
DoD

Current IronBank policy pack version: Anchore DoD Iron Bank v20250101

Current DISA policy pack version: Anchore DISA Image Creation and Hardening Guide v20250101

Introduction

Anchore Enterprise provides two DoD policies:

  • DISA Image Creation and Deployment Guide — provided by the Defense Information Systems Agency (DISA), the agency that supplies IT and communications support to the U.S. government and federal organizations. This policy provides security and compliance checks that align with specific NIST 800-53 and NIST 800-190 controls as described in the DoD Container Image Creation and Deployment Guide.
  • IronBank — validates images against DoD security and compliance requirements in alignment with U.S. Air Force security standards at Platform One and IronBank, written in accordance with DoD Enterprise DevSecOps Reference Design documentation.

DISA

Anchore Enterprise checks for the following control specifications in the DISA policy:

  • AC-6(10) Container Image Must Have Permissions Removed from Executables that Allow a User to Execute Software at Higher Privileges
  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks
  • IA-5(2a) Base Image Checks
  • IA-5(7) Embedded Credentials
  • RA-5 Software Vulnerability Checks
  • SC-5 Image Checks
  • SC-8(2) Base Image Checks
  • SI-2(6) Image Software Update/Layer Checks

IronBank

The IronBank policy includes checks across the following areas:

Dockerfile, User, File, Istio, Software, Transfer Protocol, Node.js, Etcd, Snort, Jenkins, Grafana, UBI7, Chef, Sonarqube, Prometheus, Postgres, Nginx, OpenJDK, Twistlock, Keycloak, Fluentd, Elasticsearch, Kibana, Redis, Apache HTTP, and Apache Tomcat.

Using the Pack

Import the pack like any other policy — see Manage Policies for the GUI, AnchoreCTL, and API workflows. Once imported, scope it to the registries and repositories it should apply to through Policy Mappings, then activate it as the account’s default policy.

Configuring Rule Sets

The IronBank policy does not require any rule set configuration. The DISA policy does: several of its control specifications are represented by rule sets that must be configured before the policy is used. Rule sets are edited from the policy’s Edit action in the Anchore Enterprise GUI (see Manage Policies).

The following rule sets must be configured before using the DISA policy:

  • CM-6(b) Confidential Data Checks
  • CM-7(1b) Network Port Exposure Checks
  • CM-7(a) Container Image Build Content Checks