Enabling Windows Scanning
To enable windows support in the quickstart install docker-compose.yaml file you must:
Go to the directory where you have the quickstart docker-compose.yaml downloaded. Or, see Quickstart for download and setup instructions.
If your system is already running, shut it down:
docker-compose down(NOTE: do NOT use the
-voption or that will delete your database and reset the systeme entirely)
Enable the feeds service to run. Uncomment the feeds service and enterprise-feeds-db services in docker-compose.yaml
The following also includes the GitHub advisories feed for NuGet/.NET support and for parity with the hosted feed service.
Note that you will need to obtain and provide access tokens for MSRC and GitHub vulnerability feed configuration. See the comments inline for instructions on how to obtain these tokens.
services: ... # Uncomment this section to add an on-prem feed service to this deployment. This will incur first-time feed sync delay, but is included for completeness / review of enterprise service deployment options enterprise-feeds-db: image: "postgres:9" volumes: - enterprise-feeds-db-volume:/var/lib/postgresql/data environment: - POSTGRES_PASSWORD=mysecretpassword expose: - 5432 logging: driver: "json-file" options: max-size: 100m feeds: image: docker.io/anchore/enterprise:v3.1.0 volumes: - feeds-workspace-volume:/workspace - ./license.yaml:/license.yaml:ro #- ./config-enterprise.yaml:/config/config.yaml:z depends_on: - enterprise-feeds-db ports: - "8448:8228" logging: driver: "json-file" options: max-size: 100m environment: - ANCHORE_ENDPOINT_HOSTNAME=feeds - ANCHORE_DB_HOST=enterprise-feeds-db - ANCHORE_DB_PASSWORD=mysecretpassword - ANCHORE_ENABLE_METRICS=false - ANCHORE_LOG_LEVEL=INFO # Uncomment the following to enable Microsoft msrc driver. Follow https://portal.msrc.microsoft.com/en-us/developer to generate an API key - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_ENABLED=true - ANCHORE_ENTERPRISE_FEEDS_MSRC_DRIVER_API_KEY=<INSERT YOUR MSRC KEY HERE> # Uncomment ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN for github driver. # Generate token with https://github.com/settings/tokens/new?scopes=user,public_repo,repo,repo_deployment,repo:status,read:repo_hook,read:org,read:public_key,read:gpg_key # and assign the value to environment variable - ANCHORE_ENTERPRISE_FEEDS_GITHUB_DRIVER_TOKEN=<INSERT YOUR GITHUB KEY HERE> command: ["anchore-enterprise-manager", "service", "start", "feeds"]
Note: Windows image analysis is not yet available for the tech preview Grype vulnerability scanner. It will be added in a future release.
Configure the policy engine to use the deployed feed service instead of the hosted feed service, and enable the microsoft feed by uncommenting the ANCHORE_FEEDS_MICROSOFT_ENABLED variable
Ensure the following environment variables are set in the docker-compose.yaml file:
services: ... policy-engine: ... environment: ... # Uncomment the ANCHORE_FEEDS_* environment variables (and uncomment the feeds db and service sections at the end of this file) to use the on-prem feed service - ANCHORE_FEEDS_URL=http://feeds:8228/v1/feeds - ANCHORE_FEEDS_CLIENT_URL=null - ANCHORE_FEEDS_TOKEN_URL=null # Uncomment the next variable in addition to enabling the on-prem feed service just above, to enable syncing of the MSRC data feeds for windows scanning support. - ANCHORE_FEEDS_MICROSOFT_ENABLED=true ...
Start/Restart the deployment:
docker-compose up -d
Wait for vulnerability data to sync. Now that your installation includes a local feed service, you must first wait for the local feed service to populate, and then for your Anchore Enterprise policy engine to synchronize its feeds with the new local service. This can take several hours for the initial sync, depending on network and local resource speeds. Eventually, executing the following command:
# docker-compose exec api anchore-cli system feeds list
will show ‘microsoft’ feed, with ‘msrc’ group data entries. In addition, you can verify with
anchore-cli event list to show a feed sync complete event for the ‘microsoft’ feed.
Scan windows images! Either via the UI, or CLI analyze windows-based images
Installed KBs available via the ‘OS’ content type:
anchore-cli image content <windows img> os
Was this page helpful?
Glad to hear it! Please tell us how we can improve.
Sorry to hear that. Please tell us how we can improve.