# All-in-one docker compose deployment of a full anchore-enterprise service system --- version: "2.1" name: "anchore-590" volumes: # Since this is for a quickstart, each minor version has its own db, to use a previous db and upgrade, change this to the db volume name you want to upgrade. e.g. "anchore-enterprise-4.2-db" if upgrading from a 4.2 quickstart deployment. anchore-enterprise-5.9-db: # Set this to 'true' to use an external volume. In which case, it must be created manually with "docker volume create anchore-db-volume" external: false feeds-workspace-volume: # Set this to 'true' to use an external volume. In which case, it must be created manually with "docker volume create feeds-workspace-volume" external: false enterprise-feeds-db-volume: # Set this to 'true' to use an external volume. In which case, it must be created manually with "docker volume create enterprise-feeds-db-volume" external: false services: # The primary API endpoint service api: image: docker.io/anchore/enterprise:v5.9.0 depends_on: - anchore-db - catalog volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z ports: - "8228:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=api - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "apiext"] # Catalog is the primary persistence and state manager of the system catalog: image: docker.io/anchore/enterprise:v5.9.0 depends_on: - anchore-db volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z logging: driver: "json-file" options: max-size: 100m expose: - 8228 environment: - ANCHORE_ENDPOINT_HOSTNAME=catalog - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_CATALOG_NOTIFICATION_INTERVAL_SEC=0 - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "catalog"] queue: image: docker.io/anchore/enterprise:v5.9.0 depends_on: - anchore-db - catalog volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=queue - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "simplequeue"] policy-engine: image: docker.io/anchore/enterprise:v5.9.0 depends_on: - anchore-db - catalog volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=policy-engine - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret # To use on-prem feed service with grype, uncomment ANCHORE_GRYPE_DB_URL. In addition, uncomment the enterprise-feeds-db and feeds services at the end of this file # - ANCHORE_GRYPE_DB_URL=http://feeds:8228/v2/databases/grypedb # To use on-prem feed service, uncomment the following ANCHORE_FEEDS_* environment variables. In addition, uncomment the enterprise-feeds-db and feeds services at the end of this file #- ANCHORE_FEEDS_URL=http://feeds:8228/v2/feeds # Uncomment the next variable in addition to enabling the on-prem feed service just above, to enable syncing of the MSRC data feeds for windows scanning support. #- ANCHORE_FEEDS_MICROSOFT_ENABLED=true # Uncomment this to enable the vulnerability-annotations feed to be synced to the policy engine and include CISA KEV data #- ANCHORE_VULN_ANNOTATIONS_FEED_ENABLED=true # The following environment variables can be used to tune the system-level vulnerability matching settings and will apply to all vulnerability scans across all accounts. # It is important to note that the github provider must be enabled in the feed service if search by cpe is disabled for any ecosystem or there will be no vulnerability matches at all for # that ecosystem. The below settings represent the current defaults if nothing else is specified. Searching by CPE is enabled for all configurable ecosystems except for javascript. # - ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-false} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # The `stock` matcher is the default catch-all ecosystem and it is *STRONGLY DISCOURAGED* to disable search by cpe for this ecosystem. This will disable vulnerability matching for all # binaries that are not installed by a package manager (python interpreter, go tooling, ruby, etc) # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} command: ["anchore-enterprise-manager", "service", "start", "policy_engine"] analyzer: image: docker.io/anchore/enterprise:v5.9.0 depends_on: - anchore-db - catalog expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=analyzer - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret volumes: - ./license.yaml:/license.yaml:ro - /analysis_scratch #- ./config-enterprise.yaml:/config/config.yaml:z # To enable and configure malware and catalogers during centralized analysis/scans please review - https://docs.anchore.com/current/docs/configuration/malware. #- ./analyzer_config.yaml:/anchore_service/analyzer_config.yaml:z command: ["anchore-enterprise-manager", "service", "start", "analyzer"] anchore-db: image: docker.io/library/postgres:13 volumes: - anchore-enterprise-5.9-db:/var/lib/postgresql/data environment: - POSTGRES_PASSWORD=mysecretpassword expose: - 5432 logging: driver: "json-file" options: max-size: 100m healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] reports: image: docker.io/anchore/enterprise:v5.9.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z depends_on: - anchore-db - catalog ports: - "8558:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=reports - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "reports"] reports_worker: image: docker.io/anchore/enterprise:v5.9.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z depends_on: - anchore-db - catalog expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=reports_worker - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "reports_worker"] notifications: image: docker.io/anchore/enterprise:v5.9.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z depends_on: - anchore-db - catalog ports: - "8668:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=notifications - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD=foobar - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_ENTERPRISE_UI_URL=http://localhost:3000 - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "notifications"] ui-redis: image: docker.io/library/redis:4 expose: - 6379 logging: driver: "json-file" options: max-size: 100m healthcheck: test: ["CMD-SHELL", "redis-cli PING"] ui: image: docker.io/anchore/enterprise-ui:v5.9.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-ui.yaml:/config/config-ui.yaml:z depends_on: - api - ui-redis - anchore-db ports: - "3000:3000" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENTERPRISE_URI=http://api:8228/v2 - ANCHORE_REDIS_URI=redis://ui-redis:6379 - ANCHORE_APPDB_URI=postgres://postgres:mysecretpassword@anchore-db:5432/postgres - ANCHORE_ENABLE_METRICS=false # Uncomment this section to add an on-prem feed service to this deployment. This will incur first-time feed sync delay, but is included for completeness / review of enterprise service deployment options # You will need to configure the policy engine service to talk to the feeds service - uncomment env var - ANCHORE_FEEDS_URL # enterprise-feeds-db: # image: docker.io/library/postgres:13 # volumes: # - enterprise-feeds-db-volume:/var/lib/postgresql/data # environment: # - POSTGRES_PASSWORD=mysecretpassword # expose: # - 5432 # logging: # driver: "json-file" # options: # max-size: 100m # healthcheck: # test: ["CMD-SHELL", "pg_isready -U postgres"] # feeds: # image: docker.io/anchore/enterprise:v5.9.0 # volumes: # - feeds-workspace-volume:/workspace # - ./license.yaml:/license.yaml:ro # #- ./config-enterprise.yaml:/config/config.yaml:z # depends_on: # - enterprise-feeds-db # ports: # - "8448:8228" # logging: # driver: "json-file" # options: # max-size: 100m # environment: # - ANCHORE_ENDPOINT_HOSTNAME=feeds # - ANCHORE_DB_HOST=enterprise-feeds-db # - ANCHORE_DB_PASSWORD=mysecretpassword # - ANCHORE_ENABLE_METRICS=false # - ANCHORE_DISABLE_METRICS_AUTH=true # - ANCHORE_LOG_LEVEL=INFO # - ANCHORE_OAUTH_ENABLED=true # - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true # - ANCHORE_ENTERPRISE_FEEDS_EXTERNAL_URL=http://feeds:8228/v2 # # Uncomment the following to enable Microsoft msrc driver. # - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true # # Uncomment ANCHORE_ENTERPRISE_FEEDS_VULN_MATCH_EXCLUSION_DRIVER_ENABLED to enable Anchore's vulnerability match exclusion feed driver. Contact administrator for an appropriate license. # - ANCHORE_ENTERPRISE_FEEDS_VULN_MATCH_EXCLUSION_DRIVER_ENABLED=true # # Uncomment ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN for github driver. # # Generate token with https://github.com/settings/tokens/new?scopes=user,public_repo,repo,repo_deployment,repo:status,read:repo_hook,read:org,read:public_key,read:gpg_key # # and assign the value to environment variable # - ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN= # - ANCHORE_AUTH_SECRET=supersharedsecret # - ANCHORE_VULN_ANNOTATIONS_FEED_ENABLED=true # command: ["anchore-enterprise-manager", "service", "start", "feeds"] # # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported # # You will also need to set metrics env variable to true foreach Anchore service "ANCHORE_ENABLE_METRICS=true" in this file. # prometheus: # image: docker.io/prom/prometheus:latest # depends_on: # - api # volumes: # - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z # logging: # driver: "json-file" # options: # max-size: 100m # ports: # - "9090:9090" # # Uncomment this section to run a swagger UI service, for inspecting and interacting with the anchore enterprise API via a browser (http://localhost:8080 by default, change if needed in both sections below) # swagger-ui-nginx: # image: docker.io/nginx:latest # depends_on: # - api # - swagger-ui # ports: # - "8080:8080" # volumes: # - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z # logging: # driver: "json-file" # options: # max-size: 100m # swagger-ui: # image: docker.io/swaggerapi/swagger-ui # environment: # - URL=http://localhost:8080/v2/openapi.json # logging: # driver: "json-file" # options: # max-size: 100m