How to Perform a Local CLI Anchore Container Image Vulnerability Scan with a cURL Command
Anchore is a nice product available via open-source and an enterprise solution for identifying security vulnerabilities and flaws in container images. Through my day-to-day work, I’ve been able to become quite familiar with working with it; after all, its ability to be integrated into the software delivery lifecycle has made it pretty seamless.
Before we start, what does Anchore scan?
When you provide a Docker image to Anchore, it can return to you the security vulnerabilities pertaining to the associated application, operating system packages, secrets, passwords, third-party libraries, Dockerfile, and more.
Additionally, it has configuration for both blocklists and allowlists to fine-tune your deployment process; after all, you wouldn’t want a false positive security vulnerability that you’ve vetted to be a showstopper in your deployment pipeline.
How to scan with Anchore locally with your CLI
I mentioned that a mature approach to Anchore would be to incorporate Anchore into your deployment process, which would ideally somewhere in the CI/CD pipeline. However, both before that is in place and even during, it can be quite important and productive to know how to scan your local Docker images with Anchore.
After all, you wouldn’t want to put your code through the entire CI/CD pipeline to get your Anchore result back if you’re actively trying to knock out security vulnerabilities one-by-one; it’d be a lot faster to just be able to do it locally to get a quicker feedback loop.
A great way to do this is through your terminal (in other words, your command line interface, or CLI for short).
cURL to Anchore’s inline scan script
If you don’t want to download Anchore’s own command line interface, then no problem — Anchore’s provided a way where you can perform inline command line scans via a wrapper script called inline_scan.
What this means is that all you have to do is provide a local Docker image and then send a cURL request to inline_scan to get vulnerability scan results right away.
1. Have your Docker image available
Your first order of business should be to have your Docker image available that you wish to scan for security vulnerabilities.
With Docker, if the image name you specify isn’t found locally, then by default it will try to pull the image from Docker Hub. So if you provide the image name alpine:latest because you want to scan the latest tag of Alpine Linux, first Docker will try to search its own Docker images in your machine; if it can’t find it, then it will just pull it from Docker Hub.
If you’re trying to find the security vulnerabilities in one of your images that you’re actively developing, then you’ll have to build the Docker image. If you need help with that, I would suggest Docker’s documentation on docker build.
2. Just the run the simple command!
Assuming your machine is also able to run bash commands, all you have to do now is run this command in your terminal (making sure to substitute alpine:latest with your image of choice):
What this will do is pull the anchore/inline_scan image from Docker Hub, start PostgreSQL, start the Anchore Engine, and then analyze your provided image.
According to its Policy Evaluation, it will then issue a pass or fail result. The Policy Evaluation will then output a list of issues it found in your image; gates can include issues in the Dockerfile or security vulnerabilities (which range in severity from LOW all the way to CRITICAL).
The output will provide details on the offenders and how you can get started re-mediating them, complete with a link to the specific CVE (short for Common Vulnerabilities and Exposures) in the National Vulnerability Database, if applicable.
For more information on this inline scan, then you can read Anchore’s documentation here. As an example of what that documentation contains, the following is a quoted code block of other potential flags you can add to the above command (note that the command above is just what I got to work for myself):
-b <PATH> [optional] Path to local Anchore policy bundle (ex: -b ./policy_bundle.json)
-d <PATH> [optional] Path to local Dockerfile (ex: -d ./dockerfile)
-v <PATH> [optional] Path to directory, all image archives in directory will be scanned (ex: -v /tmp/scan_images/)
-t <TEXT> [optional] Specify timeout for image scanning in seconds. Defaults to 300s. (ex: -t 500)
-f [optional] Exit script upon failed Anchore policy evaluation
-p [optional] Pull remote docker images
-r [optional] Generate analysis reports in your current working directory
-V [optional] Increase verbosityBeyond just your local machine
In CircleCI, GitLab, CodeShip, Jenkins, TravisCI, and AWS CodeBuild
While this article is mostly concerned with how to perform this inline scanner locally on your machine for your own security remediation in your development process, the great thing is that you can work this command into your CI/CD processes.
For instance, you can integrate it into CircleCI with this config.yml file and by configuring $DOCKER_USER and $DOCKER_PASS environment variables. You could also do something similar with GitLab and a .gitlab-ci.yml file. Additionally, a codeship-services.yml file is available for CodeShip, a Jenkinsfile one for Jenkins, a travis.yml file for TravisCI, and a buildspec.yml file for AWS CodeBuild.
I hope that through this article, you were able to see how a local scan in your terminal using Anchore’s inline_scan works and possibly even got it working for yourself. In a future article, I will go over the Anchore CLI, which is a tool that allows you to run a command anchore-cli in your terminal as an alternative means of performing such scans.
