How to Perform a Local CLI Anchore Container Image Vulnerability Scan with a cURL Command

Tremaine Eto
Jan 14 · 4 min read
Image for post
Image for post
Original photo by ammiel jr on Unsplash; logo by Anchore; text by Tremaine Eto.

Anchore is a nice product available via open-source and an enterprise solution for identifying security vulnerabilities and flaws in container images. Through my day-to-day work, I’ve been able to become quite familiar with working with it; after all, its ability to be integrated into the software delivery lifecycle has made it pretty seamless.

Before we start, what does Anchore scan?

When you provide a Docker image to Anchore, it can return to you the security vulnerabilities pertaining to the associated application, operating system packages, secrets, passwords, third-party libraries, Dockerfile, and more.

Additionally, it has configuration for both blocklists and allowlists to fine-tune your deployment process; after all, you wouldn’t want a false positive security vulnerability that you’ve vetted to be a showstopper in your deployment pipeline.

How to scan with Anchore locally with your CLI

I mentioned that a mature approach to Anchore would be to incorporate Anchore into your deployment process, which would ideally somewhere in the CI/CD pipeline. However, both before that is in place and even during, it can be quite important and productive to know how to scan your local Docker images with Anchore.

After all, you wouldn’t want to put your code through the entire CI/CD pipeline to get your Anchore result back if you’re actively trying to knock out security vulnerabilities one-by-one; it’d be a lot faster to just be able to do it locally to get a quicker feedback loop.

A great way to do this is through your terminal (in other words, your command line interface, or CLI for short).

cURL to Anchore’s inline scan script

If you don’t want to download Anchore’s own command line interface, then no problem — Anchore’s provided a way where you can perform inline command line scans via a wrapper script called .

What this means is that all you have to do is provide a local Docker image and then send a cURL request to to get vulnerability scan results right away.

1. Have your Docker image available

Your first order of business should be to have your Docker image available that you wish to scan for security vulnerabilities.

With Docker, if the image name you specify isn’t found locally, then by default it will try to pull the image from Docker Hub. So if you provide the image name because you want to scan the latest tag of Alpine Linux, first Docker will try to search its own Docker images in your machine; if it can’t find it, then it will just pull it from Docker Hub.

If you’re trying to find the security vulnerabilities in one of your images that you’re actively developing, then you’ll have to build the Docker image. If you need help with that, I would suggest Docker’s documentation on .

2. Just the run the simple command!

Assuming your machine is also able to run bash commands, all you have to do now is run this command in your terminal (making sure to substitute with your image of choice):

What this will do is pull the image from Docker Hub, start PostgreSQL, start the Anchore Engine, and then analyze your provided image.

According to its Policy Evaluation, it will then issue a or result. The Policy Evaluation will then output a list of issues it found in your image; gates can include issues in the Dockerfile or security vulnerabilities (which range in severity from all the way to ).

The output will provide details on the offenders and how you can get started re-mediating them, complete with a link to the specific CVE (short for Common Vulnerabilities and Exposures) in the National Vulnerability Database, if applicable.

For more information on this inline scan, then you can read Anchore’s documentation here. As an example of what that documentation contains, the following is a quoted code block of other potential flags you can add to the above command (note that the command above is just what I got to work for myself):

-b <PATH>  [optional] Path to local Anchore policy bundle (ex: -b ./policy_bundle.json)
-d <PATH> [optional] Path to local Dockerfile (ex: -d ./dockerfile)
-v <PATH> [optional] Path to directory, all image archives in directory will be scanned (ex: -v /tmp/scan_images/)
-t <TEXT> [optional] Specify timeout for image scanning in seconds. Defaults to 300s. (ex: -t 500)
-f [optional] Exit script upon failed Anchore policy evaluation
-p [optional] Pull remote docker images
-r [optional] Generate analysis reports in your current working directory
-V [optional] Increase verbosity

Beyond just your local machine

Image for post
Image for post
The Great Beyond. Photo by Brian Wangenheim on Unsplash.

In CircleCI, GitLab, CodeShip, Jenkins, TravisCI, and AWS CodeBuild

While this article is mostly concerned with how to perform this inline scanner locally on your machine for your own security remediation in your development process, the great thing is that you can work this command into your CI/CD processes.

For instance, you can integrate it into CircleCI with this file and by configuring and environment variables. You could also do something similar with GitLab and a file. Additionally, a file is available for CodeShip, a one for Jenkins, a file for TravisCI, and a file for AWS CodeBuild.

I hope that through this article, you were able to see how a local scan in your terminal using Anchore’s works and possibly even got it working for yourself. In a future article, I will go over the Anchore CLI, which is a tool that allows you to run a command in your terminal as an alternative means of performing such scans.

The Startup

Medium's largest active publication, followed by +771K people. Follow to join our community.

Tremaine Eto

Written by

Full-time software engineer since 2016. UCLA Computer Science B.S. with Atmospheric and Oceanic Sciences minor, class of ‘16.

The Startup

Medium's largest active publication, followed by +771K people. Follow to join our community.

Tremaine Eto

Written by

Full-time software engineer since 2016. UCLA Computer Science B.S. with Atmospheric and Oceanic Sciences minor, class of ‘16.

The Startup

Medium's largest active publication, followed by +771K people. Follow to join our community.

Medium is an open platform where 170 million readers come to find insightful and dynamic thinking. Here, expert and undiscovered voices alike dive into the heart of any topic and bring new ideas to the surface. Learn more

Follow the writers, publications, and topics that matter to you, and you’ll see them on your homepage and in your inbox. Explore

If you have a story to tell, knowledge to share, or a perspective to offer — welcome home. It’s easy and free to post your thinking on any topic. Write on Medium

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store