Anchore Inline Scanning

Warning: The Anchore Inline Scan script is deprecated and will reach EOL on Jan 10, 2022. Please update your integrations to use Grype for CI-based vulnerability scanning or Syft. We will be updating our integrations that use inline_scan during that time to use Grype directly. Until that time all integrations will continue to function and get updated vulnerability data.

Until Jan 10, 2022: we will continue building inline_scan images based on v0.10.x of Anchore Engine and they will be updated daily for latest feed data. On Jan 10, 2022, we will stop building new versions of the images with updated vulnerability data and the data will be stale.

After Jan 10, 2022: users should be transitioned to Grype or Grype-based integrations.


curl -s | bash -s -- -p alpine:latest

To make using our inline-scan container as easy as possible, we have provided a simple wrapper script called inline_scan. The only requirements to run the inline_scan script is the ability to execute Docker commands & bash. We host a versioned copy of this script that can be downloaded directly with curl and executed in a bash pipeline.

To run the script on your workstation, use the following command syntax.

curl -s | bash -s -- [options] IMAGE_NAME(s)

Inline Scan Options

-b <PATH>  [optional] Path to local Anchore policy bundle (ex: -b ./policy_bundle.json)
-d <PATH>  [optional] Path to local Dockerfile (ex: -d ./dockerfile)
-v <PATH>  [optional] Path to directory, all image archives in directory will be scanned (ex: -v /tmp/scan_images/)
-t <TEXT>  [optional] Specify timeout for image scanning in seconds. Defaults to 300s. (ex: -t 500)
-f  [optional] Exit script upon failed Anchore policy evaluation
-p  [optional] Pull remote docker images
-r  [optional] Generate analysis reports in your current working directory
-V  [optional] Increase verbosity


Pull multiple images from DockerHub, scan them all and generate individual reports in ./anchore-reports.

curl -s | bash -s -- -p -r alpine:latest ubuntu:latest centos:latest

Perform a local docker build, then pass the Dockerfile to anchore inline scan. Use a custom policy bundle to ensure Dockerfile compliance, failing the script if anchore policy evaluation does not pass.

docker build -t example-image:latest -f Dockerfile .
curl -s | bash -s -- -f -d Dockerfile -b .anchore-policy.json example-image:latest

Save multiple docker image archives to a directory, then mount the entire directory for analysis using a timeout of 500s.

cd example1/
docker build -t example1:latest .
cd ../example2
docker build -t example2:latest .
cd ..
mkdir images/
docker save example1:latest -o images/example1+latest.tar
docker save example2:latest -o images/example2+latest.tar
curl -s | bash -s -- -v ./images -t 500

CI Implementations

All of the following examples can be found in this Github repository -


This workflow requires the $DOCKER_USER & $DOCKER_PASS environment variables to be set in a context called dockerhub in your CircleCI account settings at settings -> context -> create

config.yml -

version: 2.1
    - image: docker:stable
      IMAGE_NAME: btodhunter/anchore-ci-demo
      IMAGE_TAG: circleci
    - checkout
    - setup_remote_docker
    - run:
        name: Build image
        command: docker build -t "${IMAGE_NAME}:ci" .
    - run:
        name: Scan image
        command: |
          apk add curl bash
          curl -s | bash -s -- -r "${IMAGE_NAME}:ci"
    - run:
        name: Push to DockerHub
        command: |
          echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
          docker tag "${IMAGE_NAME}:ci" "${IMAGE_NAME}:${IMAGE_TAG}"
          docker push "${IMAGE_NAME}:${IMAGE_TAG}"
    - store_artifacts:
        path: anchore-reports/
    - build_scan_image:
        context: dockerhub


GitLab allows docker command execution through a docker:dind service container. This job pushes the image to the GitLab registry, using built-in environment variables for specifying the image name and registry login credentials.

.gitlab-ci.yml -


- build

  stage: build
  image: docker:stable
  - docker:stable-dind

    DOCKER_DRIVER: overlay2

  - echo "$CI_JOB_TOKEN" | docker login -u gitlab-ci-token --password-stdin "${CI_REGISTRY}"
  - docker build -t "$IMAGE_NAME" .
  - apk add bash curl 
  - curl -s | bash -s -- -r -t 500 "$IMAGE_NAME"
  - docker push "$IMAGE_NAME"

    - anchore-reports/*


This job requires creating an encrypted environment variable file for loading the $DOCKER_USER & $DOCKER_PASS variables into your job. See -

codeship-services.yml -

  add_docker: true
  image: docker:stable-git
    IMAGE_NAME: btodhunter/anchore-ci-demo
    IMAGE_TAG: codeship
  encrypted_env_file: env.encrypted

codeship-steps.yml -

- name: build-scan
  service: anchore
  command: sh -c 'apk add bash curl &&
    mkdir -p /build && 
    cd /build &&
    git clone . &&
    docker build -t "${IMAGE_NAME}:ci" . &&
    curl -s | bash -s -- -f -b .anchore_policy.json "${IMAGE_NAME}:ci" &&
    echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin &&
    docker tag "${IMAGE_NAME}:ci" "${IMAGE_NAME}:${IMAGE_TAG}" &&
    docker push "${IMAGE_NAME}:${IMAGE_TAG}"'

Jenkins pipeline

To allow pushing to a private registry, the dockerhub-creds credentials must be created in the Jenkins server settings at - Jenkins -> Credentials -> System -> Global credentials -> Add Credentials

This example was tested against the Jenkins installation detailed here, using the declarative pipeline syntax -

Jenkinsfile -

    agent {
        docker {
            image 'docker:stable'
    environment {
        IMAGE_NAME = 'btodhunter/anchore-ci-demo'
        IMAGE_TAG = 'jenkins'
    stages {
        stage('Build Image') {
            steps {
                sh 'docker build -t ${IMAGE_NAME}:ci .'
        stage('Scan') {
            steps {        
                sh 'apk add bash curl'
                sh 'curl -s | bash -s -- -d Dockerfile -b .anchore_policy.json ${IMAGE_NAME}:ci'
        stage('Push Image') {
            steps {
                withDockerRegistry([credentialsId: "dockerhub-creds", url: ""]){
                    sh 'docker tag ${IMAGE_NAME}:ci ${IMAGE_NAME}:${IMAGE_TAG}'
                    sh 'docker push ${IMAGE_NAME}:${IMAGE_TAG}'


The $DOCKER_USER & $DOCKER_PASS environment variables must be setup in the TravisCI console at repository -> settings -> environment variables

.travis.yml -

language: node_js

  - docker

  - IMAGE_NAME="btodhunter/anchore-ci-demo" IMAGE_TAG="travisci"

  - docker build -t "${IMAGE_NAME}:ci" .
  - curl -s | bash -s -- "${IMAGE_NAME}:ci"
  - echo "$DOCKER_PASS" | docker login -u "$DOCKER_USER" --password-stdin
  - docker tag "${IMAGE_NAME}:ci" "${IMAGE_NAME}:${IMAGE_TAG}"
  - docker push "${IMAGE_NAME}:${IMAGE_TAG}"

AWS CodeBuild

The $DOCKER_USER, $DOCKER_PASS, $IMAGE_NAME, & $IMAGE_TAG environment variables must be set in the CodeBuild console at Build Projects -> <PROJECT_NAME> -> Edit Environment -> Additional Config -> Environment Variables

buildspec.yml -

version: 0.2

      - docker build -t ${IMAGE_NAME}:${IMAGE_TAG} .

      - curl -s | bash -s -- ${IMAGE_NAME}:${IMAGE_TAG}
      - echo $DOCKER_PASS | docker login -u $DOCKER_USER --password-stdin
      - docker push ${IMAGE_NAME}:${IMAGE_TAG}
Last modified November 18, 2021