Pipeline Image Analysis

Pipeline Image Analysis and Scanning

Anchore supports analyzing images at build time, with no requirement to push them to a registry before they can be analyzed and added to the system.

This feature works by executing anchorectl inside your pipeline and giving it the endpoint and credentials of the Anchore deployment to upload the results to. anchorectl analyzes the image locally for package artifacts and uploads the analysis (a software bill of materials) together with the container metadata to Anchore. The system then loads the result, after which the image analysis is available for vulnerability queries and policy evaluations using AnchoreCTL or direct API operations.

The analysis import is processed by the analyzer services, so you will see the image enter the not_analyzed state when first uploaded, then analyzing, and finally analyzed. Once in the analyzing state the process is usually very fast (seconds), since it operates only on the provided package manifest rather than pulling any image data or performing significant I/O to unpack an image. Note that because Anchore never pulls the image itself, the vulnerability results and policy evaluations are only as complete as the SBOM the pipeline uploads, so the SBOM should be generated from the exact image being shipped.

Example

❯ syft -o json ubuntu:latest | anchorectl image add ubuntu:latest --wait --from -
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [101 packages]
Image:
  status:           analyzed (active)
  tag:              docker.io/ubuntu:latest
  digest:           sha256:33bca6883412038cc4cbd3ca11406076cf809c1dd1462a144ed2e38a7e79378a
  id:               sha256:df5de72bdb3b711aba4eca685b1f42c722cc8a1837ed3fbd548a9282af2d836d
  distro:           [email protected] (amd64)
  layers:           1

❯ anchorectl image get ubuntu:latest
Tag: docker.io/ubuntu:latest
Digest: sha256:33bca6883412038cc4cbd3ca11406076cf809c1dd1462a144ed2e38a7e79378a
ID: sha256:df5de72bdb3b711aba4eca685b1f42c722cc8a1837ed3fbd548a9282af2d836d
Analysis: analyzed
Status: active

❯ anchorectl image vulnerabilities ubuntu:latest -t all
...
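The same flow wrapped as a pipeline stage, as an added example that is not part of the Anchore documentation or of anchorectl itself. It assumes syft and anchorectl are on PATH, that the connection is configured through the environment (ANCHORECTL_URL, ANCHORECTL_USERNAME, ANCHORECTL_PASSWORD), and that `anchorectl image check --fail-based-on-results` returns non-zero when the policy evaluation fails; verify both assumptions against your anchorectl version. The `analysis_state` parser is driven by the `anchorectl image get` output shown above, and the poll loop covers the case where upload and gating run in separate pipeline jobs so `--wait` is not available.

```bash
#!/usr/bin/env bash
# Added example, not Anchore's own code: build the SBOM locally with syft, upload it
# with anchorectl, then gate the pipeline on analysis state and policy result.
# Assumes syft and anchorectl on PATH and ANCHORECTL_URL / ANCHORECTL_USERNAME /
# ANCHORECTL_PASSWORD set in the environment (assumption, check your setup).
set -eu
# pipefail is not POSIX; enable it only where the shell supports it, so a failing
# `syft` in a pipeline is not masked by a successful `anchorectl`.
if (set -o pipefail) 2>/dev/null; then set -o pipefail; fi

# Extract the value of the "Analysis:" line from `anchorectl image get` output
# (e.g. "Analysis: analyzed"). Reads stdin so it can be tested on captured text.
analysis_state() {
  awk -F': *' '$1 == "Analysis" { print $2; exit }'
}

# Map an analysis state to an exit code: 0 once analyzed, 2 while the import is
# still pending (not_analyzed / analyzing), 1 for any other state.
state_to_rc() {
  case "$1" in
    analyzed) return 0 ;;
    not_analyzed|analyzing) return 2 ;;
    *) return 1 ;;
  esac
}

# Poll until the image leaves the pending states or the timeout expires. Useful when
# the upload happened in an earlier job and this job only gates on the result.
wait_for_analysis() {
  image="$1"; timeout="${2:-300}"; interval=5; elapsed=0
  while :; do
    state="$(anchorectl image get "$image" | analysis_state)"
    rc=0; state_to_rc "$state" || rc=$?
    if [ "$rc" -ne 2 ]; then
      echo "$image: analysis state '$state'"
      return "$rc"
    fi
    if [ "$elapsed" -ge "$timeout" ]; then
      echo "timed out after ${timeout}s waiting for $image (state: $state)" >&2
      return 1
    fi
    sleep "$interval"; elapsed=$((elapsed + interval))
  done
}

# Full stage: generate the SBOM from the exact image being shipped, upload it
# (--from - reads the syft JSON from stdin, --wait blocks until analyzed), then
# list vulnerabilities and fail the job on a failed policy evaluation.
pipeline_stage() {
  image="$1"
  syft -o json "$image" | anchorectl image add "$image" --wait --from -
  anchorectl image vulnerabilities "$image" -t all
  # --fail-based-on-results is assumed to exit non-zero on a policy failure.
  anchorectl image check "$image" --fail-based-on-results
}

# Run the stage only when an image is named, so the helpers can also be sourced.
if [ -n "${ANCHORE_IMAGE:-}" ]; then
  pipeline_stage "$ANCHORE_IMAGE"
fi
```

Run it as `ANCHORE_IMAGE=ubuntu:latest ./anchore-stage.sh`. In a two-job layout, call `wait_for_analysis "$IMAGE" 600` before the `image check` in the second job; pinning the image by digest rather than tag (as the `Digest:` line above shows) avoids gating on an analysis of a different build than the one being promoted.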

Next Steps

Install anchorectl to scan local images and generate a software bill of materials (SBOM) to upload into your Anchore deployment.

After uploading the analysis, use AnchoreCTL or the UI to view vulnerabilities or policy evaluations, which draw on the enterprise feed data and policy features such as base-image diffs or false positive management.

Last modified October 20, 2023