# All-in-one docker compose deployment of a full anchore-enterprise service system --- name: "anchore-5110" volumes: # Since this is for a quickstart, each minor version has its own db, to use a previous db and upgrade, change this to the db volume name you want to upgrade. e.g. "anchore-enterprise-5.9-db" if upgrading from a 5.9 quickstart deployment. anchore-enterprise-5.11-db: # Set this to 'true' to use an external volume. In which case, it must be created manually with "docker volume create anchore-db-volume" external: false services: # The primary API endpoint service api: image: docker.io/anchore/enterprise:v5.11.0 depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z ports: - "8228:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=api - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "apiext"] # Catalog is the primary persistence and state manager of the system catalog: image: docker.io/anchore/enterprise:v5.11.0 depends_on: anchore-db: condition: service_healthy volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z logging: driver: "json-file" options: max-size: 100m expose: - 8228 environment: - ANCHORE_ENDPOINT_HOSTNAME=catalog - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ADMIN_PASSWORD= - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_CATALOG_NOTIFICATION_INTERVAL_SEC=0 - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "catalog"] queue: image: docker.io/anchore/enterprise:v5.11.0 depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=queue - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "simplequeue"] policy-engine: image: docker.io/anchore/enterprise:v5.11.0 depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy data-syncer: condition: service_healthy volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=policy-engine - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret # The following environment variables can be used to tune the system-level vulnerability matching settings and will apply to all vulnerability scans across all accounts. # It is important to note that the github provider must be enabled in the feed service if search by cpe is disabled for any ecosystem or there will be no vulnerability matches at all for # that ecosystem. The below settings represent the current defaults if nothing else is specified. Searching by CPE is enabled for all configurable ecosystems except for javascript. # - ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_DOTNET_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_GOLANG_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVA_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_JAVASCRIPT_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-false} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_PYTHON_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_RUBY_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} # The `stock` matcher is the default catch-all ecosystem and it is *STRONGLY DISCOURAGED* to disable search by cpe for this ecosystem. This will disable vulnerability matching for all # binaries that are not installed by a package manager (python interpreter, go tooling, ruby, etc) # - ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED=${ANCHORE_VULN_MATCHING_ECOSYSTEM_SPECIFIC_STOCK_SEARCH_BY_CPE_ENABLED:-ANCHORE_VULN_MATCHING_DEFAULT_SEARCH_BY_CPE_ENABLED:-true} command: ["anchore-enterprise-manager", "service", "start", "policy_engine"] analyzer: image: docker.io/anchore/enterprise:v5.11.0 depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=analyzer - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret volumes: - ./license.yaml:/license.yaml:ro - /analysis_scratch #- ./config-enterprise.yaml:/config/config.yaml:z # To enable and configure malware and catalogers during centralized analysis/scans please review - https://docs.anchore.com/current/docs/configuration/malware. #- ./analyzer_config.yaml:/anchore_service/analyzer_config.yaml:z command: ["anchore-enterprise-manager", "service", "start", "analyzer"] anchore-db: image: docker.io/library/postgres:13 volumes: - anchore-enterprise-5.11-db:/var/lib/postgresql/data environment: - POSTGRES_PASSWORD=mysecretpassword expose: - 5432 logging: driver: "json-file" options: max-size: 100m healthcheck: test: ["CMD-SHELL", "pg_isready -U postgres"] reports: image: docker.io/anchore/enterprise:v5.11.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy ports: - "8558:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=reports - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "reports"] reports_worker: image: docker.io/anchore/enterprise:v5.11.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy expose: - 8228 logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=reports_worker - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "reports_worker"] notifications: image: docker.io/anchore/enterprise:v5.11.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy ports: - "8668:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=notifications - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_ENTERPRISE_UI_URL=http://localhost:3000 - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS=true - ANCHORE_AUTH_SECRET=supersharedsecret command: ["anchore-enterprise-manager", "service", "start", "notifications"] data-syncer: image: docker.io/anchore/enterprise:v5.11.0 volumes: - ./license.yaml:/license.yaml:ro depends_on: anchore-db: condition: service_healthy catalog: condition: service_healthy ports: - "8778:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=data-syncer - ANCHORE_DB_HOST=anchore-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO - ANCHORE_OAUTH_ENABLED=true - ANCHORE_AUTH_SECRET=supersharedsecret - ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED=true command: ["anchore-enterprise-manager", "service", "start", "data_syncer"] ui-redis: image: docker.io/library/redis:7 expose: - 6379 logging: driver: "json-file" options: max-size: 100m healthcheck: test: ["CMD-SHELL", "redis-cli PING"] ui: image: docker.io/anchore/enterprise-ui:v5.11.0 volumes: - ./license.yaml:/license.yaml:ro #- ./config-ui.yaml:/config/config-ui.yaml:z depends_on: api: condition: service_healthy ui-redis: condition: service_healthy anchore-db: condition: service_healthy ports: - "3000:3000" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENTERPRISE_URI=http://api:8228/v2 - ANCHORE_REDIS_URI=redis://ui-redis:6379 - ANCHORE_APPDB_URI=postgres://postgres:mysecretpassword@anchore-db:5432/postgres - ANCHORE_ENABLE_METRICS=false # # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported # # You will also need to set metrics env variable to true foreach Anchore service "ANCHORE_ENABLE_METRICS=true" in this file. # prometheus: # image: docker.io/prom/prometheus:latest # depends_on: # api: # condition: service_healthy # volumes: # - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z # logging: # driver: "json-file" # options: # max-size: 100m # ports: # - "9090:9090" # # Uncomment this section to run a swagger UI service, for inspecting and interacting with the anchore enterprise API via a browser (http://localhost:8080 by default, change if needed in both sections below) # swagger-ui-nginx: # image: docker.io/nginx:latest # depends_on: # api: # condition: service_healthy # swagger-ui: # condition: service_healthy # ports: # - "8080:8080" # volumes: # - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z # logging: # driver: "json-file" # options: # max-size: 100m # swagger-ui: # image: docker.io/swaggerapi/swagger-ui # environment: # - URL=http://localhost:8080/v2/openapi.json # logging: # driver: "json-file" # options: # max-size: 100m