Deploying AnchoreCTL

In this section you will learn how to deploy and configure AnchoreCTL, the Anchore Enterprise Command Line Interface.

AnchoreCTL is published as a single binary that can be installed by downloading it directly or by using the packages provided for different platforms.

Using AnchoreCTL, you can manage and inspect all aspects of your Anchore Enterprise deployments, either as a manual human-readable configuration/instrumentation/control tool or as a CLI that is designed to be used in scripted environments such as CI/CD and other automation environments.

Important: Starting with Enterprise v4.9.0 and continuing forward, AnchoreCTL will be version-aligned with Anchore Enterprise for major/minor releases.

Installation

AnchoreCTL’s release version coincides with the release version of Anchore Enterprise. For example,

  • Enterprise v5.3.0
  • AnchoreCTL v5.3.0

Important: It is highly recommended that the version of AnchoreCTL you are using is supported by the deployed version of Enterprise. Please refer to the Enterprise Release Notes for the supported version of AnchoreCTL.

MacOS/Linux

Specify a release version and destination directory for the installation:

curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh | sh -s -- -b <DESTINATION_DIR> v5.3.0

Alternatively, you can download a specific version without installation:

curl -o anchorectl.tar.gz https://anchorectl-releases.anchore.io/anchorectl/v5.3.0/anchorectl_5.3.0_linux_amd64.tar.gz

Windows

For Windows, you must specify the version of AnchoreCTL to download if using a script.

curl -o anchorectl.zip https://anchorectl-releases.anchore.io/anchorectl/v5.3.0/anchorectl_5.3.0_windows_amd64.zip

Configuration

AnchoreCTL searches for its configuration file in the following paths, in order of precedence:

  1. .anchorectl.yaml
  2. anchorectl.yaml
  3. .anchorectl/config.yaml
  4. ~/.anchorectl.yaml
  5. ~/anchorectl.yaml
  6. $XDG_CONFIG_HOME/anchorectl/config.yaml

Required options:

  • url
  • username
  • password

Default options:

# the Anchore Enterprise account that the user is a part of (env var: "ANCHORECTL_ACCOUNT")
account: ""

# the Anchore Enterprise user's login password (env var: "ANCHORECTL_PASSWORD")
password: ""

# the Anchore Enterprise username (env var: "ANCHORECTL_USERNAME")
username: ""

# the URL to the Anchore Enterprise API (env var: "ANCHORECTL_URL")
url: ""

debug:
  # log HTTP requests, responses, headers, and body (requires log level debug or trace) (env var: "ANCHORECTL_DEBUG_API")
  api: false

  # log all events on the internal event bus and poll rich objects read from the bus (env var: "ANCHORECTL_DEBUG_EVENTS")
  events: false


http:
  # default HTTP headers to add to all HTTP requests (env var: "ANCHORECTL_HTTP_HEADERS")
  headers: {}

  # disable SSL certificate verification for all HTTP calls (not recommended) (env var: "ANCHORECTL_HTTP_TLS_INSECURE")
  tls-insecure: false

  # time in seconds before cancelling an HTTP request (env var: "ANCHORECTL_HTTP_TIMEOUT")
  timeout: 180


log:
  # error, warn, info, debug, trace (env var: "ANCHORECTL_LOG_LEVEL")
  level: "warn"

  # file to write all log entries to (env var: "ANCHORECTL_LOG_FILE")
  file: ""


update:
  # check for a new version of anchorectl at startup (env var: "ANCHORECTL_UPDATE_CHECK")
  check: true

  # the URL used to check for application updates (env var: "ANCHORECTL_UPDATE_URL")
  url: "https://anchorectl-releases.anchore.io/anchorectl/releases/latest/metadata.json"
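
An added example (not part of the Anchore documentation or of AnchoreCTL itself): a POSIX shell check that resolves which configuration file is picked up under the search order above and flags risky values among the listed options. It assumes relative paths resolve against the current directory and that an unset XDG_CONFIG_HOME means ~/.config; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not Anchore's code: locate and audit the anchorectl config.
# Typical call: cfg=$(find_anchorectl_config) && audit_anchorectl_config "$cfg"

# Print the first existing file in the documented search order.
# Assumptions: relative entries resolve against the current directory, and an
# unset XDG_CONFIG_HOME falls back to ~/.config (the XDG default).
find_anchorectl_config() {
    for f in .anchorectl.yaml anchorectl.yaml .anchorectl/config.yaml \
             "$HOME/.anchorectl.yaml" "$HOME/anchorectl.yaml" \
             "${XDG_CONFIG_HOME:-$HOME/.config}/anchorectl/config.yaml"; do
        if [ -f "$f" ]; then printf '%s\n' "$f"; return 0; fi
    done
    return 1
}

# Print one finding per line for the given file; return 1 if any were found.
audit_anchorectl_config() {
    cfg=$1; rc=0
    # A non-empty top-level password in a group- or world-readable file.
    if grep -Eq "^password:[[:space:]]*[\"']?[^\"'[:space:]]" "$cfg"; then
        case $(ls -ld "$cfg" | cut -c1-10) in
            ????r*|???????r*)
                echo "$cfg: stored password is readable by group/others (chmod 600)"
                rc=1 ;;
        esac
    fi
    # Certificate verification switched off.
    if grep -Eq '^[[:space:]]+tls-insecure:[[:space:]]*true' "$cfg"; then
        echo "$cfg: http.tls-insecure is true"; rc=1
    fi
    # debug.api writes HTTP requests, headers and bodies to the log output.
    if grep -Eq '^[[:space:]]+api:[[:space:]]*true' "$cfg"; then
        echo "$cfg: debug.api is true (requests, headers and bodies are logged)"; rc=1
    fi
    # Top-level API URL without TLS (the indented update.url is not matched).
    if grep -Eq "^url:[[:space:]]*[\"']?http://" "$cfg"; then
        echo "$cfg: url uses plain http"; rc=1
    fi
    return $rc
}
```

Because a file in the working directory takes precedence over the ones under the home directory, run the check from the directory where anchorectl itself is invoked.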

Usage

The anchorectl tool has extensive built-in help information for each command and operation, with many of the parameters allowing for environment overrides. To start with anchorectl, you can run the command with --help to see all the operation sections available:


# anchorectl --help
Usage:
   [flags]
   [command]

Application Config:

  (search locations: .anchorectl.yaml, anchorectl.yaml, .anchorectl/config.yaml, ~/.anchorectl.yaml, ~/anchorectl.yaml, $XDG_CONFIG_HOME/anchorectl/config.yaml)

  # the URL to the Anchore Enterprise API (env var: "ANCHORECTL_URL")
  url: ""

  # the Anchore Enterprise username (env var: "ANCHORECTL_USERNAME")
  username: ""

  # the Anchore Enterprise user's login password (env var: "ANCHORECTL_PASSWORD")
  password: ""

  # the Anchore Enterprise account that the user is a part of (env var: "ANCHORECTL_ACCOUNT")
  account: ""

  update:
    # check for a new version of anchorectl at startup (env var: "ANCHORECTL_UPDATE_CHECK")
    check: true

    # the URL used to check for application updates (env var: "ANCHORECTL_UPDATE_URL")
    url: "https://anchorectl-releases.anchore.io/anchorectl/releases/latest/metadata.json"

  # suppress logging output (env var: "ANCHORECTL_QUIET")
  quiet: false

  log:
    # error, warn, info, debug, trace (env var: "ANCHORECTL_LOG_LEVEL")
    level: "warn"

    # file to write all loge entries to (env var: "ANCHORECTL_LOG_FILE")
    file: ""

  debug:
    # log HTTP requests, responses, headers, and body (requires log level debug or trace) (env var: "ANCHORECTL_DEBUG_API")
    api: false

    # log all events on the internal event bus and poll rich objects read from the bus (env var: "ANCHORECTL_DEBUG_EVENTS")
    events: false

  http:
    # disable SSL certificate verification for all HTTP calls (not recommended) (env var: "ANCHORECTL_HTTP_TLS_INSECURE")
    tls-insecure: false

    # time in seconds before cancelling an HTTP request (env var: "ANCHORECTL_HTTP_TIMEOUT")
    timeout: 180

    # default HTTP headers to add to all HTTP requests (env var: "ANCHORECTL_HTTP_HEADERS")
    headers: map[]

Available Commands:
  account      Account related operations
  application  Application related operations
  archive      Archive rule and image operations
  completion   Generate the autocompletion script for the specified shell
  compliance   Compliance report operations
  correction   Correction related operations
  event        Event related operations
  feed         Feed related operations
  help         Help about any command
  image        Image related operations
  policy       Policy related operations
  registry     Registry credential operations
  repo         Repository related operations
  source       Source repository related operations
  subscription Subscription related operations
  system       System related operations
  user         User related operations
  version      show anchorectl version information

Global Flags:
  -c, --config string   application config file (env: ANCHORECTL_CONFIG)
  -h, --help            help for this command
  -q, --quiet           suppress all logging output (env: ANCHORECTL_QUIET)
  -v, --verbose count   increase verbosity (-v = info, -vv = debug) (env: ANCHORECTL_VERBOSITY)
      --version         version for this command

Use "[command] --help" for more information about a command.

Once installed and configured, a good way to quickly test that your anchorectl client is ready to use against a deployed and running Anchore Enterprise endpoint is to exercise the system status call, which will display status information fetched from your Enterprise deployment.

With ~/.anchorectl.yaml installed and populated correctly, no environment or parameters are required:


# anchorectl system status
 ✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE         │ HOST ID            │ URL                         │ UP   │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ rbac_authorizer │ anchore-quickstart │ http://rbac-authorizer:8228 │ true │ available      │ 530        │ 5.3.0        │
│ reports         │ anchore-quickstart │ http://reports:8228         │ true │ available      │ 530        │ 5.3.0        │
│ analyzer        │ anchore-quickstart │ http://analyzer:8228        │ true │ available      │ 530        │ 5.3.0        │
│ notifications   │ anchore-quickstart │ http://notifications:8228   │ true │ available      │ 530        │ 5.3.0        │
│ apiext          │ anchore-quickstart │ http://api:8228             │ true │ available      │ 530        │ 5.3.0        │
│ policy_engine   │ anchore-quickstart │ http://policy-engine:8228   │ true │ available      │ 530        │ 5.3.0        │
│ rbac_manager    │ anchore-quickstart │ http://rbac-manager:8228    │ true │ available      │ 530        │ 5.3.0        │
│ reports_worker  │ anchore-quickstart │ http://reports-worker:8228  │ true │ available      │ 530        │ 5.3.0        │
│ simplequeue     │ anchore-quickstart │ http://queue:8228           │ true │ available      │ 530        │ 5.3.0        │
│ catalog         │ anchore-quickstart │ http://catalog:8228         │ true │ available      │ 530        │ 5.3.0        │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘

Without setting up ~/.anchorectl.yaml or any configuration file, you can interact using environment variables:


ANCHORECTL_URL="http://localhost:8228" ANCHORECTL_USERNAME="admin" ANCHORECTL_PASSWORD="foobar" anchorectl system status
 ✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE         │ HOST ID            │ URL                         │ UP   │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ rbac_authorizer │ anchore-quickstart │ http://rbac-authorizer:8228 │ true │ available      │ 530        │ 5.3.0        │
│ reports         │ anchore-quickstart │ http://reports:8228         │ true │ available      │ 530        │ 5.3.0        │
│ analyzer        │ anchore-quickstart │ http://analyzer:8228        │ true │ available      │ 530        │ 5.3.0        │
│ notifications   │ anchore-quickstart │ http://notifications:8228   │ true │ available      │ 530        │ 5.3.0        │
│ apiext          │ anchore-quickstart │ http://api:8228             │ true │ available      │ 530        │ 5.3.0        │
│ policy_engine   │ anchore-quickstart │ http://policy-engine:8228   │ true │ available      │ 530        │ 5.3.0        │
│ rbac_manager    │ anchore-quickstart │ http://rbac-manager:8228    │ true │ available      │ 530        │ 5.3.0        │
│ reports_worker  │ anchore-quickstart │ http://reports-worker:8228  │ true │ available      │ 530        │ 5.3.0        │
│ simplequeue     │ anchore-quickstart │ http://queue:8228           │ true │ available      │ 530        │ 5.3.0        │
│ catalog         │ anchore-quickstart │ http://catalog:8228         │ true │ available      │ 530        │ 5.3.0        │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘

Next Steps

Once AnchoreCTL has been installed and configured, learn about Vulnerability Management.

Last modified February 19, 2024