Deploying AnchoreCTL
In this section you will learn how to deploy and configure AnchoreCTL, the Anchore Enterprise Command Line Interface.
AnchoreCTL is published as a simple binary that can be installed by downloading it directly or by using the packages provided for different platforms.
Using AnchoreCTL, you can manage and inspect all aspects of your Anchore Enterprise deployments, either as a manual human-readable configuration/instrumentation/control tool or as a CLI that is designed to be used in scripted environments such as CI/CD and other automation environments.
Note
Starting with Enterprise v4.9.0 and continuing forward, AnchoreCTL will be version-aligned with Anchore Enterprise for major/minor releases.
Installation
AnchoreCTL’s release version coincides with the release version of Anchore Enterprise. For example,
- Enterprise v5.0.0
- AnchoreCTL v5.0.0
It is highly recommended that the version of AnchoreCTL you are using is supported by the deployed version of Enterprise. Please refer to the Enterprise Release Notes for the supported version of AnchoreCTL.
MacOS/Linux
Specify a release version and destination directory for the installation:
curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh | sh -s -- -b <DESTINATION_DIR> <RELEASE_VERSION>
Alternatively, you can download a specific version without installation:
curl -o anchorectl.tar.gz https://anchorectl-releases.anchore.io/anchorectl/v5.0.0/anchorectl_5.0.0_linux_amd64.tar.gz
Windows
For Windows, you must specify the version of AnchoreCTL to download if using a script.
curl -o anchorectl.zip https://anchorectl-releases.anchore.io/anchorectl/v5.0.0/anchorectl_5.0.0_windows_amd64.zip
Configuration
AnchoreCTL configuration search paths have the following precedence:
- .anchorectl.yaml
- anchorectl.yaml
- .anchorectl/config.yaml
- ~/.anchorectl.yaml
- ~/anchorectl.yaml
- $XDG_CONFIG_HOME/anchorectl/config.yaml
Required options:
url
username
password
Default options:
# the Anchore Enterprise account that the user is a part of (env var: "ANCHORECTL_ACCOUNT")
account: ""
# the Anchore Enterprise user's login password (env var: "ANCHORECTL_PASSWORD")
password: ""
# the Anchore Enterprise username (env var: "ANCHORECTL_USERNAME")
username: ""
# the URL to the Anchore Enterprise API (env var: "ANCHORECTL_URL")
url: ""
debug:
  # log HTTP requests, responses, headers, and body (requires log level debug or trace) (env var: "ANCHORECTL_DEBUG_API")
  api: false
  # log all events on the internal event bus and poll rich objects read from the bus (env var: "ANCHORECTL_DEBUG_EVENTS")
  events: false
http:
  # default HTTP headers to add to all HTTP requests (env var: "ANCHORECTL_HTTP_HEADERS")
  headers: {}
  # disable SSL certificate verification for all HTTP calls (not recommended) (env var: "ANCHORECTL_HTTP_TLS_INSECURE")
  tls-insecure: false
  # time in seconds before cancelling an HTTP request (env var: "ANCHORECTL_HTTP_TIMEOUT")
  timeout: 180
log:
  # error, warn, info, debug, trace (env var: "ANCHORECTL_LOG_LEVEL")
  level: "warn"
  # file to write all loge entries to (env var: "ANCHORECTL_LOG_FILE")
  file: ""
update:
  # check for a new version of anchorectl at startup (env var: "ANCHORECTL_UPDATE_CHECK")
  check: true
  # the URL used to check for application updates (env var: "ANCHORECTL_UPDATE_URL")
  url: "https://anchorectl-releases.anchore.io/anchorectl/releases/latest/metadata.json"
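Because the configuration file stores the login password and the first entries in the search list are relative to the working directory, it helps to check which file a client will pick up before it runs in CI. The following is an added example, not part of AnchoreCTL or the original page: it resolves the winning file and flags settings that weaken the client. The function names are hypothetical, the first existing file in the list is assumed to be the one used, and the XDG path is only checked when the variable is set.

```sh
# Added example; not part of AnchoreCTL. Function names are hypothetical.

# Print the config file that wins under the documented search order.
# $1 = working directory, $2 = home directory, $3 = XDG_CONFIG_HOME (may be empty).
# Assumption: the first existing file in the list is the one used.
resolve_anchorectl_config() {
    for f in "$1/.anchorectl.yaml" "$1/anchorectl.yaml" "$1/.anchorectl/config.yaml" \
             "$2/.anchorectl.yaml" "$2/anchorectl.yaml" \
             "${3:+$3/anchorectl/config.yaml}"; do
        if [ -n "$f" ] && [ -f "$f" ]; then
            printf '%s\n' "$f"
            return 0
        fi
    done
    return 1
}

# Print one finding per line for settings that weaken the client.
# Returns 0 when the file is clean, 1 otherwise.
audit_anchorectl_config() {
    cfg=$1
    findings=0
    # Characters 5-10 of the ls mode string are the group and other bits.
    perms=$(ls -ld "$cfg" | cut -c5-10)
    if [ "$perms" != "------" ]; then
        echo "perms: group/other can access $cfg ($perms); it stores a password"
        findings=1
    fi
    if grep -Eq '^[[:space:]]+tls-insecure:[[:space:]]*true' "$cfg"; then
        echo "tls: http.tls-insecure is true, certificate verification is off"
        findings=1
    fi
    if grep -Eq '^[[:space:]]+api:[[:space:]]*true' "$cfg"; then
        echo "debug: debug.api is true, HTTP headers and bodies are logged at debug/trace level"
        findings=1
    fi
    if grep -Eq '^url:[[:space:]]*"?http://' "$cfg"; then
        echo "url: API URL is http://, credentials are sent without TLS"
        findings=1
    fi
    return "$findings"
}

# Usage:
#   cfg=$(resolve_anchorectl_config "$PWD" "$HOME" "$XDG_CONFIG_HOME") && audit_anchorectl_config "$cfg"
```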
Usage
The anchorectl tool has extensive built-in help information for each command and operation, with many of the parameters allowing for environment overrides. To start with anchorectl, you can run the command with --help to see all the operation sections available:
# anchorectl --help
Usage:
  [flags]
  [command]
Application Config:
  (search locations: .anchorectl.yaml, anchorectl.yaml, .anchorectl/config.yaml, ~/.anchorectl.yaml, ~/anchorectl.yaml, $XDG_CONFIG_HOME/anchorectl/config.yaml)
  # the URL to the Anchore Enterprise API (env var: "ANCHORECTL_URL")
  url: ""
  # the Anchore Enterprise username (env var: "ANCHORECTL_USERNAME")
  username: ""
  # the Anchore Enterprise user's login password (env var: "ANCHORECTL_PASSWORD")
  password: ""
  # the Anchore Enterprise account that the user is a part of (env var: "ANCHORECTL_ACCOUNT")
  account: ""
  update:
    # check for a new version of anchorectl at startup (env var: "ANCHORECTL_UPDATE_CHECK")
    check: true
    # the URL used to check for application updates (env var: "ANCHORECTL_UPDATE_URL")
    url: "https://anchorectl-releases.anchore.io/anchorectl/releases/latest/metadata.json"
  # suppress logging output (env var: "ANCHORECTL_QUIET")
  quiet: false
  log:
    # error, warn, info, debug, trace (env var: "ANCHORECTL_LOG_LEVEL")
    level: "warn"
    # file to write all loge entries to (env var: "ANCHORECTL_LOG_FILE")
    file: ""
  debug:
    # log HTTP requests, responses, headers, and body (requires log level debug or trace) (env var: "ANCHORECTL_DEBUG_API")
    api: false
    # log all events on the internal event bus and poll rich objects read from the bus (env var: "ANCHORECTL_DEBUG_EVENTS")
    events: false
  http:
    # disable SSL certificate verification for all HTTP calls (not recommended) (env var: "ANCHORECTL_HTTP_TLS_INSECURE")
    tls-insecure: false
    # time in seconds before cancelling an HTTP request (env var: "ANCHORECTL_HTTP_TIMEOUT")
    timeout: 180
    # default HTTP headers to add to all HTTP requests (env var: "ANCHORECTL_HTTP_HEADERS")
    headers: map[]
Available Commands:
  account       Account related operations
  application   Application related operations
  archive       Archive rule and image operations
  completion    Generate the autocompletion script for the specified shell
  compliance    Compliance report operations
  correction    Correction related operations
  event         Event related operations
  feed          Feed related operations
  help          Help about any command
  image         Image related operations
  policy        Policy related operations
  registry      Registry credential operations
  repo          Repository related operations
  source        Source repository related operations
  subscription  Subscription related operations
  system        System related operations
  user          User related operations
  version       show anchorectl version information
Global Flags:
  -c, --config string   application config file (env: ANCHORECTL_CONFIG)
  -h, --help            help for this command
  -q, --quiet           suppress all logging output (env: ANCHORECTL_QUIET)
  -v, --verbose count   increase verbosity (-v = info, -vv = debug) (env: ANCHORECTL_VERBOSITY)
      --version         version for this command
Use "[command] --help" for more information about a command.
Once installed and configured, a good way to quickly test that your anchorectl client is ready to use against a deployed and running Anchore Enterprise endpoint is to exercise the system status call, which will display status information fetched from your Enterprise deployment.
With ~/.anchorectl.yaml installed and populated correctly, no environment variables or parameters are required:
# anchorectl system status
✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE │ HOST ID │ URL │ UP │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ rbac_authorizer │ anchore-quickstart │ http://rbac-authorizer:8228 │ true │ available │ 500 │ 5.0.0 │
│ reports │ anchore-quickstart │ http://reports:8228 │ true │ available │ 500 │ 5.0.0 │
│ analyzer │ anchore-quickstart │ http://analyzer:8228 │ true │ available │ 500 │ 5.0.0 │
│ notifications │ anchore-quickstart │ http://notifications:8228 │ true │ available │ 500 │ 5.0.0 │
│ apiext │ anchore-quickstart │ http://api:8228 │ true │ available │ 500 │ 5.0.0 │
│ policy_engine │ anchore-quickstart │ http://policy-engine:8228 │ true │ available │ 500 │ 5.0.0 │
│ rbac_manager │ anchore-quickstart │ http://rbac-manager:8228 │ true │ available │ 500 │ 5.0.0 │
│ reports_worker │ anchore-quickstart │ http://reports-worker:8228 │ true │ available │ 500 │ 5.0.0 │
│ simplequeue │ anchore-quickstart │ http://queue:8228 │ true │ available │ 500 │ 5.0.0 │
│ catalog │ anchore-quickstart │ http://catalog:8228 │ true │ available │ 500 │ 5.0.0 │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘
Without setting up ~/.anchorectl.yaml or any configuration file, you can interact using environment variables:
ANCHORECTL_URL="http://localhost:8228" ANCHORECTL_USERNAME="admin" ANCHORECTL_PASSWORD="foobar" anchorectl system status
✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE │ HOST ID │ URL │ UP │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ rbac_authorizer │ anchore-quickstart │ http://rbac-authorizer:8228 │ true │ available │ 500 │ 5.0.0 │
│ reports │ anchore-quickstart │ http://reports:8228 │ true │ available │ 500 │ 5.0.0 │
│ analyzer │ anchore-quickstart │ http://analyzer:8228 │ true │ available │ 500 │ 5.0.0 │
│ notifications │ anchore-quickstart │ http://notifications:8228 │ true │ available │ 500 │ 5.0.0 │
│ apiext │ anchore-quickstart │ http://api:8228 │ true │ available │ 500 │ 5.0.0 │
│ policy_engine │ anchore-quickstart │ http://policy-engine:8228 │ true │ available │ 500 │ 5.0.0 │
│ rbac_manager │ anchore-quickstart │ http://rbac-manager:8228 │ true │ available │ 500 │ 5.0.0 │
│ reports_worker │ anchore-quickstart │ http://reports-worker:8228 │ true │ available │ 500 │ 5.0.0 │
│ simplequeue │ anchore-quickstart │ http://queue:8228 │ true │ available │ 500 │ 5.0.0 │
│ catalog │ anchore-quickstart │ http://catalog:8228 │ true │ available │ 500 │ 5.0.0 │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘
Next Steps
Once AnchoreCTL has been installed and configured, learn about using Anchore Enterprise.
Last modified November 16, 2023