Introduction
In this section, you’ll learn about the requirements for installing Anchore Enterprise Feeds and configuring its components. You can read more about how Feeds works in the feature overview.
Requirements
Network Ingress
Anchore Enterprise Feeds exposes a RESTful API by default on port 8228
however this port can be remapped.
The policy engine service(s) in your Anchore deployment will use this endpoint and API to get the latest updates aggregated into Anchore-specific formats.
Network Egress
Anchore Enterprise Feeds requires access to the upstream data feeds from supported Linux distributions and package registries. See Feeds Endpoints for the full list of the endpoints.
Database
Note
Important Note: The Feed service DB must be version PostgreSQL 13 or newer for 5.0.
See 5.0 Preparation Guide for details.
Ruby Gems project publishes package data as a PostgreSQL dump. Enabling the gem driver in Anchore Enterprise Feeds will
increase the load on the PostgreSQL database used by the service. We recommend using a different PostgreSQL instance
for the gem driver to avoid load spikes and interruptions to the service. The database endpoint for the gem driver can
be configured using services.feeds.drivers.gem.db_connect
parameter in config.yaml
Vulnerability Provider Configuration
Some of the vulnerability data providers will require additional configuration steps, like retrieving an API or token key from a provider.
GitHub Provider
The GitHub provider requires generation of a Personal Access Token (PAT) which is associated with a GitHub Account. To generate this token, the user will be required to log in to GitHub and use the following url: https://github.com/settings/tokens/new
There are no special permissions needed for the token, so there is no need to select any scopes. A note may be added as a reminder for what the token is being used. At the bottom of the tokens page, click the Generate token button which will show a new page displaying the generated token. Make sure you copy that token and use it to configure the GitHub provider, the token will only be seen once in the GitHub interface.
Use the new token in config.yaml in the feeds
section: for all components of the deployment:
feeds:
...
github:
enabled: true
token: "****************************************"
It is also possible to set the token with the following environment variable: ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN
.
Note that this is only valid when using the config.yaml provided in the image due to that file referencing them
explicitly as replacement values.
Microsoft Security Response Center (MSRC) Provider
The MSRC provider is not enabled by default so must be explicitly enabled in order to execute. This provider is required in order for Anchore to get data about vulnerabilities and fixes for Microsoft Windows and its associated KBs (patches).
For quickstart and deployments using docker-compose.yaml, find the
feeds
service definition and uncomment or add the following environment variables:services: ... feeds: ... environment: ... - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true
For deployments using config.yaml, update the
feeds
configuration section:services: ... feeds: ... drivers: msrc: enabled: true
Anchore Vulnerability Match Exclusion Provider
The Anchore Vulnerability Match Exclusion provider is available to users that meet specific license requirements. Please contact Anchore Support for details.
For quickstart and deployments using docker-compose.yaml, find the
feeds
service definition and uncomment or add the following environment variables:services: ... feeds: ... environment: ... - ANCHORE_ENTERPRISE_FEEDS_VULN_MATCH_EXCLUSION_DRIVER_ENABLED=true
For deployments using config.yaml, update the
feeds
configuration section:services: ... feeds: ... drivers: anchore_match_exclusion: enabled: true
Ubuntu Provider
The Ubuntu https endpoint is heavily throttled and can be seen as unreliable.
A configuration option is provided to switch the Ubuntu provider’s access to the git protocol endpoint instead.
This endpoint has improved reliability but is not validated or encrypted and uses a different port than https.
Please contact Anchore Support for additional details.
NVD Provider
The NVD provider uses the v2 NVD API and it is recommended passing an API key to avoid more aggressive throttling.
Request an API key via https://nvd.nist.gov/developers/request-an-api-key.
Use the new api key in config.yaml in the feeds
section: for all components of the deployment:
feeds:
...
nvd:
enabled: true
api_key: "****************************************"
It is also possible to set the token with the following environment variable: ANCHORE_ENTERPRISE_FEEDS_NVD_PROVIDER_API_KEY
.
Note that this is only valid when using the config.yaml provided in the image due to that file referencing them
explicitly as replacement values.