Working with Subscriptions

Introduction

Anchore Enterprise supports 7 types of subscriptions.

  • Tag Update
  • Policy Update
  • Vulnerability Update
  • Analysis Update
  • Alerts
  • Repository Update
  • Runtime Inventory

For detailed information about subscriptions, please see Subscriptions.

Managing Subscriptions

Subscriptions can be managed using AnchoreCTL.

Listing Subscriptions

Running the subscription list command will output a table showing the type and status of each subscription.


# anchorectl subscription list | more
 ✔ Fetched subscriptions
┌──────────────────────────────────────────────────────────────────────┬─────────────────┬────────┐
│ KEY                                                                  │ TYPE            │ ACTIVE │
├──────────────────────────────────────────────────────────────────────┼─────────────────┼────────┤
│ docker.io/alpine:latest                                              │ policy_eval     │ false  │
│ docker.io/alpine:3.12.4                                              │ policy_eval     │ false  │
│ docker.io/alpine:latest                                              │ vuln_update     │ false  │
│ docker.io/redis:latest                                               │ policy_eval     │ false  │
│ docker.io/centos:8                                                   │ policy_eval     │ false  │
│ docker.io/alpine:3.8.4                                               │ policy_eval     │ false  │
│ docker.io/centos:8                                                   │ vuln_update     │ false  │
...
└──────────────────────────────────────────────────────────────────────┴─────────────────┴────────┘

Note: Tag Subscriptions are tied to registry/repo:tag and not to image IDs.

Activating Subscriptions

The subscription activate command is used to enable a subscription type for a given image. The command takes the following form:

anchorectl subscription activate SUBSCRIPTION_KEY SUBSCRIPTION_TYPE

SUBSCRIPTION_TYPE should be one of:

  • tag_update
  • vuln_update
  • policy_eval
  • analysis_update

SUBSCRIPTION_KEY should be the name of the subscribed tag, e.g. docker.io/ubuntu:latest

For example:


# anchorectl subscription activate docker.io/ubuntu:latest tag_update
 ✔ Activate subscription
Key: docker.io/ubuntu:latest
Type: tag_update
Id: 04f0e6d230d3e297acdc91ed9944278d
Active: true

and to de-activate:

# anchorectl subscription deactivate docker.io/ubuntu:latest tag_update
 ✔ Deactivate subscription
Key: docker.io/ubuntu:latest
Type: tag_update
Id: 04f0e6d230d3e297acdc91ed9944278d
Active: false

Tag Update Subscription

Any new tag added to Anchore Enterprise by AnchoreCTL will, by default, enable the Tag Update Subscription.

If you do not need this functionality, you can use the flag --no-auto-subscribe or set the environment variable ANCHORECTL_IMAGE_NO_AUTO_SUBSCRIBE when adding new tags.

# ./anchorectl image add docker.io/ubuntu:latest --no-auto-subscribe

Runtime Inventory Subscription

AnchoreCTL provides commands to help navigate the runtime_inventory subscription. The subscription will monitor a specified runtime inventory context and add its images to the system for analysis.

Listing Inventory Watchers

# ./anchorectl inventory watch list
 ✔ Fetched watches
┌──────────────────────────┬───────────────────┬────────┐
│ KEY                      │ TYPE              │ ACTIVE │
├──────────────────────────┼───────────────────┼────────┤
│ cluster-one/my-namespace │ runtime_inventory │ false  │
└──────────────────────────┴───────────────────┴────────┘

Activating an Inventory Watcher

Note: This command will create the subscription if one does not already exist.

# ./anchorectl inventory watch activate cluster-one/my-namespace
 ✔ Activate watch
┌──────────────────────────┬───────────────────┬────────┐
│ KEY                      │ TYPE              │ ACTIVE │
├──────────────────────────┼───────────────────┼────────┤
│ cluster-one/my-namespace │ runtime_inventory │ true   │
└──────────────────────────┴───────────────────┴────────┘

Deactivating an Inventory Watcher

# ./anchorectl inventory watch deactivate cluster-one/my-namespace
 ✔ Deactivate watch
┌──────────────────────────┬───────────────────┬────────┐
│ KEY                      │ TYPE              │ ACTIVE │
├──────────────────────────┼───────────────────┼────────┤
│ cluster-one/my-namespace │ runtime_inventory │ false  │
└──────────────────────────┴───────────────────┴────────┘

Webhook Configuration

Webhooks are configured in the Anchore Enterprise configuration file config.yaml. In the sample configuration file, webhooks are disabled (commented out).

webhooks:
  webhook_user: 'user'
  webhook_pass: 'pass'
  ssl_verify: False

The webhooks can optionally pass basic credentials to the webhook endpoint; if these are not required, the webhook_user and webhook_pass entries can be commented out. By default, TLS/SSL connections will validate the certificate presented by the endpoint. This can be suppressed by uncommenting the ssl_verify option.

  general:
    url: 'http://localhost:9090/general/<notification_type>/<userId>'

If configured, the general webhook will receive all notifications (policy_eval, tag_update, vuln_update) for each user. In this case <notification_type> will be replaced by the appropriate type and <userId> will be replaced by the configured user, which is, by default, admin, e.g. http://localhost:9090/general/vuln_update/admin

policy_eval:
    url: 'http://localhost:9090/somepath/<userId>'
    webhook_user: 'mehuser'
    webhook_pass: 'mehpass'

Specific endpoints for each event type can also be configured, for example an endpoint for policy_eval notifications. In these cases the url, username, password and SSL/TLS verification can be specified per endpoint.

error_event:
    url: 'http://localhost:9090/error_event/'

This webhook, if configured, will send a notification if any FATAL system events are logged.
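A minimal receiver for the general webhook described above, written as an added example (it is not Anchore's own code): it verifies the basic credentials from config.yaml in constant time before reading any body, extracts <notification_type> and <userId> from the path, and rejects anything that does not match the configured URL shape. The hostname, port and credentials are assumed placeholders.

```python
"""Receiver for the Anchore Enterprise general webhook (added example, not
Anchore's code). Assumes config.yaml points webhooks.general.url at
'http://localhost:9090/general/<notification_type>/<userId>' and sets
webhook_user/webhook_pass, so every POST carries HTTP basic auth.
Host, port and the credentials below are constructed placeholders."""
import base64
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

WEBHOOK_USER = "user"  # must match webhooks.webhook_user in config.yaml
WEBHOOK_PASS = "pass"  # must match webhooks.webhook_pass in config.yaml
KNOWN_TYPES = {"policy_eval", "tag_update", "vuln_update"}  # carried by the general hook

def check_basic_auth(header, user=WEBHOOK_USER, password=WEBHOOK_PASS):
    """True only if the header carries the configured basic credentials;
    the constant-time compare keeps timing from leaking partial matches."""
    if not header or not header.startswith("Basic "):
        return False
    try:
        decoded = base64.b64decode(header[6:], validate=True).decode()
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return False
    return hmac.compare_digest(decoded.encode(), f"{user}:{password}".encode())

def parse_general_path(path):
    """Split '/general/<notification_type>/<userId>' into (type, user id);
    None for any other shape or an unexpected type, so a misrouted POST is dropped."""
    parts = path.strip("/").split("/")
    if len(parts) != 3 or parts[0] != "general" or not parts[2]:
        return None
    return (parts[1], parts[2]) if parts[1] in KNOWN_TYPES else None

class WebhookHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        if not check_basic_auth(self.headers.get("Authorization")):
            self.send_error(401)  # reject before reading any body
            return
        parsed = parse_general_path(self.path)
        if parsed is None:
            self.send_error(404)
            return
        length = int(self.headers.get("Content-Length", 0))
        body = json.loads(self.rfile.read(length) or b"{}")
        print(f"{parsed[0]} notification for account {parsed[1]}: {str(body)[:200]}")
        self.send_response(204)
        self.end_headers()

if __name__ == "__main__":
    HTTPServer(("localhost", 9090), WebhookHandler).serve_forever()
```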

Last modified February 13, 2024