Anchore Policy Checks

Introduction

In this document, we describe the current gates (and related triggers and parameters) that are supported within Anchore policy.

Gate: dockerfile

Checks against the content of a dockerfile if provided, or a guessed dockerfile based on docker layer history if the dockerfile is not provided.

Note For further information on usage see Policy Gate: Dockerfile

Trigger NameDescriptionParameterDescriptionExample
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.instructionThe Dockerfile instruction to check.from
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.checkThe type of check to perform.=
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.valueThe value to check the dockerfile instruction against.scratch
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.actual_dockerfile_onlyOnly evaluate against a user-provided dockerfile, skip evaluation on inferred/guessed dockerfiles. Default is False.true
effective_userChecks if the effective user matches the provided user names, either as a allowlist or blocklist depending on the type parameter setting.usersUser names to check against as the effective user (last user entry) in the images history.root,docker
effective_userChecks if the effective user matches the provided user names, either as a allowlist or blocklist depending on the type parameter setting.typeHow to treat the provided user names.denylist
exposed_portsEvaluates the set of ports exposed. Allows configuring allowlist or blocklist behavior. If type=allowlist, then any ports found exposed that are not in the list will cause the trigger to fire. If type=denylist, then any ports exposed that are in the list will cause the trigger to fire.portsList of port numbers.80,8080,8088
exposed_portsEvaluates the set of ports exposed. Allows configuring allowlist or blocklist behavior. If type=allowlist, then any ports found exposed that are not in the list will cause the trigger to fire. If type=denylist, then any ports exposed that are in the list will cause the trigger to fire.typeWhether to use port list as a allowlist or denylist.denylist
exposed_portsEvaluates the set of ports exposed. Allows configuring allowlist or blocklist behavior. If type=allowlist, then any ports found exposed that are not in the list will cause the trigger to fire. If type=denylist, then any ports exposed that are in the list will cause the trigger to fire.actual_dockerfile_onlyOnly evaluate against a user-provided dockerfile, skip evaluation on inferred/guessed dockerfiles. Default is False.true
no_dockerfile_providedTriggers if anchore analysis was performed without supplying the actual image Dockerfile.

Gate: files

Checks against files in the analyzed image including file content, file names, and filesystem attributes.

Trigger NameDescriptionParameterDescriptionExample
content_regex_matchTriggers for each file where the content search analyzer has found a match using configured regexes in the analyzer_config.yaml “content_search” section. If the parameter is set, the trigger will only fire for files that matched the named regex. Refer to your analyzer_config.yaml for the regex values.regex_nameRegex string that also appears in the FILECHECK_CONTENTMATCH analyzer parameter in analyzer configuration, to limit the check to. If set, will only fire trigger when the specific named regex was found in a file..password.
name_matchTriggers if a file exists in the container that has a filename that matches the provided regex. This does have a performance impact on policy evaluation.regexRegex to apply to file names for match..*.pem
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.filenameFilename to check against provided checksum./etc/passwd
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.checksum_algorithmChecksum algorithmsha256
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.checksumChecksum of file.832cd0f75b227d13aac82b1f70b7f90191a4186c151f9db50851d209c45ede11
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.checksum_matchChecksum operation to perform.equals
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.modeFile mode of file.00644
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.mode_opFile mode operation to perform.equals
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.skip_missingIf set to true, do not fire this trigger if the file is not present. If set to false, fire this trigger ignoring the other parameter settings.true
suid_or_guid_setFires for each file found to have suid or sgid bit set.

Gate: passwd_file

Content checks for /etc/passwd for things like usernames, group ids, shells, or full entries.

Trigger NameDescriptionParameterDescriptionExample
content_not_availableTriggers if the /etc/passwd file is not present/stored in the evaluated image.
denylist_usernamesTriggers if specified username is found in the /etc/passwd fileuser_namesList of usernames that will cause the trigger to fire if found in /etc/passwd.daemon,ftp
denylist_useridsTriggers if specified user id is found in the /etc/passwd fileuser_idsList of userids (numeric) that will cause the trigger to fire if found in /etc/passwd.0,1
denylist_groupidsTriggers if specified group id is found in the /etc/passwd filegroup_idsList of groupids (numeric) that will cause the trigger ot fire if found in /etc/passwd.999,20
denylist_shellsTriggers if specified login shell for any user is found in the /etc/passwd fileshellsList of shell commands to denylist./bin/bash,/bin/zsh
denylist_full_entryTriggers if entire specified passwd entry is found in the /etc/passwd file.entryFull entry to match in /etc/passwd.ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Gate: packages

Distro package checks.

Trigger NameDescriptionParameterDescriptionExample
required_packageTriggers if the specified package and optionally a specific version is not found in the image.nameName of package that must be found installed in image.libssl
required_packageTriggers if the specified package and optionally a specific version is not found in the image.versionOptional version of package for exact version match.1.10.3rc3
required_packageTriggers if the specified package and optionally a specific version is not found in the image.version_match_typeThe type of comparison to use for version if a version is provided.exact
verifyCheck package integrity against package db in the image. Triggers for changes or removal or content in all or the selected “dirs” parameter if provided, and can filter type of check with the “check_only” parameter.only_packagesList of package names to limit verification.libssl,openssl
verifyCheck package integrity against package db in the image. Triggers for changes or removal or content in all or the selected “dirs” parameter if provided, and can filter type of check with the “check_only” parameter.only_directoriesList of directories to limit checks so as to avoid checks on all dir./usr,/var/lib
verifyCheck package integrity against package db in the image. Triggers for changes or removal or content in all or the selected “dirs” parameter if provided, and can filter type of check with the “check_only” parameter.checkCheck to perform instead of all.changed
denylistTriggers if the evaluated image has a package installed that matches the named package optionally with a specific version as well.namePackage name to denylist.openssh-server
denylistTriggers if the evaluated image has a package installed that matches the named package optionally with a specific version as well.versionSpecific version of package to denylist.1.0.1
metadataTriggers on a package type comparison.typeThe type of package.rpm
metadataTriggers on a package name comparison.nameThe name of the package. Wildcards are supported.*ssl
metadataTriggers on a package version comparison.versionThe version of the package. Wildcards are supported.*fips

Gate: vulnerabilities

CVE/Vulnerability checks.

Trigger NameDescriptionParameterDescriptionExample
packageTriggers if a found vulnerability in an image meets the comparison criteria.package_typeOnly trigger for specific package type.all
packageTriggers if a found vulnerability in an image meets the comparison criteria.severity_comparisonThe type of comparison to perform for severity evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.severitySeverity to compare against.high
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_base_score_comparisonThe type of comparison to perform for CVSS v3 base score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_base_scoreCVSS v3 base score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_exploitability_score_comparisonThe type of comparison to perform for CVSS v3 exploitability sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_exploitability_scoreCVSS v3 exploitability sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_impact_score_comparisonThe type of comparison to perform for CVSS v3 impact sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_impact_scoreCVSS v3 impact sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.fix_availableIf present, the fix availability for the vulnerability record must match the value of this parameter.true
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_onlyIf True, an available fix for this CVE must not be explicitly marked as wont be addressed by the vendortrue
packageTriggers if a found vulnerability in an image meets the comparison criteria.max_days_since_creationA grace period, in days, for a vulnerability match to be present after which the vulnerability is a policy violation. Uses the date the match was first found for the given image.7
packageTriggers if a found vulnerability in an image meets the comparison criteria.max_days_since_fixIf provided (only evaluated when fix_available option is also set to true), the fix first observed time must be older than the days provided, to trigger.30
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_base_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 base score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_base_scoreVendor CVSS v3 base score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_exploitability_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 exploitability sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_exploitability_scoreVendor CVSS v3 exploitability sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_impact_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 impact sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_impact_scoreVendor CVSS v3 impact sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.package_path_excludeThe regex to evaluate against the package path to exclude vulnerabilities.test.jar
packageTriggers if a found vulnerability in an image meets the comparison criteria.inherited_from_baseIf true, only show vulns inherited from the base, if false than only show vulns not inherited from the base. Don’t specify to include vulns from the base image and the current image. See Base Images for more details.True
denylistTriggers if any of a list of specified vulnerabilities has been detected in the image.vulnerability_idsList of vulnerability IDs, will cause the trigger to fire if any are detected.CVE-2019-1234
denylistTriggers if any of a list of specified vulnerabilities has been detected in the image.vendor_onlyIf set to True, discard matches against this vulnerability if vendor has marked as will not fix in the vulnerability record.True
stale_feed_dataTriggers if the CVE data is older than the window specified by the parameter MAXAGE (unit is number of days).max_days_since_syncFire the trigger if the last sync was more than this number of days ago.10
vulnerability_data_unavailableTriggers if vulnerability data is unavailable for the image’s distro packages such as rpms or dpkg. Non-OS packages like npms and java are not considered in this evaluation
kev list data missingTriggers if the KEV list data is unavailable in the deployment
kev listTriggers if a found vulnerability is in the KEV List of exploited vulnerabilities.

Gate: licenses

License checks against found software licenses in the container image.

Trigger NameDescriptionParameterDescriptionExample
denylist_exact_matchTriggers if the evaluated image has a package installed with software distributed under the specified (exact match) license(s).licensesList of license names to denylist exactly.GPLv2+,GPL-3+,BSD-2-clause
denylist_exact_matchTriggers if the evaluated image has a package installed with software distributed under the specified (exact match) license(s).package_typeOnly trigger for specific package type.all
denylist_partial_matchtriggers if the evaluated image has a package installed with software distributed under the specified (substring match) license(s)licensesList of strings to do substring match for denylist.LGPL,BSD
denylist_partial_matchtriggers if the evaluated image has a package installed with software distributed under the specified (substring match) license(s)package_typeOnly trigger for specific package type.all

Gate: secret_scans

Checks for secrets and content found in the image using configured regexes found in the “secret_search” section of analyzer_config.yaml.

Trigger NameDescriptionParameterDescriptionExample
content_regex_checksTriggers if the secret content search analyzer has found any matches with the configured and named regexes. Checks can be configured to trigger if a match is found or is not found (selected using match_type parameter). Matches are filtered by the content_regex_name and filename_regex if they are set. The content_regex_name shoud be a value from the “secret_search” section of the analyzer_config.yaml.content_regex_nameName of content regexps configured in the analyzer that match if found in the image, instead of matching all. Names available by default are: [‘AWS_ACCESS_KEY’, ‘AWS_SECRET_KEY’, ‘PRIV_KEY’, ‘DOCKER_AUTH’, ‘API_KEY’].AWS_ACCESS_KEY
content_regex_checksTriggers if the secret content search analyzer has found any matches with the configured and named regexes. Checks can be configured to trigger if a match is found or is not found (selected using match_type parameter). Matches are filtered by the content_regex_name and filename_regex if they are set. The content_regex_name shoud be a value from the “secret_search” section of the analyzer_config.yaml.filename_regexRegexp to filter the content matched files by./etc/.*
content_regex_checksTriggers if the secret content search analyzer has found any matches with the configured and named regexes. Checks can be configured to trigger if a match is found or is not found (selected using match_type parameter). Matches are filtered by the content_regex_name and filename_regex if they are set. The content_regex_name shoud be a value from the “secret_search” section of the analyzer_config.yaml.match_typeSet to define the type of match - trigger if match is found (default) or not found.found

Gate: metadata

Checks against image metadata (ie size, OS, distro, architecture, etc.).

Trigger NameDescriptionParameterDescriptionExample
attributeTriggers if a named image metadata value matches the given condition.attributeAttribute name to be checked.size
attributeTriggers if a named image metadata value matches the given condition.checkThe operation to perform the evaluation.>
attributeTriggers if a named image metadata value matches the given condition.valueValue used in comparison.1073741824

Gate: always

Triggers that fire unconditionally if present in policy, useful for things like testing and deny-listing.

Trigger NameDescriptionParameterDescriptionExample
alwaysFires if present in a policy being evaluated. Useful for things like deny-listing images or testing mappings and allowlists by using this trigger in combination with policy mapping rules.

Gate: retrieved_files

Checks against content and/or presence of files retrieved at analysis time from an image.

Trigger NameDescriptionParameterDescriptionExample
content_not_availableTriggers if the specified file is not present/stored in the evaluated image.pathThe path of the file to verify has been retrieved during analysis/etc/httpd.conf
content_regexEvaluation of regex on retrieved file contentpathThe path of the file to verify has been retrieved during analysis/etc/httpd.conf
content_regexEvaluation of regex on retrieved file contentcheckThe type of check to perform with the regexmatch
content_regexEvaluation of regex on retrieved file contentregexThe regex to evaluate against the content of the file.SSlEnabled.

Gate: Malware

Checks against malware presence.

TriggerDescriptionParameters
scansTriggers if any malware scanner has found any matches in the image.
scan_not_runTriggers if no scan was found for the image.

Gate: Tag Drift

Compares the SBOM from the evaluated image’s tag and the tag’s previous image, if found. Provides triggers to detect packages added, removed or modified.

Trigger NameDescriptionParameterDescriptionExample
packages_addedChecks to see if any packages have been added.package_typePackage type to filter for only specific types. If ommitted, then all types are evaluated.apk
packages_removedChecks to see if any packages have been removed.package_typePackage type to filter for only specific types. If ommitted, then all types are evaluated.apk
packages_modifiedChecks to see if any packages have been modified.package_typePackage type to filter for only specific types. If ommitted, then all types are evaluated.apk

Gate: Image Source Drift

Triggers for evaluating diffs of an image’s source repo SBOM and the built image. Operates on the diffs defined by ‘contains’ relationships where the image is the ‘source’ and the source revisions that are the ’target’ for the relationship.

Trigger NameDescriptionParameterDescriptionExample
package_downgradedChecks to see if any packages have a lower version in the built image than specified in the input source sbomspackage_typesTypes of package to filter byjava,npm
package_removedChecks to see if any packages are not installed that were expected based on the image’s related input source sbomspackage_typesTypes of package to filter byjava,npm
no_related_sourcesChecks to see if there are any source sboms related to the image. Findings indicate that the image does not have a source sbom to detect drift against

Gate: Ancestry

Checks the image ancestry against approved images. See Base Images for more information on how “Base Image” is calculated.

Trigger NameDescriptionParameterDescriptionExample
allowed_base_image_digestChecks to see if base image is approvedbase_digestList of approved base image digests.sha256:123abc
allowed_base_image_tagChecks to see if base image is approvedbase_tagList of approved base image tags.docker.io/debian:latest
no_ancestors_analyzedChecks to see if the image has a known ancestor

Gate: Distro

Checks against the image distro metadata. This can be used to denylist versions of a distro, such as versions that are EOL.

Trigger NameDescriptionParameterDescriptionExample
denyTriggers if the image distro and version match the criteriadistroName of the distribution to matchdebian
denyTriggers if the image distro and version match the criteriaversionVersion of distribution to compare against9
denyTriggers if the image distro and version match the criteriacheckThe comparison to use in the evaluation<
Last modified July 30, 2024