Tech Preview - V2 Vulnerability Scanner

Tech Preview: V2 Vulnerability Scanner

A new vulnerability scanning engine, based on Grype improves performance, reduces database load, and provides better vulnerability matching results. It includes a new vulnerability feed sync process integrated into the enterprise feed service that also provides faster feed syncs from the feed service to the policy engine.

Tech Preview Status

Note: The v2 scanner is intended for use in sandbox or staging environments in the current release. It is not possible to run both vulnerability scanners at the same time. This configuration is picked up at bootstrap, and cannot be changed on a running system.

  1. The new mode must be set at deployment time, the scanner is configured at service startup.
  2. Switching modes in a deployment is not supported.
  3. Downgrading from the v2 scanner back to the legacy scanner is not supported.
  4. Some features of the policy system are not yet supported in this mode:
  5. vulnerability gate triggers not supported for the new scanner. They will return incorrect results when used.
    1. vulnerability_data_unavailable
    2. stale_feed_data policy
  6. Windows container scanning is not yet supported. Support will be added in the next feature release.
  7. Proprietary vulnerability feeds are not yet supported in this scanner. Support will be added in the next feature release.

Running with docker-compose

  1. Install or update to Anchore Enterprise 3.1.0
  2. Add the following environment variable to the policy engine container section of the docker compose file:
    policy-engine:
      ...
      environment:
      ...
      - ANCHORE_VULNERABILITIES_PROVIDER=grype
  1. Redeploy the services.

Running with helm

  1. Install or update to Anchore Engine 0.10.0.
  2. Update the following value in your values.yaml configuration file. See the chart README for more details on configuring this file:
    anchorePolicyEngine
      ...
      vulnerabilityProvider: grype
    
  1. Redeploy the services
    helm upgrade

After making the relevant change above and redeploying, the system will start up with the v2 vulnerability scanner enabled and will sync the latest version of grype db as built by your local feed service. Note that legacy feeds will no longer be synced while the v2 scanner is configured. All vulnerability data and scanning will now come from the ‘grypedb’ feed.

Vulnerability Feed Data and Syncs

The v2 scanner has its own feed sync mechanism that generates a Grype vulnerability DB from your locally installed feed service instead of https://ancho.re as used by Grype itself. This results in a much faster sync process since the DB is packaged as a single database file. It also reduces load on the Engine DB since the scanner matching and syncs do not require large amounts of writes into the Engine DB. The Grype vulnerability DB is built from the same sources as the legacy service, so there is no reduction in scan coverage or vulnerabilities sources supported.

The feed synced by the Grype provider is identified as feed name ‘grypedb’ when using the feed listing API or anchore-cli system feeds list CLI command.