-cli image vuln REGISTRY/IMAGENAME:TAG all > filename.csv

The vulnerability report lists all the vulnerable packages, their vulnerability ID, severity (Critical/High/Medium/Low/Negligible), fix (if any) and the type of package.
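As an added example, not code from the original post or from the Anchore project: a small POSIX shell gate that a CI job could run after step 4. It pipes the report from `anchore-cli image vuln IMAGE all` through awk and counts the findings that are at or above a chosen severity and already have a fix available, so a build can be failed on exactly those. The column order (ID, Package, Severity, Fix, ...) is assumed from the report layout described above, and the sample report embedded below is constructed, not real scan output.

```shell
#!/bin/sh
# Added example: gate a CI job on an Anchore vulnerability report.
# Assumed table layout of `anchore-cli image vuln IMAGE all`:
#   column 1 = Vulnerability ID, 2 = Package, 3 = Severity, 4 = Fix (version or "None")

# Map a severity name to a rank so thresholds can be compared numerically.
sev_rank() {
  case "$1" in
    Critical)   echo 5 ;;
    High)       echo 4 ;;
    Medium)     echo 3 ;;
    Low)        echo 2 ;;
    Negligible) echo 1 ;;
    *)          echo 0 ;;
  esac
}

# count_fixable THRESHOLD < report
# Prints how many findings are at or above THRESHOLD and have a fix (Fix column != "None").
count_fixable() {
  min=$(sev_rank "$1")
  awk -v min="$min" '
    BEGIN { r["Critical"]=5; r["High"]=4; r["Medium"]=3; r["Low"]=2; r["Negligible"]=1 }
    NR == 1 { next }                                   # skip the header row
    NF >= 4 && ($3 in r) && r[$3] >= min && $4 != "None" { n++ }
    END { print n + 0 }'
}

# anchore_gate IMAGE THRESHOLD
# Runs the real scan and returns non-zero when any fixable finding meets the threshold.
anchore_gate() {
  n=$(anchore-cli image vuln "$1" all | count_fixable "$2")
  echo "$1: $n fixable finding(s) at or above $2"
  [ "$n" -eq 0 ]
}

# Constructed sample report (placeholder IDs and packages, not real scan output).
SAMPLE_REPORT='Vulnerability ID        Package                 Severity        Fix        CVE Refs        Vulnerability URL          Type        Feed               Feed Group
CVE-0000-0001           libexample-1.2.3        High            1.2.4      None            https://example.invalid    dpkg        vulnerabilities    debian:11
CVE-0000-0002           libother-2.0.0          Critical        None       None            https://example.invalid    dpkg        vulnerabilities    debian:11
CVE-0000-0003           tool-0.9                Medium          0.9.1      None            https://example.invalid    dpkg        vulnerabilities    debian:11
CVE-0000-0004           base-3.1                Low             3.1.1      None            https://example.invalid    dpkg        vulnerabilities    debian:11'

# Stand-alone usage on the sample: the Critical finding has no fix, so only the High one counts.
printf '%s\n' "$SAMPLE_REPORT" | count_fixable High
```

Note that redirecting the table output to filename.csv, as in step 4, produces a whitespace-aligned table rather than comma-separated values, which is why the example splits on whitespace.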

Other features of Anchore include (but are not limited to):

  • Adding policies to whitelist a vulnerability.
  • User account management — creating new accounts in Anchore Engine to share non-admin credentials with other team members.
  • Inspecting an image — inspecting the files, OS, packages, etc. of an image.
  • Working with cloud container registries such as Azure, AWS and GCP.
  • API integration with applications.
  • Integration with CI tools such as Jenkins, GitLab, AWS CodeBuild, etc.

Find out more about Anchore in its documentation.
