Checking Enabled Feed Configuration
Documentation: How to Check Enabled Ecosystem Feed Configuration Settings in config.yaml
Overview
This guide explains how to check enabled ecosystem feed configuration settings in the config.yaml file for Anchore. These settings determine features like CPE (Common Platform Enumeration) matching for specific packages. We will explore how to check these configurations manually from within the container, which can be useful for verifying that your changes have been applied.
Use Case Example
If you have disabled certain settings (e.g., CPE matching for Go and Java packages) and want to verify these changes without running an image scan, follow the steps below.
Checking Configuration in Kubernetes (K8s)
Access the Container
- If Anchore is running inside a Kubernetes pod, you can access the config.yaml file by following the steps below:
List the running pods in your Kubernetes namespace
kubectl get pods -n <namespace>
Exec into the policy pod to display your anchore-config file
kubectl exec -n <namespace> -ti <pod-name> -- /scripts/anchore-config
Scroll through the anchore-config file to see whether the desired ecosystem matching is enabled or disabled. (Note: to match on ecosystems, you will want search by_cpe to be false.)
policy_engine:
  vulnerabilities:
    matching:
      default:
        search:
          by_cpe:
            enabled: true
      ecosystem_specific:
        dotnet:
          search:
            by_cpe:
              enabled: true
        golang:
          search:
            by_cpe:
              enabled: true
        java:
          search:
            by_cpe:
              enabled: true
        javascript:
          search:
            by_cpe:
              enabled: false
        python:
          search:
            by_cpe:
              enabled: true
        ruby:
          search:
            by_cpe:
              enabled: true
        stock:
          search:
            by_cpe:
              # Disabling search by CPE for the stock matcher will entirely disable binary-only matches
              # and is NOT ADVISED
              enabled: true
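As an added example (not part of the Anchore documentation or tooling), the shell functions below turn this manual check into a scripted one: by_cpe_report extracts each by_cpe setting from YAML on stdin, and by_cpe_disabled fails if a named ecosystem still has CPE matching enabled. The function names and the sample config are constructed for illustration, and the parser assumes the space-indented layout shown above.

```shell
# Print "<ecosystem>=<true|false>" for every by_cpe setting in YAML read from stdin.
by_cpe_report() {
  awk '
    /^[ \t]*#/ || /^[ \t]*$/ { next }            # skip comment and blank lines
    {
      ind = match($0, /[^ ]/) - 1                # indentation of this key
      val = substr($0, ind + 1); key = val; sub(/:.*/, "", key)
      sub(/^[^:]*:[ \t]*/, "", val); sub(/[ \t]+#.*/, "", val)
      while (d > 0 && indent[d] >= ind) d--      # pop siblings and deeper keys
      d++; indent[d] = ind; name[d] = key
      if (key != "enabled" || d < 5 || name[d-1] != "by_cpe" || name[d-2] != "search") next
      if (name[d-3] == "default" && name[d-4] == "matching") print "default=" val
      else if (name[d-4] == "ecosystem_specific") print name[d-3] "=" val
    }'
}

# Return 0 only if every ecosystem named after the report text ($1) has by_cpe disabled.
by_cpe_disabled() {
  report=$1; shift; rc=0
  for eco in "$@"; do
    state=$(printf '%s\n' "$report" | sed -n "s/^$eco=//p")
    [ "$state" = "false" ] && continue
    echo "by_cpe not disabled for $eco (found: ${state:-missing})" >&2; rc=1
  done
  return $rc
}

# Constructed sample in the layout shown on this page (not output from a real deployment).
sample_config() {
  cat <<'EOF'
policy_engine:
  vulnerabilities:
    matching:
      default:
        search:
          by_cpe:
            enabled: true
      ecosystem_specific:
        golang:
          search:
            by_cpe:
              enabled: false
        java:
          search:
            by_cpe:
              enabled: true
EOF
}
sample_config | by_cpe_report
```

Against a live deployment, pipe the output of the kubectl exec command above into by_cpe_report, dropping -ti because the output is piped rather than shown on a terminal.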
Last modified September 29, 2024