Pipeline Image Analysis and Scanning
Anchore now supports analysis of images at build time with no requirement to push images up to a registry in order for them to be analyzed and added to the system.
This feature works by executing anchorectl inside your pipeline and giving it an endpoint and credentials to upload the results to an Anchore deployment. It analyzes the image locally for package artifacts and uploads the analysis and container metadata to Anchore. The system then loads the result, after which the image analysis is available for vulnerability queries and policy evaluations using AnchoreCTL or direct API operations.
The analysis import is processed by the analyzer services, so you will see the image enter the not_analyzed state when first uploaded, then analyzing, and finally analyzed. Once in the analyzing state the process is usually very fast (seconds), since it only operates on the provided package manifest rather than having to pull any image data or perform significant IO to unpack an image.
Example
❯ syft -o json ubuntu:latest | anchorectl image add ubuntu:latest --wait --from -
✔ Loaded image
✔ Parsed image
✔ Cataloged packages [101 packages]
Image:
status: analyzed (active)
tag: docker.io/ubuntu:latest
digest: sha256:33bca6883412038cc4cbd3ca11406076cf809c1dd1462a144ed2e38a7e79378a
id: sha256:df5de72bdb3b711aba4eca685b1f42c722cc8a1837ed3fbd548a9282af2d836d
distro: [email protected] (amd64)
layers: 1
❯ anchorectl image get ubuntu:latest
Tag: docker.io/ubuntu:latest
Digest: sha256:33bca6883412038cc4cbd3ca11406076cf809c1dd1462a144ed2e38a7e79378a
ID: sha256:df5de72bdb3b711aba4eca685b1f42c722cc8a1837ed3fbd548a9282af2d836d
Analysis: analyzed
Status: active
❯ anchorectl image vulnerabilities ubuntu:latest -t all
...
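As an added example (not anchorectl's or Anchore's own code), the pipeline step above wrapped in a script that uploads the SBOM and then gates the job on the analysis state reported by `anchorectl image get`, so vulnerability results are only requested once the image is analyzed and active. It assumes the endpoint and credentials reach anchorectl through the ANCHORECTL_URL, ANCHORECTL_USERNAME and ANCHORECTL_PASSWORD environment variables, and the sample outputs embedded at the end are constructed to mirror the page's example.

```bash
#!/usr/bin/env bash
# Added example: analyze a locally built image with syft, upload the SBOM to an
# Anchore deployment with anchorectl, and gate the pipeline on the analysis state.
# Assumption: anchorectl reads ANCHORECTL_URL, ANCHORECTL_USERNAME and
# ANCHORECTL_PASSWORD from the environment for the endpoint and credentials.
set -eu

# Extract the value of a "Key: value" line from `anchorectl image get` output.
field() {  # usage: field <key> <text>
  printf '%s\n' "$2" | awk -v k="$1:" '$1 == k { print $2; exit }'
}

# Return 0 only when the image is fully analyzed and active, i.e. when
# vulnerability and policy queries against it are meaningful.
image_ready() {  # usage: image_ready <anchorectl image get output>
  [ "$(field Analysis "$1")" = "analyzed" ] && [ "$(field Status "$1")" = "active" ]
}

# Analyze locally and upload; --wait blocks until the import has left the
# not_analyzed/analyzing states, so a failure here fails the pipeline step.
scan_and_upload() {  # usage: scan_and_upload <image:tag>
  syft -o json "$1" | anchorectl image add "$1" --wait --from -
}

# Gate: refuse to continue unless the deployment reports the image as analyzed.
gate_on_analysis() {  # usage: gate_on_analysis <image:tag>
  local info
  info="$(anchorectl image get "$1")"
  if image_ready "$info"; then
    echo "image $1 analyzed; running vulnerability report"
    anchorectl image vulnerabilities "$1" -t all
  else
    echo "image $1 not ready: Analysis=$(field Analysis "$info") Status=$(field Status "$info")" >&2
    return 1
  fi
}

# Constructed samples of `anchorectl image get` output (not real tool output)
# so the gate logic can be exercised without a running Anchore deployment.
SAMPLE_READY='Tag: docker.io/ubuntu:latest
Analysis: analyzed
Status: active'
SAMPLE_PENDING='Tag: docker.io/ubuntu:latest
Analysis: not_analyzed
Status: active'

if [ "${1:-}" = "--demo" ]; then
  image_ready "$SAMPLE_READY"   && echo "sample ready: ok"
  image_ready "$SAMPLE_PENDING" || echo "sample pending: not ready"
fi
```

In a real job the step is `scan_and_upload "$IMAGE" && gate_on_analysis "$IMAGE"`; run with `--demo` to exercise the gate logic against the constructed samples only.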
Next Steps
Install anchorectl to scan local images and generate a software Bill of Materials to upload into your Anchore deployment.
After uploading the analysis, use AnchoreCTL or the UI to view vulnerabilities or policy evaluations using the enterprise feed data and policy features such as base-image diffs or false positive management.