
CIS

Throughout this guide, we break down the deployment and configuration of the CIS policy with the following sections:

Current CIS policy pack version: Anchore CIS Docker Benchmark V1.8.0 v20251101

Introduction

The Center for Internet Security (CIS) provides prescriptive configuration recommendations for a variety of software vendors. Anchore’s CIS policy pack is based on the CIS Docker 1.8 Benchmark and validates a subset of its security and compliance checks against container images deployed on Docker version 1.8.

Anchore checks for the following control specifications in the CIS policy:

  • 4.1 Ensure that a user for the container has been created
  • 4.2 Ensure that containers use only trusted base
  • 4.3 Ensure that unnecessary packages are not installed in the container
  • 4.4 Ensure images are scanned and rebuilt to include security patches
  • 4.6 Ensure that HEALTHCHECK instructions have been added to container images
  • 4.7 Ensure update instructions are not used alone in Dockerfiles
  • 4.8 Ensure setuid and setgid permissions are removed
  • 4.9 Ensure that COPY is used instead of ADD in Dockerfiles
  • 4.10 Ensure secrets are not stored in Dockerfiles
  • 4.11 Ensure only verified packages are installed
  • 5.8 Ensure privileged ports are not mapped within containers

Enabling the CIS Policy

If you are an Anchore Enterprise customer, you will receive an email that includes a .json file for the policy that comes with your service.

  1. Navigate to the Policies tab in Anchore Enterprise and click ‘Import Policy’.

    [Screenshot: Import-policy]

  2. Drag and drop, or paste the .json file to import the policy into Anchore Enterprise.

    [Screenshot: Paste-json]

    Or run the following command using AnchoreCTL

    # anchorectl policy add -i policy-anchore_cis_1.8.0.json
    ✔ Added policy
    Name: Anchore CIS Docker Benchmark V1.8.0 v20251101
    Policy Id: 1bb3577d-7051-4981-9cd2-13777c44ca50
    Active: false
    Updated: 2025-11-01T16:46:07Z
    
  3. After a successful import, the policy will be available in the Policies tab.

    [Screenshot: policy-list]

    Or run the following command using AnchoreCTL

    # anchorectl policy list
    ✔ Fetched policies
    ┌───────────────────────────────────────────────────────────┬──────────────────────────────────────┬────────┬──────────────────────┐
    │ NAME                                                      │ POLICY ID                            │ ACTIVE │ UPDATED              │
    ├───────────────────────────────────────────────────────────┼──────────────────────────────────────┼────────┼──────────────────────┤
    │ Anchore CIS Docker Benchmark V1.8.0 v20251101             │ 1bb3577d-7051-4981-9cd2-13777c44ca50 │ true   │ 2025-11-20T13:46:07Z │
    │ Anchore DoD Iron Bank v20250101                           │ 3f2a60e5-e840-4cdc-9b24-4e9553a3b438 │ false  │ 2025-11-19T14:14:50Z │
    │ Anchore NIST 800-190 v20250101                            │ 4d83d480-6bcc-4026-8137-c779011e9aa8 │ false  │ 2025-11-13T14:35:43Z │
    │ Anchore CIS Docker Benchmark V1.6.0 v20250101             │ anchore_cis_1.6.0                    │ false  │ 2025-11-13T14:35:43Z │
    │ Anchore DISA Image Creation and Hardening Guide v20241001 │ anchore_disa_image_hardening         │ false  │ 2025-11-13T14:35:43Z │
    │ Anchore FedRAMP v5 Checks v20250101                       │ anchore_fedramp_v5                   │ false  │ 2025-11-13T14:35:43Z │
    │ Anchore NIST 800-53 v20250101                             │ anchore_nist_800_53                  │ false  │ 2025-11-13T14:35:43Z │
    │ Anchore Enterprise - Secure v20250101                     │ anchore_secure_default               │ false  │ 2025-11-20T13:46:07Z │
    └───────────────────────────────────────────────────────────┴──────────────────────────────────────┴────────┴──────────────────────┘


    To activate the policy, click the circle under ‘Active’.

    [Screenshot: activate-policy]

    Once activated, you will see that the policy is highlighted in green.

    Or run the following command using AnchoreCTL

    # anchorectl policy activate "Anchore CIS Docker Benchmark V1.8.0 v20251101"
    ✔ Activate policy
    Name: Anchore CIS Docker Benchmark V1.8.0 v20251101
    Policy Id: 1bb3577d-7051-4981-9cd2-13777c44ca50
    Active: true
    Updated: 2025-11-20T13:46:07Z
    
  4. Navigate to the Image tab in Anchore Enterprise and you will now be able to evaluate an image with the policy.

    [Screenshot: cis-policy]

    Or run the following command using AnchoreCTL

    As an example, we will add a centos image and evaluate it using the policy. Allow some time for Anchore to analyze the image after it is added; the --wait flag below returns only once analysis has completed, as the ‘Analyzed Image’ line shows.

    # anchorectl image add docker.io/centos:latest --wait
    ✔ Added Image                                                                                                                docker.io/centos:latest
    ✔ Analyzed Image                                                                                                             docker.io/centos:latest
    Image:
    status:           analyzed (active)
    tag:              docker.io/centos:latest
    digest:           sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    id:               5d0da3dc976460b72c77d94c8a1ad043720b0416bfc16c52c45d4847e53fadb6
    distro:           centos@8 (amd64)
    layers:           1
    

    To apply the active policy and see the details of every violation:

    # anchorectl image check docker.io/centos:latest --detail
    

    To apply the active policy and get a simple pass/fail result:

    # anchorectl image check -f docker.io/centos:latest
    ✔ Evaluated against policy                  [failed]                                                            docker.io/centos:latest
    Tag: docker.io/centos:latest
    Digest: sha256:a1801b843b1bfaf77c501e7a6d3f709401a1e0c83863037fa3aab063a7fdb9dc
    Policy ID: 1bb3577d-7051-4981-9cd2-13777c44ca50
    Last Evaluation: 2025-11-01T22:08:52Z
    Evaluation: fail
    Final Action: stop
    Reason: policy_evaluation
    
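The four AnchoreCTL steps above (import the policy, activate it, add the image, check it) collected into one repeatable gate script. This is an added example and is not part of the Anchore documentation or of the anchorectl project. It assumes anchorectl is on PATH and already configured to reach your Anchore Enterprise deployment, reuses the policy name and file name from the walkthrough, and parses the plain-text output of `anchorectl image check -f`. The strings `pass` and `go` for a clean evaluation are assumptions; the page only shows the failing output (`Evaluation: fail`, `Final Action: stop`), so the script treats anything other than an explicit pass as a failure.

```shell
#!/bin/sh
# Added example: drive policy import, activation and image evaluation from a
# pipeline and fail the build when the CIS policy returns a stop action.
# Assumes anchorectl is installed and already authenticated (assumption).
set -eu

# Names taken from the walkthrough; adjust to your own policy pack version.
POLICY_NAME="Anchore CIS Docker Benchmark V1.8.0 v20251101"
POLICY_FILE="policy-anchore_cis_1.8.0.json"

# Print the value of one "Key: value" line from anchorectl output read on stdin.
field() {
  sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" | head -n 1
}

# Reduce the text of `anchorectl image check -f` to "pass" or "fail".
# Only an explicit "Evaluation: pass" with no "stop" action counts as a pass,
# so a truncated or error response (no Evaluation line at all) fails closed.
# "pass"/"go" are assumed wordings; the page shows only "fail"/"stop".
gate_result() {
  out=$(cat)
  evaluation=$(printf '%s\n' "$out" | field Evaluation)
  action=$(printf '%s\n' "$out" | field "Final Action")
  if [ "$evaluation" = "pass" ] && [ "$action" != "stop" ]; then
    echo pass
  else
    echo fail
  fi
}

# Import the policy only if it is not already listed, activate it, then
# analyze and evaluate one image. Returns 1 when the image must be stopped.
cis_gate() {
  image=$1
  if ! anchorectl policy list | grep -F -q "$POLICY_NAME"; then
    anchorectl policy add -i "$POLICY_FILE"
  fi
  anchorectl policy activate "$POLICY_NAME"
  anchorectl image add "$image" --wait
  # -f gives the simple pass/fail report; capture the text and decide here so
  # the verdict does not depend on the tool's exit status alone.
  check_output=$(anchorectl image check -f "$image" || true)
  printf '%s\n' "$check_output"
  if [ "$(printf '%s\n' "$check_output" | gate_result)" = "pass" ]; then
    echo "CIS gate: $image passed"
    return 0
  fi
  echo "CIS gate: $image failed; run 'anchorectl image check $image --detail' for the violations" >&2
  return 1
}

# Usage (hypothetical file name): sh cis-gate.sh docker.io/centos:latest
if [ -n "${1:-}" ]; then
  cis_gate "$1"
fi
```

Because `gate_result` fails closed, a connection error or an unexpected output format stops the pipeline rather than silently passing the image; the `--detail` form from the walkthrough is the next step for seeing which of the CIS controls fired.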

Configuring Rule Sets for the CIS Policy

Some of the control specifications need configuration based on the user’s environment. The control specifications are represented by ‘Rule Sets’ in Anchore Enterprise. Navigate to the Policies tab and click on the ‘Edit’ under ‘Actions’.

It is recommended all configuration changes to rule sets be done in the Anchore Enterprise UI.

The following rule sets MUST be configured before using the CIS policy:

  • 4.2 Ensure that containers use only trusted base
  • 4.3 Ensure that unnecessary packages are not installed in the container
  • 5.8 Ensure privileged ports are not mapped within containers