AnchoreCTL Release Notes - Version 5.19.0
Note: AnchoreCTL v5.19.x versions are compatible with Enterprise v5.19.x deployments.
AnchoreCTL v5.19.0
Improvements
- Anchore STIG - Anchore now has support for running STIG evaluations against container images.
- The feature provides the ability to download STIG profiles, generate STIG evaluations and upload them to your
Anchore Enterprise deployment. This feature requires the
cinc-auditortool to be installed on the system whereanchorectlis being run. This feature is available through a new entitlement called Static STIG AddOn. - The following new commands and command updates are added in support of this workflow:
- New command
anchorectl image stig write-profiles <path to write profiles> [--include-experimental]allows users to download the Anchore STIG profiles and write them to a specified directory. This command also allows users to download experimental profiles that are not yet formally supported. - New command
anchorectl image stig run <image reference> <-p path to profile file>generates and uploads a STIG evaluation to Anchore Enterprise. - New command
anchorectl image stig list <image digest>returns the metadata for all STIG evaluations uploaded to Anchore Enterprise for the specified image digest. - New command
anchorectl image stig delete <image digest> <stig evaluation uuid>deletes a STIG evaluation for the specified image digest and STIG evaluation UUID. - New command
anchorectl image stig add <image digest> <path to stig evaluation>uploads a STIG evaluation for the specified image digest. - New command
anchorectl image stig download <image digest> <stig evaluation uuid>downloads a STIG evaluation for the specified image digest and STIG evaluation UUID. - Updated command
anchorectl image addto support the--stigand--stig-profileflags to allow users to generate and upload a STIG evaluation during the image add workflow. - For more detail on this feature, please see the Anchore STIG documentation.
- New command
- The feature provides the ability to download STIG profiles, generate STIG evaluations and upload them to your
Anchore Enterprise deployment. This feature requires the
- Anchore One Time Scan - A stateless scan feature that allows users to scan images without persisting the data in the Anchore Enterprise deployment.
- New command
anchorectl image one-time-scan <pull string>allows users to submit an image for a one time scan. - The command will return the policy evaluation summary and vulnerabilities found in the image. If provided with a
destination directory, the command will output three documents in the specified directory:
- SBOM
- policy evaluation
- vulnerability list
- The policy evaluation will be performed against the active policy bundle in the account provided with the Secure Module Gates of vulnerabilities and secret_scans.
- New command
- The
anchorectl system integration listcommand has been updated to include the name of each integration. - Various package updates to improve security and performance.
Fixes
- When running
anchorectl airgap feed downloadwith debug logging enabled, the command will no longer print any tokens.