Working with Policies

Introduction

Policies are central to the concept of Anchore Enterprise, this article provides information on how to create, delete, update, and describe policies using AnchoreCTL to interact with a running Anchore Enterprise deployment.

At a high-level Anchore Enterprise consumes policies store in a Policy that contain:

  • Policies
  • Allowlists
  • Mappings
  • Allowlisted Images
  • Denylisted Images

Anchore Enterprise can store multiple policies for each account, but only one policy can be active at any point in time. All users within an account share the same set of policies. It is common to store historic policies to allow previous policies and evaluations to be inspected. The active policy is the one used for evaluation for notifications, incoming kubernetes webhooks (unless configured otherwise), and other automatic system functions, but a user may request evaluation of any policy stored in the system using its id.

For more information on the content and semantics of policies see: Policies and Evaluation

Creating Policies

Policies are just JSON documents. Anchore Enterprise includes a default policy configured at installation that performs basic CVE checks as well as some Dockerfile checks.

To create custom polices, you may:

  • Edit JSON manually and upload a file
  • Use the Anchore Enterprise UI to edit policies

Managing Policies

Policies can be managed directly using the REST API or the anchorectl policy command.

Adding Policies using AnchoreCTL

The anchorectl tool allows you to upload policies to Anchore Enterprise.

# anchorectl policy add --input /path/to/policy/policy.json

Note: Adding a policy will not automatically set the policy to be active, you will need to activate the policy using the activate command.

Listing Policies

Anchore Enterprise may store multiple policies however at a given time only one policy may be active. Policies can be listed using the policy list command.


# anchorectl policy list
 ✔ Fetched policies
┌────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
│ NAME           │ POLICY ID                            │ ACTIVE │ UPDATED              │
├────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
│ Default policy │ 2c53a13c-1765-11e8-82ef-23527761d060 │ true   │ 2023-10-25T20:39:28Z │
│ devteam1policy │ da8208a2-c8ae-4cf2-a25b-a52b0cdcd789 │ false  │ 2023-10-25T20:47:16Z │
└────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘

Each policy has a unique ID that will be reference in policy evaluation reports.

Note: Times are reported in UTC.

Viewing Policies

Using the policy get command, summary or detailed information about a policy can be retrieved. The policy is referenced using its unique id.


# anchorectl policy get 2c53a13c-1765-11e8-82ef-23527761d060
 ✔ Fetched policy
Name: Default policy
ID: 2c53a13c-1765-11e8-82ef-23527761d060
Comment: Default policy
Policies:
  - artifactType: image
    comment: System default policy
    id: 48e6f7d6-1765-11e8-b5f9-8b6f228548b6
    name: DefaultPolicy
    rules:
      - action: STOP
        gate: dockerfile
        id: ce7b8000-829b-4c27-8122-69cd59018400
        params:
          - name: ports
            value: "22"
          - name: type
            value: denylist
        trigger: exposed_ports
...
...

The policy can be downloaded in JSON format by passing the --detail parameter.

# anchorectl policy get 2c53a13c-1765-11e8-82ef-23527761d060 --detail -o json-raw > policy.json
 ✔ Fetched policy

Activating Policies

The policy activate command can be used to activate a policy. The policy is referenced using its unique id which can be retrieved using the policy list command.


# anchorectl policy activate 2c53a13c-1765-11e8-82ef-23527761d061
 ✔ Activate policy
┌─────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
│ NAME            │ POLICY ID                            │ ACTIVE │ UPDATED              │
├─────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
│ Default policy  │ 2c53a13c-1765-11e8-82ef-23527761d061 │ true   │ 2023-10-25T20:50:17Z │
└─────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘

Note: If Anchore Enterprise has been configured to automatically synchronize policies from the Anchore Cloud then the active policy may be overridden automatically during the next sync.

Deleting Policies

Policies can be deleted from Anchore Enterprise using the policy del command The policy is referenced using its unique id. A policy marked as active cannot be deleted, another policy has to be marked active before deleting the currently active policy.


# anchorectl policy delete 2c53a13c-1765-11e8-82ef-23527761d061
 ✔ Deleted policy
No results

See Anchore Policy Checks for information about available policy gates and triggers in Anchore Enterprise.

Last modified October 25, 2023