Testing Policies

Introduction

The Evaluation Preview feature allows you to perform a test evaluation on an image to verify the mapping, policies and allowlists used to evaluate an image.

To test an image, enter the name of the image, optionally including the registry if the image is not stored on docker.io. In the example below, an evaluation was requested for library/debian:latest; because no registry was specified, the default registry, docker.io, was used.

Here we can see that the image was evaluated against the policy named “anchore_security_only” and failed, resulting in a STOP action.

Clicking “View Policy Test Details” shows a more detailed report.

The image was evaluated using the mapping named in the report, and the evaluation failed because the image was found in a denylist.

The next line explains that the image had been denylisted by the Deny CentOS denylist rule; however, if the image had not been denylisted, it would only have produced a WARN instead of a failure.

The subsequent table lists the policy checks that resulted in a Warn or Stop (failure) result.

The policy checks are performed on images already analyzed and recorded in Anchore Enterprise. If an image has been added to the system but has not yet completed analysis, the system will display an error.

If the evaluation test is re-run after a few minutes, the image will likely have completed analysis and a policy evaluation result will be returned.

If the specified image has not been analyzed by the system and has not been submitted for analysis, an error message will be displayed.

Last modified June 11, 2024