Published in Linux Shots

Container (Docker) image vulnerability scan using Anchore

Container (Docker) images play a crucial role in container security. A container image includes everything a container needs to run, such as OS libraries, utilities, configuration settings, and the application packages needed to run an application.

Any container created from an image inherits all of its characteristics, including security vulnerabilities, misconfigurations and malware.

It is very important to understand the impact of, and mitigate, the security vulnerabilities introduced by a container image before the image is deployed.

Here, we will use an open source tool, Anchore, to scan container (Docker) images for security vulnerabilities and generate a list of vulnerabilities.


This demo is tested on/with:

  • Ubuntu 20.04 server
  • Docker 20.10.8
  • docker-compose 1.29.1
  • Python 3.8.10
  • Pip 21.2.4


A complete Anchore setup consists of:

  • Anchore Engine — This is the core of Anchore; it exposes an API and runs the analysis of images.
  • Anchore CLI — This is a CLI utility (tool) which communicates with Anchore Engine through its API and performs actions for us.

Install Anchore Engine

1. Create a directory.
mkdir anchore
cd anchore

2. Download the docker-compose.yaml file from Anchore’s official site.

curl -O

3. It is recommended to change the password of Anchore and of its database.

vi docker-compose.yaml

Change the value of the environment variables below everywhere in the docker-compose.yaml file to the desired Anchore admin password and database password. (Make sure the value of each environment variable is the same across all services in the docker-compose.yaml file.)



Snippet of environment variables in docker-compose.yaml

The default Anchore admin password is ‘foobar’, and the default database password is ‘mysecretpassword’.
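The two mistakes the previous paragraphs warn about (a password left at its default, and a variable set to different values in different services) are easy to check mechanically before running docker-compose up. The script below is an added example, not code from the article or from the Anchore project. It assumes the environment is written in the "- KEY=value" list form and that the variable names are ANCHORE_ADMIN_PASSWORD, ANCHORE_DB_PASSWORD and POSTGRES_PASSWORD (ANCHORE_DB_PASSWORD and POSTGRES_PASSWORD are assumed from Anchore's compose file and may need adjusting); the two compose snippets are constructed samples, not the real file.

```shell
#!/bin/sh
# Added example (not from the article or the Anchore project): check a
# docker-compose.yaml for passwords left at their defaults and for a variable
# whose value differs between services. Variable names other than
# ANCHORE_ADMIN_PASSWORD are assumptions; edit the alternation if yours differ.
# Assumes the "- KEY=value" list form of 'environment:'.
check_compose_passwords() {
  file="$1"
  awk '
    /^[ \t]*-[ \t]*(ANCHORE_ADMIN_PASSWORD|ANCHORE_DB_PASSWORD|POSTGRES_PASSWORD)=/ {
      sub(/^[ \t]*-[ \t]*/, "")               # drop the "- " list marker
      eq = index($0, "=")
      key = substr($0, 1, eq - 1)
      val = substr($0, eq + 1)
      if (val == "foobar" || val == "mysecretpassword") {
        print "default password still set for " key " (line " NR ")"; bad = 1
      }
      if ((key in seen) && seen[key] != val) {
        print "inconsistent value for " key " (line " NR ")"; bad = 1
      }
      seen[key] = val
    }
    END {
      # the engine must log in to the database with the password the database was created with
      if (("ANCHORE_DB_PASSWORD" in seen) && ("POSTGRES_PASSWORD" in seen) &&
          seen["ANCHORE_DB_PASSWORD"] != seen["POSTGRES_PASSWORD"]) {
        print "ANCHORE_DB_PASSWORD does not match POSTGRES_PASSWORD"; bad = 1
      }
      exit bad                                # non-zero when anything was reported
    }' "$file"
}

# Constructed sample: one default left in place, one service still on the
# default admin password, and the engine's DB password out of step with postgres.
SAMPLE_COMPOSE_BAD='services:
  anchore-db:
    environment:
      - POSTGRES_PASSWORD=mysecretpassword
  engine-api:
    environment:
      - ANCHORE_ADMIN_PASSWORD=S3cure-Admin-Pass
      - ANCHORE_DB_PASSWORD=S3cure-Db-Pass
  engine-catalog:
    environment:
      - ANCHORE_ADMIN_PASSWORD=foobar
      - ANCHORE_DB_PASSWORD=S3cure-Db-Pass'

# Constructed sample with every value changed and consistent.
SAMPLE_COMPOSE_GOOD='services:
  anchore-db:
    environment:
      - POSTGRES_PASSWORD=S3cure-Db-Pass
  engine-api:
    environment:
      - ANCHORE_ADMIN_PASSWORD=S3cure-Admin-Pass
      - ANCHORE_DB_PASSWORD=S3cure-Db-Pass
  engine-catalog:
    environment:
      - ANCHORE_ADMIN_PASSWORD=S3cure-Admin-Pass
      - ANCHORE_DB_PASSWORD=S3cure-Db-Pass'

if [ "$#" -gt 0 ]; then
  check_compose_passwords "$1"   # usage: ./check-compose.sh docker-compose.yaml
fi
```

Run it against the real file before step 4; a non-zero exit with the printed lines tells you which service still carries a default or a mismatched value.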

4. Deploy Anchore Engine.

docker-compose up -d

5. Once all containers are up and healthy, Anchore’s API is accessible at http://localhost:8228/v1

6. Check that all the containers are up and healthy before proceeding with the Anchore CLI installation and setup.

docker ps

Install Anchore CLI

1. Install Anchore CLI using pip.
python3 -m pip install --upgrade pip
pip install --upgrade anchorecli

2. Configure the Anchore username and password.

mkdir $HOME/.anchore
vi $HOME/.anchore/credentials.yaml

Add the lines below to the .anchore/credentials.yaml file.

(Mind the indentation: the entries are nested under the default: key.)

default:
  ANCHORE_CLI_USER: 'admin'
  ANCHORE_CLI_PASS: 'anchorepassword'
  ANCHORE_CLI_URL: 'http://localhost:8228/v1'

Replace anchorepassword with the value of the ANCHORE_ADMIN_PASSWORD environment variable that was set in the docker-compose.yaml file.

Scan a Docker (Container) image

1. Add registry credentials (one time only, and only if we want to scan an image from a private registry).

anchore-cli registry add REGISTRY user1 password1

2. Add the image to scan.

anchore-cli image add REGISTRY/IMAGENAME:TAG


anchore-cli image add

3. Wait for Anchore to analyze the image.

anchore-cli image list | grep REGISTRY/IMAGENAME:TAG

Scan container (Docker) image

4. Once the analysis is complete, generate the vulnerability report.

anchore-cli image vuln REGISTRY/IMAGENAME:TAG all
anchore-cli image vuln REGISTRY/IMAGENAME:TAG all > filename.csv

The vulnerability report lists every vulnerable package together with its vulnerability ID, severity (Critical/High/Medium/Low/Negligible), fix (if any) and package type.
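Steps 2 to 4 above are usually run from a CI job rather than by hand, and the report is only useful there if something acts on it. The script below is an added example, not code from the article or from the Anchore project: it strings together the article's image add, image list and image vuln commands, polls until the analysis status is "analyzed", and fails the build when the report contains more than an allowed number of Critical or High findings that already have a fix. It assumes anchore-cli is on PATH with ~/.anchore/credentials.yaml configured as above, that the report's first four whitespace-separated columns are Vulnerability ID, Package, Severity and Fix, and that image list prints Full Tag, Image Digest and Analysis Status in that order; ANCHORE_CLI and POLL_INTERVAL are hypothetical knobs added so the logic can be exercised against a stub, and the embedded report is a constructed sample with placeholder IDs, not real CVEs.

```shell
#!/bin/sh
# Added example (not from the article or the Anchore project): wrap the
# article's add / wait / vuln steps into one CI-style gate that fails when the
# report contains Critical or High findings that already have a fix.
# Assumptions: anchore-cli on PATH with ~/.anchore/credentials.yaml set up as
# described above; ANCHORE_CLI and POLL_INTERVAL are hypothetical knobs so a
# test can substitute a stub CLI and skip the sleep.
ANCHORE_CLI="${ANCHORE_CLI:-anchore-cli}"
POLL_INTERVAL="${POLL_INTERVAL:-10}"

# Poll 'anchore-cli image list' until IMAGE shows Analysis Status 'analyzed'
# (the article's "image list | grep" step). Column order Full Tag, Image
# Digest, Analysis Status is assumed from the CLI's tabular output.
wait_for_analysis() {
  image="$1"; attempts="${2:-30}"; i=0
  while [ "$i" -lt "$attempts" ]; do
    status=$("$ANCHORE_CLI" image list | awk -v img="$image" '$1 == img { print $3 }')
    case "$status" in
      analyzed) return 0 ;;
      analysis_failed) echo "analysis failed for $image" >&2; return 1 ;;
    esac
    i=$((i + 1)); sleep "$POLL_INTERVAL"
  done
  echo "timed out waiting for $image" >&2
  return 1
}

# Summarise an 'anchore-cli image vuln IMAGE all' report read from stdin as
# "SEVERITY COUNT" lines. Columns Vulnerability ID, Package, Severity, Fix are
# assumed to be the first four whitespace-separated fields of the report.
count_by_severity() {
  awk 'NR > 1 && NF >= 4 { n[$3]++ } END { for (s in n) print s, n[s] }' | sort
}

# Return 1 when more than MAX Critical/High findings have a fix available
# ("Fix" column not "None"): those are the ones the team can act on before the
# image ships; unfixed ones still show up in the severity summary.
gate_report() {
  max="${1:-0}"
  actionable=$(awk 'NR > 1 && NF >= 4 && ($3 == "Critical" || $3 == "High") && $4 != "None" { c++ }
                    END { print c + 0 }')
  echo "Critical/High findings with a fix available: $actionable (max allowed: $max)"
  [ "$actionable" -le "$max" ]
}

# End to end: add the image, wait for the analysis, gate on the report.
scan_and_gate() {
  image="$1"; max="${2:-0}"
  "$ANCHORE_CLI" image add "$image" >/dev/null || return 1
  wait_for_analysis "$image" || return 1
  "$ANCHORE_CLI" image vuln "$image" all | gate_report "$max"
}

# Constructed, abridged sample in the shape of the CLI report; the IDs and
# package versions are placeholders, not real CVEs or packages.
SAMPLE_REPORT='Vulnerability ID   Package              Severity   Fix       Type
CVE-XXXX-0001      libfoo-1.0.0-1       Critical   1.0.0-2   dpkg
CVE-XXXX-0002      libbar-2.3.1-4       High       None      dpkg
CVE-XXXX-0003      libbaz-0.9-7         Medium     0.9-8     dpkg
CVE-XXXX-0004      libqux-5.5-1         Low        None      dpkg'

if [ "$#" -gt 0 ]; then
  scan_and_gate "$@"   # usage: ./gate.sh REGISTRY/IMAGENAME:TAG [MAX_ALLOWED]
fi
```

With MAX_ALLOWED at its default of 0 the job fails as soon as one fixable Critical or High finding appears; keep the full report (step 4 above) as a build artifact so the unfixed findings are still visible to reviewers.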

Other features of Anchore include (but are not limited to):

  • Adding policies to whitelist a vulnerability.
  • User account management — creating new accounts in Anchore Engine so that non-admin credentials can be shared with other team members.
  • Inspecting an image — inspecting the files, OS, packages, etc. of an image.
  • Working with cloud container registries such as Azure, AWS and GCP.
  • API integration with applications.
  • Integration with CI tools such as Jenkins, GitLab, AWS CodeBuild, etc.

Please find out more about Anchore in its documentation.

Navratan Lal Gupta