Reporting and Remediation
Once you have identified vulnerabilities in the software shipped in a container image, the next step is remediation. This section covers typical usage patterns for reporting on vulnerabilities and for running remediation workflows.
Matching
On occasion, you may see a vulnerability identified by a GHSA (GitHub Security Advisory) ID instead of a CVE (Common Vulnerabilities and Exposures) ID. The reason is that Anchore Enterprise applies an order of precedence when matching vulnerabilities from its feeds. OS and third-party package feeds take precedence because they often contain more up-to-date information and match image content more accurately. However, these feeds may identify a vulnerability by its GHSA ID rather than by the CVE ID used in the NVD (National Vulnerability Database) feed.
The vulnerability ID Anchore Enterprise reports therefore depends on how the vulnerability was matched. The order of precedence is: packages installed by the OS package manager first, then third-party packages (Java, Python, Node), then NVD. The GHSA feeds tend to be ahead of the NVD feeds, so some vulnerabilities will match a GHSA entry before a corresponding CVE exists in NVD.
We are working to unify the presentation of vulnerability IDs to keep things more consistent. Currently our default is to report the CVE unless the GHSA provides a more accurate match.
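Added example (not Anchore's code): when a report is consumed downstream, the same issue can appear twice, once matched under a GHSA ID from a third-party feed and once under its CVE from NVD. The script below applies the precedence order described above to a constructed list of findings, collapses entries that share an ID or alias, and reports the highest-precedence match, falling back to the aliased CVE when the winner is a GHSA. The finding layout (`package`, `version`, `source`, `id`, `aliases`) and the placeholder identifiers are assumptions made for the example, not Anchore's output format.

```python
"""Normalize findings by the documented match precedence (OS > third-party > NVD).

Added example, not Anchore Enterprise code. The dict layout and the
placeholder IDs below are constructed for illustration.
"""

# Precedence exactly as the documentation describes it.
PRECEDENCE = {"os": 0, "third_party": 1, "nvd": 2}

# Constructed sample: the lodash issue is reported twice (GHSA via the
# third-party feed, CVE via NVD); openssl twice (OS feed and NVD);
# the last package only has a GHSA with no CVE alias yet.
SAMPLE_FINDINGS = [
    {"package": "lodash", "version": "4.17.15", "source": "third_party",
     "id": "GHSA-0000-0000-0001", "aliases": ["CVE-0000-0001"]},
    {"package": "lodash", "version": "4.17.15", "source": "nvd",
     "id": "CVE-0000-0001", "aliases": []},
    {"package": "openssl", "version": "1.1.1k-r0", "source": "os",
     "id": "CVE-0000-0002", "aliases": []},
    {"package": "openssl", "version": "1.1.1k-r0", "source": "nvd",
     "id": "CVE-0000-0002", "aliases": []},
    {"package": "some-lib", "version": "1.2.0", "source": "third_party",
     "id": "GHSA-0000-0000-0003", "aliases": []},
]


def identifiers(finding):
    """All IDs a finding is known by: its own ID plus any aliases."""
    return {finding["id"], *finding.get("aliases", [])}


def group_duplicates(findings):
    """Merge findings that describe the same issue on the same package/version.

    Two findings are the same issue when their identifier sets overlap.
    """
    groups = []
    for f in findings:
        ids = identifiers(f)
        for g in groups:
            same_pkg = g["package"] == f["package"] and g["version"] == f["version"]
            if same_pkg and g["ids"] & ids:
                g["ids"] |= ids
                g["members"].append(f)
                break
        else:
            groups.append({"package": f["package"], "version": f["version"],
                           "ids": set(ids), "members": [f]})
    return groups


def choose_reported_id(group):
    """Pick the highest-precedence match; prefer a CVE alias over a bare GHSA.

    Assumption: this mirrors the documented default of reporting the CVE
    unless only a GHSA match is available.
    """
    best = min(group["members"], key=lambda f: PRECEDENCE[f["source"]])
    reported = best["id"]
    if reported.startswith("GHSA-"):
        cves = sorted(i for i in group["ids"] if i.startswith("CVE-"))
        if cves:
            reported = cves[0]
    return {"package": group["package"], "version": group["version"],
            "reported_id": reported, "matched_via": best["source"],
            "all_ids": sorted(group["ids"])}


def normalize(findings):
    """Return one row per distinct issue, in first-seen order."""
    return [choose_reported_id(g) for g in group_duplicates(findings)]


if __name__ == "__main__":
    for row in normalize(SAMPLE_FINDINGS):
        print(row)
```

Running it yields three rows instead of five: lodash reported as its CVE but marked as matched via the third-party feed, openssl via the OS feed, and the last package still under its GHSA because no CVE alias is known. Keep `all_ids` in your report so an auditor can cross-reference either identifier.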
Reporting
The Reports tab is your gateway to producing insights into the collective status of your container image environment based on the back-end Enterprise Reporting Service.
Note: Because the reporting data cycle is configurable, the results shown in this view may not precisely reflect actual analysis output at any given time.
For more information on how to modify this cycle or the Reporting Service in general, please refer to the Reporting Service documentation.
Custom Reports
The Report feature provides the tools to create custom reports, run a report on a schedule (or store it for later use), and be notified when it executes, so that you receive the insights you are interested in across all of an account's artifacts.
In addition, you can create user templates (also known as custom templates) that use any of the preconfigured system templates offered with the application as their basis, or create your own templates from scratch. Templates provide the structure and filter definitions the application uses in order to generate reports.
Action Plans
Action plans group the remediation steps required to address the vulnerabilities and policy failures found on a particular image. They are created and managed from the Action Workbench on an image’s Artifact Analysis view in the Enterprise UI, and are also available via the API.
Currently, Anchore Enterprise supports one type of action plan — notification — which sends the collected resolutions to a preconfigured notification endpoint (for example, SMTP or Slack). This makes it easy to communicate required actions to the team responsible for a given image.
Action Plan Payload
An action plan is submitted as a JSON document with the following fields:
- type: the type of action plan. Currently only notification is supported.
- image_tag: the full image tag the action plan targets.
- image_digest: the image digest the action plan targets.
- bundle_id: the ID of the policy bundle that surfaced the findings.
- resolutions: a list of resolution objects, each combining a set of trigger_ids with the remediation content that should be sent.
- subject: the subject line applied to the generated notification.
- message: the message body applied to the generated notification.
- endpoint: the notification endpoint type the action plan is delivered through.
- configuration_id: the UUID of the notification configuration registered for the chosen endpoint.
Example payload:
{
"type": "notification",
"image_tag": "docker.io/alpine:latest",
"image_digest": "sha256:c0e9560cda118f9ec63ddefb4a173a2b2a0347082d7dff7dc14272e7841a5b5a",
"bundle_id": "anchore_default_bundle",
"resolutions": [
{
"trigger_ids": ["CVE-2020-11-09-fake"],
"content": "This is a Resolution for the CVE"
}
],
"subject": "Actions required for image: alpine:latest",
"message": "These are some issues Anchore found in alpine:latest, and how to resolve them",
"endpoint": "smtp",
"configuration_id": "cda118f9ec63ddefb4a173a2b2a03"
}
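Added example (not Anchore's code): the payload above is easy to get subtly wrong when generated by a script, for instance an empty trigger_ids list, a digest that is not a full sha256, or the same trigger listed under two resolutions. The script below assembles a payload of this shape from a constructed list of (trigger_id, remediation) pairs, grouping triggers that share a fix into one resolution, and validates it before it is sent. The findings list and the placeholder trigger IDs are constructed for the example; the digest and configuration_id values are copied from the page's own example, and the set of valid endpoint types is not checked because the page lists only smtp and Slack as examples.

```python
"""Build and validate a notification action-plan payload.

Added example, not Anchore Enterprise code. SAMPLE_FINDINGS and the
trigger IDs in it are constructed placeholders.
"""
import json
import re
from collections import defaultdict

DIGEST_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed findings: (trigger_id, remediation text). Two triggers share
# one fix and should land in a single resolution.
SAMPLE_FINDINGS = [
    ("CVE-0000-0001-example", "Upgrade libssl to the patched distro package"),
    ("CVE-0000-0002-example", "Upgrade libssl to the patched distro package"),
    ("CVE-0000-0003-example", "Rebuild the image from a newer base tag"),
]

# Values taken from the page's example payload.
EXAMPLE_DIGEST = "sha256:c0e9560cda118f9ec63ddefb4a173a2b2a0347082d7dff7dc14272e7841a5b5a"
EXAMPLE_CONFIGURATION_ID = "cda118f9ec63ddefb4a173a2b2a03"


def build_action_plan(image_tag, image_digest, bundle_id, findings,
                      endpoint, configuration_id):
    """Return a payload dict with the fields documented for an action plan."""
    by_fix = defaultdict(list)          # remediation text -> trigger ids
    for trigger_id, fix in findings:
        by_fix[fix].append(trigger_id)
    short = image_tag.rsplit("/", 1)[-1]  # "docker.io/alpine:latest" -> "alpine:latest"
    return {
        "type": "notification",         # the only supported type today
        "image_tag": image_tag,
        "image_digest": image_digest,
        "bundle_id": bundle_id,
        "resolutions": [{"trigger_ids": ids, "content": fix}
                        for fix, ids in by_fix.items()],
        "subject": f"Actions required for image: {short}",
        "message": f"These are some issues Anchore found in {short}, "
                   f"and how to resolve them",
        "endpoint": endpoint,
        "configuration_id": configuration_id,
    }


def validate_action_plan(plan):
    """Return a list of problems; an empty list means the payload is well formed."""
    problems = []
    if plan.get("type") != "notification":
        problems.append("type must be 'notification' (the only supported type)")
    if not DIGEST_RE.match(plan.get("image_digest", "")):
        problems.append("image_digest must be sha256:<64 hex characters>")
    for field in ("image_tag", "bundle_id", "subject", "message",
                  "endpoint", "configuration_id"):
        if not plan.get(field):
            problems.append(f"{field} is required")
    resolutions = plan.get("resolutions") or []
    if not resolutions:
        problems.append("at least one resolution is required")
    seen = set()
    for i, res in enumerate(resolutions):
        ids = res.get("trigger_ids") or []
        if not ids:
            problems.append(f"resolution {i}: trigger_ids is empty")
        if not res.get("content"):
            problems.append(f"resolution {i}: content is empty")
        dup = seen.intersection(ids)
        if dup:
            problems.append(f"resolution {i}: trigger ids already covered: {sorted(dup)}")
        seen.update(ids)
    return problems


def to_json(plan):
    """Serialize the plan as the JSON document the API expects."""
    return json.dumps(plan, indent=2)


if __name__ == "__main__":
    plan = build_action_plan("docker.io/alpine:latest", EXAMPLE_DIGEST,
                             "anchore_default_bundle", SAMPLE_FINDINGS,
                             "smtp", EXAMPLE_CONFIGURATION_ID)
    print(to_json(plan))
    print("problems:", validate_action_plan(plan))
```

The validator is deliberately stricter than the field list: a trigger ID listed under two resolutions would send the recipient two conflicting instructions for one finding, so it is flagged even though nothing in the payload format forbids it. Run `validate_action_plan` on every generated plan and refuse to submit if it returns anything.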
Access to action plans requires the getActions permission. For details on reaching Action Workbench in the UI, see Work with Applications Generated from Image Containers.