API

APIs Overview

Anchore Enterprise is an API-first system. All functions available in the UI and AnchoreCTL are constructed from the same APIs directly available to users. The APIs are a combination of a OpenAPI-specified REST-like API and a reporting-specific GraphQL API.

REST API

The REST API is the primary API for interacting with Anchore and has the most functionality. The Anchore V2 API is viewable in the following ways:

API Browser

API Specification

GraphQL API

The GraphQL API is intended for reporting functions and aggregating data from all resources in an Anchore account and does not provide the same functionality as the REST API. The data that the GraphQL API operates on is updated differently than the data in the REST API and thus may have an update lag between when changes are visible via the REST API and when that data flows into functionality covered by the GraphQL API.

Authentication & Authorization

Authentication

Both the REST and GraphQL APIs are exposed on a network and should be protected at the channel level using TLS. Regardless of the authentication scheme, transport security ensures resistance to replay attacks and other forms of request and credential abuse and should always be used.

See Configuring TLS for setting up TLS in Anchore services directly, or use TLS termination via load balancers or service meshes such as Istio and LinkerD. The right choice for your deployment will depend on your specific environment and requirements.

Anchore APIs support three authentication methods:

  1. HTTP Basic
    • Use HTTP ‘Authorization’ header: Authorization: Basic <base64_encode(<username> + ':' + <password>)> along with your native account credentials
      • curl example: curl -u <username>:<password> http://localhost:8228/v2/images
  2. OAuth2 Bearer Tokens
  3. API Keys
    • Generate API keys following this guide
    • Use HTTP Basic Authorization with a special username _api_key and use the API key value generated as the password
      • curl example: curl -u "_api_key:<api_key_value>" http://localhost:8228/v2/images
    • If you are using SSO, you will need to allow API keys for SAML users

Authorization

Both the REST and GraphQL APIs implement authorization with Role-Based Access Control (RBAC). The APIs also supports Cross-Account access.

  • In this example, we can query for images in an account named ‘product1’ instead of the account that my user resides in.
    • curl -X GET -u {username:password} -H "x-anchore-account: product1" "http://{servername:port}/v2/images"
Last modified September 30, 2024