Gate: ancestry

Introduction

The “ancestry” gate gives users the ability to construct policy rules against an image’s ancestry, specifically the base and ancestor images. This gate becomes useful when a user needs to quickly identify if an image SBOM is not part of an organization’s approved set of base and/or ancestor images.

The base image is the image that a given image was built from. It serves as a template for developers to create a standardized environment on top of which they build their custom images (often referred to as a “golden” image).

Ancestor images are the chain of images that a given image was built from, one on top of the other.

Note: For a fuller explanation of base and ancestor images, see the linked documentation.

Example Use-case

Scenario 1

Goal: Fail a policy evaluation if an image is not part of a list of approved base images.

Example rule set configuration in Anchore Enterprise

Gate: ancestry
Trigger: allowed base image digest
Required Parameters: base digest = “SHA256:abcdef123456”
Recommendation (Optional): The image is not derived from an approved base image. Remediation required.
Action: STOP


Reference: ancestry

| Trigger Name | Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| allowed_base_image_digest | Checks to see if base image is approved | base_digest | List of approved base image digests. | sha256:123abc |
| allowed_base_image_tag | Checks to see if base image is approved | base_tag | List of approved base image tags. | docker.io/nginx:latest |
| denylist_ancestor_image_digest | Triggers if any of the ancestor images have the provided image digest(s) | ancestor_digest | List of ancestor image digests to check for. Accepts comma separated list of digests. | sha256:123abc |
| denylist_ancestor_image_tag | Triggers if any of the ancestor images have the provided image tag(s) | ancestor_tag | List of denied image tags to check the ancestry for. Accepts comma separated list of tags. | docker.io/nginx:latest |
| no_ancestors_analyzed | Checks to see if the image has a known ancestor | | | |
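The following is an added example, not Anchore's own code, that models how the five triggers in the reference table behave and replays Scenario 1 against a constructed ancestry record. Trigger and parameter names follow the table; the record layout, the lower-casing of digests and tags, and the way the final action is derived are assumptions of this example.

```python
# Added example (not Anchore's code): a model of the ancestry gate's triggers,
# evaluated against a constructed ancestry record.
from dataclasses import dataclass

@dataclass
class Ancestry:
    base_digest: str   # digest of the image this one was built from
    base_tags: tuple   # tags known for that base image
    ancestors: tuple   # (digest, tag) pairs for the whole ancestor chain

def _values(param: str) -> set:
    # Parameters accept comma separated lists. Values are lower-cased here
    # (this example's choice): registry digests are written "sha256:...", and
    # the "SHA256:..." form in Scenario 1 would otherwise never match.
    return {v.strip().lower() for v in param.split(",") if v.strip()}

# Each trigger returns True when it fires, i.e. when the rule's action applies.
def allowed_base_image_digest(a: Ancestry, base_digest: str) -> bool:
    return a.base_digest.lower() not in _values(base_digest)

def allowed_base_image_tag(a: Ancestry, base_tag: str) -> bool:
    return not any(t.lower() in _values(base_tag) for t in a.base_tags)

def denylist_ancestor_image_digest(a: Ancestry, ancestor_digest: str) -> bool:
    return any(d.lower() in _values(ancestor_digest) for d, _ in a.ancestors)

def denylist_ancestor_image_tag(a: Ancestry, ancestor_tag: str) -> bool:
    return any(t.lower() in _values(ancestor_tag) for _, t in a.ancestors)

def no_ancestors_analyzed(a: Ancestry) -> bool:
    return not a.ancestors

TRIGGERS = {f.__name__: f for f in (
    allowed_base_image_digest, allowed_base_image_tag,
    denylist_ancestor_image_digest, denylist_ancestor_image_tag, no_ancestors_analyzed)}

def evaluate(a: Ancestry, rules):
    """rules: (trigger, params, action) tuples. Returns (final action, fired rules):
    one fired STOP rule fails the evaluation, WARN only flags it, otherwise GO."""
    fired = [(t, act) for t, params, act in rules if TRIGGERS[t](a, **params)]
    actions = {act for _, act in fired}
    return ("STOP" if "STOP" in actions else "WARN" if "WARN" in actions else "GO"), fired

# Constructed sample: built from an approved golden base, but with a public
# nginx image as an intermediate ancestor in its chain.
SAMPLE = Ancestry(
    base_digest="sha256:abcdef123456",
    base_tags=("registry.example.com/golden/base:1.0",),
    ancestors=(("sha256:feedface0001", "docker.io/nginx:latest"),
               ("sha256:abcdef123456", "registry.example.com/golden/base:1.0")))

SCENARIO_1 = [("allowed_base_image_digest", {"base_digest": "SHA256:abcdef123456"}, "STOP")]
```

Running `evaluate(SAMPLE, SCENARIO_1)` yields `("GO", [])` because the base digest is approved; adding a `denylist_ancestor_image_tag` rule for `docker.io/nginx:latest` makes the same image fire.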
Last modified September 16, 2024