Scanning Repositories
Introduction
Individual images can be added to Anchore Enterprise using the image add command. This may be performed by a CI/CD plugin such as Jenkins or manually by a user with the CLI or API.
Anchore Enterprise can also be configured to scan repositories and automatically add any tags found in the repository. Once added, Anchore Enterprise will poll the registry to look for changes at a user configurable interval. This interval is specified in the Anchore Enterprise configuration file: config.yaml within the services -> Catalog configuration stanza.
Example Configuration
cycle_timers:
image_watcher: 3600
repo_watcher: 60
In this example the repo is polled for updates every minute (60 seconds).
Adding Repositories
The repo add command instructs Anchore Enterprise to add the specified repository watch list.
$ anchore-cli repo add repo.example.com/apps
By default Anchore Enterprise will automatically add the discovered tags to the list of subscribed tags (see Working with Subscriptions this behavior can be overridden by passing the --noautosubscribe option.
Anchore Enterprise needs to find a single TAG in the repository before the repository can be added to the watch list. By default Anchore Enterprise will look for a tag named latest this behavior can be overridden using the --lookuptag option.
In the following example the apps repo is known to contain a dev tag.
$ anchore-cli repo add repo.example.com/apps --lookuptag dev
Listing Repositories
The repo list command will show the repositories monitored by Anchore Enterprise.
$ anchore-cli repo list
Repository Watched TagCount
docker.io/anchore/test True 15
docker.io/anchore/prod True 25
Deleting Repositories
The del option can be used to instruct Anchore Enterprise to remove the repository from the watch list. Once the repository record has been deleted no further changes to the repository will be detected by Anchore Enterprise.
Note: No existing image data will be removed from Anchore Enterprise.
$ anchore-cli repo del repo.example.com/myrepo
Unwatching Repositories
When a repository is added, Anchore Enterprise will monitor the repository for new and updated tags. This behavior can be disabled preventing Anchore Enterprise from monitoring the repository for changes.
In this case the repo list command will show false in the Watched column for this registry.
$ anchore-cli repo unwatch repo.example.com/myrepo
Watching Repositories
The repo watch command instructs Anchore Enterprise to monitor a repository for new and updated tags. By default repositories added to Anchore Enterprise are automatically watched. This option is only required if a repository has been manually unwatched.
$ anchore-cli repo watch repo.example.com/myrepo
As of v3.0, Anchore Enterprise can be configured to have a size limit for images being added for analysis. This feature applies to the repo watcher. Images that exceed the max configured size in the repo being watched will not be added and a message will be logged in the catalog service. This feature is disabled by default so see documentation for additional details on the functionality of this feature and instructions on how to configure the limit
Removing a Repository and All Images
There may be a time when you wish to stop a repository analysis when the analysis is running (e.g., accidentally watching an image with a large number of tags). There are several steps in the process which are outlined below. We will use docker.io/library/alpine as an example.
Note: Be careful when deleting images. In this flow, Anchore deletes the image, not just the repository/tag combo. Because of this, deletes may impact more than the expected repository since an image may have tags in multiple repositories or even registries.
Check the State
Take a look at the repository list.
# anchore-cli repo list
Repository Watched TagCount
docker.io/library/alpine True 29
Also look at the image list.
# anchore-cli image list | grep 'docker.io/library/alpine'
docker.io/library/alpine:20190228 sha256:1dd6a46eca0d7025920a8b3e3db7fdc33ad5c4e2e317c314e125d4141ce14a0f not_analyzed
docker.io/library/alpine:20190408 sha256:00c76f80fd9298c831c4c5e799df6d7164b2a2692b10318c00ab217b381ba659 not_analyzed
docker.io/library/alpine:20190707 sha256:c04b643dedaccae53e036f2bf72b0e792870f51708aff6ceaa6895de60e46257 not_analyzed
docker.io/library/alpine:3.1 sha256:25fd8fc1aefcc8ae46aae23daefcd7dcb97f676fa0bc72bb0bf7cfb75df4f22e not_analyzed
docker.io/library/alpine:3.10.1 sha256:57334c50959f26ce1ee025d08f136c2292c128f84e7b229d1b0da5dac89e9866 not_analyzed
docker.io/library/alpine:3.5 sha256:f7d2b5725685826823bc6b154c0de02832e5e6daf7dc25a00ab00f1158fabfc8 not_analyzed
docker.io/library/alpine:3.6.5 sha256:36c3a913e62f77a82582eb7ce30d255f805c3d1e11d58e1f805e14d33c2bc5a5 not_analyzed
...
...
Removing the Repository from the Watched List
Unwatch docker.io/library/alpine to prevent future automatic updates.
# anchore-cli repo unwatch docker.io/library/alpine
Repository Watched TagCount
docker.io/library/alpine False 29
Delete the Repository
Delete the repository. This may need to be done a couple times if the repository still shows in the repository list.
# anchore-cli repo del docker.io/library/alpine
Success
Forcefully Delete the Images
Delete the analysis/images. This may need to be done several times to remove all images depending on how many there are.
# for i in `anchore-cli image list | grep 'docker.io/library/alpine' | awk '{print $1}' | sort | uniq`
> do
> anchore-cli image del ${i} --force
> done
Success
Success
Success
...
...
Verify the Repository and All Images are Deleted
Check the repository list.
# anchore-cli repo list
<no output>
Check the image list.
# anchore-cli image list | grep 'docker.io/library/alpine'
<no output>
Next Steps
- View security vulnerabilities in the image
- Evaluate the image against policies you create
- Subscribe to receive notifications when the image is updated, when the policy status changes, or when new vulnerabilites are detected.
Feedback
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.