Pipeline Image Analysis and Scanning
Anchore now supports analysis of images at build time, with no requirement to push images to a registry before they can be analyzed and added to the system.
This feature works by executing anchorectl inside your pipeline and giving it an endpoint and credentials for an Anchore deployment to upload the results to. It analyzes the image locally for package artifacts and uploads the analysis and container metadata to Anchore. The system then loads the result, after which the image analysis is available for vulnerability queries and policy evaluations using AnchoreCTL or direct API operations.
The analysis import is processed by the analyzer services, so you will see the image enter the not_analyzed state when first uploaded, then analyzing, then analyzed. Once in the analyzing state the process is usually very fast (seconds), since it only operates on the provided package manifest rather than having to pull any image data or perform significant I/O to unpack an image.
❯ syft -o json ubuntu:latest | anchorectl image add ubuntu:latest --wait --from -
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages [101 packages]
Image:
  status: analyzed (active)
  tag: docker.io/ubuntu:latest
  digest: sha256:33bca6883412038cc4cbd3ca11406076cf809c1dd1462a144ed2e38a7e79378a
  id: sha256:df5de72bdb3b711aba4eca685b1f42c722cc8a1837ed3fbd548a9282af2d836d
  distro: [email protected] (amd64)
  layers: 1

❯ anchorectl image get ubuntu:latest
Tag: docker.io/ubuntu:latest
Digest: sha256:33bca6883412038cc4cbd3ca11406076cf809c1dd1462a144ed2e38a7e79378a
ID: sha256:df5de72bdb3b711aba4eca685b1f42c722cc8a1837ed3fbd548a9282af2d836d
Analysis: analyzed
Status: active

❯ anchorectl image vulnerabilities ubuntu:latest -t all
...
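As an added example (not part of the Anchore documentation or of AnchoreCTL itself), the following bash script wraps the pipeline step shown above into a CI gate: it generates the SBOM locally with syft, streams it to the deployment with anchorectl image add --wait --from -, polls anchorectl image get until the Analysis field reads analyzed (treating any state other than not_analyzed, analyzing or analyzed as an error), lists vulnerabilities, and finally fails the build on a policy violation. The environment variables ANCHORECTL_URL, ANCHORECTL_USERNAME and ANCHORECTL_PASSWORD for the endpoint and credentials, and the anchorectl image check --fail-based-on-results command used as the policy gate, are assumptions to verify against your anchorectl version; the function names and POLL_INTERVAL variable are mine.

```shell
#!/usr/bin/env bash
# Added example, not Anchore's own code: a CI gate around the pipeline
# scan described on this page.
#
# Assumptions (verify against `anchorectl --help` for your version):
#   - anchorectl reads the endpoint and credentials from ANCHORECTL_URL,
#     ANCHORECTL_USERNAME and ANCHORECTL_PASSWORD, exported by the CI job.
#   - `anchorectl image check <image> --fail-based-on-results` exits
#     non-zero when the policy evaluation result is FAIL.
set -euo pipefail

# Seconds between status polls; a test can set it to 0.
POLL_INTERVAL="${POLL_INTERVAL:-5}"

# Read the bare analysis state (not_analyzed / analyzing / analyzed) from the
# "Analysis:" line of `anchorectl image get`, whose output is shown above.
analysis_state() {
    anchorectl image get "$1" | awk '$1 == "Analysis:" { print $2; exit }'
}

# Poll until the image reports "analyzed". Prints the final state on stdout.
# Exit codes: 0 analyzed, 1 still pending after max_attempts, 2 unexpected state.
wait_for_analysis() {
    local image="$1" max_attempts="${2:-60}" attempt=0 state
    while [ "$attempt" -lt "$max_attempts" ]; do
        state="$(analysis_state "$image")"
        case "$state" in
            analyzed)
                echo "$state"
                return 0 ;;
            not_analyzed|analyzing)
                attempt=$((attempt + 1))
                sleep "$POLL_INTERVAL" ;;
            *)
                echo "unexpected analysis state '${state:-<empty>}' for $image" >&2
                return 2 ;;
        esac
    done
    echo "$image still not analyzed after $max_attempts polls" >&2
    return 1
}

# Generate the SBOM locally and stream it to the deployment; --wait blocks
# until the import has been processed, exactly as in the session above.
# pipefail makes a syft failure fail this step too.
upload_sbom() {
    syft -o json "$1" | anchorectl image add "$1" --wait --from -
}

# Run the whole gate for one locally built image.
scan_and_gate() {
    local image="$1" state
    upload_sbom "$image"
    state="$(wait_for_analysis "$image")"
    echo "$image analysis state: $state"
    anchorectl image vulnerabilities "$image" -t all
    # Policy gate (assumed flag): a FAIL evaluation fails the CI job.
    anchorectl image check "$image" --fail-based-on-results
}

# Usage: ./anchore-gate.sh myregistry/app:"${CI_COMMIT_SHA}"
if [ "$#" -gt 0 ]; then
    scan_and_gate "$1"
fi
```

Because the image is analyzed from the SBOM rather than pulled by the deployment, the job only needs outbound access from the runner to the Anchore API; keeping the credentials in the CI secret store and exporting them as environment variables avoids writing them into the anchorectl config file on the runner.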
Install anchorectl to scan local images and generate a software bill of materials (SBOM) to upload into your Anchore deployment.
After uploading the analysis, you will need to use AnchoreCTL or the UI to view vulnerabilities or policy evaluations using the enterprise feed data and policy features such as base-image diffs or false positive management.

Last modified October 20, 2023