Evaluating Images Against Policies
Introduction
The evaluate command can be used to evaluate a given image for policy compliance.
The image to be evaluated can be in the following format:
- Image Digest
- Image ID
- registry/repo:tag
Using the Evaluate command
$ anchore-cli evaluate check debian:latest
Image Digest: sha256:427752aa7da803378f765f5a8efba421df5925cbde8ab011717f3642f406fb15
Full Tag: docker.io/debian:latest
Status: fail
Last Eval: 2017-09-02T15:19:55
Policy ID: 715a6056-87ab-49fb-abef-f4b4198c67bf
By default only the summary of the evaluation is shown. Passing the --detail parameter will show the policy checks that raised warnings or errors.
$ anchore-cli evaluate check debian:latest
Image Digest: sha256:427752aa7da803378f765f5a8efba421df5925cbde8ab011717f3642f406fb15
Full Tag: docker.io/debian:latest
Status: fail
Last Eval: 2017-09-02T15:19:55
Policy ID: 715a6056-87ab-49fb-abef-f4b4198c67bf
Gate Trigger Detail Status
DOCKERFILECHECK NOHEALTHCHECK Dockerfile does not contain any HEALTHCHECK instructions
ANCHORESEC VULNHIGH HIGH Vulnerability found in package - mount (CVE-2016-2779 - https://security-tracker.debian.org/tracker/CVE-2016-2779) stop
ANCHORESEC VULNHIGH HIGH Vulnerability found in package - libuuid1 (CVE-2016-2779 - https://security-tracker.debian.org/tracker/CVE-2016-2779) stop
In this example we specified library/repo:tag which could be ambiguous. At the time of writing the image Digest for library/debian:latest was sha:256:427752aa..... however previously different images may have been tagged as library/debian:latest. The --show-history parameter can be passed to show historic evaluations based on previous images or previous policy bundles.
Anchore supports whitelisting and blacklisting images by their name, ID or digest. A blacklist or whitelist takes precedence over any policy checks. For example if an image is explicitly listed as blacklisted then even if all the individual policy checks pass the image will still fail evaluation.
$ anchore-cli evaluate check library/alpine:latest --detail
Image Digest: sha256:8c03bb07a531c53ad7d0f6e7041b64d81f99c6e493cb39abba56d956b40eacbc
Full Tag: docker.io/library/alpine:latest
Image ID: 3fd9065eaf02feaf94d68376da52541925650b81698c53c6824d92ff63f98353
Status: fail
Last Eval: 2018-04-29T13:50:32
Policy ID: 2c53a13c-1765-11e8-82ef-23527761d060
Final Action: stop
Final Action Reason: blacklisted
Gate Trigger Detail Status
dockerfile instruction Dockerfile directive 'HEALTHCHECK' not found, matching condition 'not_exists' check warn
In this example even though the image only had one policy check that raised a warning the image fails policy evaluation since it is present on a blacklist.
Evaluating status based on Digest or ID
Performing an evaluation on an image specified by name is not recommended since an image name is ambiguous. For example the tag docker.io/library/centos:latest refers to whatever image has the tag library/centos:latest at the time of evaluation. At any point in time another image may be tagged as library/centos:latest.
It is recommended that images are referenced by their Digest. For example at the time of writing the digest of the ‘current’ library/centos:latest image is sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44
If the image to be evaluated is specified by Image ID or Image Digest then the --tag parameter must be added. Policies are mapped to images based on registry/repo:tag so since an Image ID may may to multiple different names we must specify the name user in the evaluation.
For example - referencing by Image Digest:
$ anchore-cli evaluate check docker.io/library/centos@sha256:191c883e479a7da2362b2d54c0840b2e8981e5ab62e11ab925abf8808d3d5d44 --tag=latest
For example - referencing by image ID:
$ anchore-cli evaluate check e934aafc22064b7322c0250f1e32e5ce93b2d19b356f4537f5864bd102e8531f --tag=docker.io/library/centos:latest
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.