Scanning Repositories

Introduction

Individual images can be added to Anchore Enterprise using the image add command. This may be performed by a CI/CD plugin such as Jenkins or manually by a user with the UI, AnchoreCTL or API.

Anchore Enterprise can also be configured to scan repositories and automatically add any tags found in the repository. This is referred to as a Repository Subscription. Once added, Anchore Enterprise will periodically check the repository for new tags and add them to Anchore Enterprise. For more details on the Repository Subscription, please see Subscriptions.

Note: When you add a registry to Anchore, no images are pulled automatically. This is to prevent your Anchore deployment from being overwhelmed by a very large number of images. Therefore, you should think of adding a registry as a preparatory step that allows you to then add specific repositories or tags without having to provide the access credentials for each. Because a repository typically includes a manageable number of images, when you add a repository to Anchore, all tags in that repository are automatically pulled and analyzed by Anchore. For more information about managing registries, see Managing Registries.

Adding Repositories

The repo add command instructs Anchore Enterprise to add the specified repository to the watch list.


# anchorectl repo add docker.io/alpine
 ✔ Added repo
┌──────────────────┬─────────────┬────────┐
│ KEY              │ TYPE        │ ACTIVE │
├──────────────────┼─────────────┼────────┤
│ docker.io/alpine │ repo_update │ true   │
└──────────────────┴─────────────┴────────┘

Once added, Anchore Enterprise will identify the list of tags within the repository and add them to the catalog to be analyzed. There is an option to exclude existing tags from being added to the system. This is useful when you want to watch for and add only new tags to the system without adding tags that are already present. To do this, use the --exclude-existing-tags option.

By default, Anchore Enterprise will also automatically add the discovered tags to the list of subscribed tags (see Working with Subscriptions). This behavior can be overridden by passing the --auto-subscribe=<true|false> option.

Listing Repositories

The repo list command will show the repositories monitored by Anchore Enterprise.


# anchorectl repo list
 ✔ Fetched repos
┌─────────────────────────┬─────────────┬────────┐
│ KEY                     │ TYPE        │ ACTIVE │
├─────────────────────────┼─────────────┼────────┤
│ docker.io/alpine        │ repo_update │ true   │
│ docker.io/elasticsearch │ repo_update │ true   │
└─────────────────────────┴─────────────┴────────┘

Deleting Repositories

The del option can be used to instruct Anchore Enterprise to remove the repository from the watch list. Once the repository record has been deleted, no further changes to the repository will be detected by Anchore Enterprise.

Note: No existing image data will be removed from Anchore Enterprise.

# anchorectl repo del docker.io/alpine
 ✔ Deleted repo
No results

Unwatching Repositories

When a repository is added, Anchore Enterprise will monitor the repository for new and updated tags. This behavior can be disabled, preventing Anchore Enterprise from monitoring the repository for changes.

In this case the repo list command will show false in the ACTIVE column for this repository.


# anchorectl repo unwatch docker.io/alpine
 ✔ Unwatch repo
┌──────────────────┬─────────────┬────────┐
│ KEY              │ TYPE        │ ACTIVE │
├──────────────────┼─────────────┼────────┤
│ docker.io/alpine │ repo_update │ false  │
└──────────────────┴─────────────┴────────┘

Watching Repositories

The repo watch command instructs Anchore Enterprise to monitor a repository for new and updated tags. By default repositories added to Anchore Enterprise are automatically watched. This option is only required if a repository has been manually unwatched.


# anchorectl repo watch docker.io/alpine
 ✔ Watch repo
┌──────────────────┬─────────────┬────────┐
│ KEY              │ TYPE        │ ACTIVE │
├──────────────────┼─────────────┼────────┤
│ docker.io/alpine │ repo_update │ true   │
└──────────────────┴─────────────┴────────┘

As of v3.0, Anchore Enterprise can be configured with a size limit for images being added for analysis. This feature applies to the repo watcher. Images in a watched repository that exceed the configured maximum size will not be added, and a message will be logged in the catalog service. This feature is disabled by default; see the documentation for additional details on how it works and instructions on how to configure the limit.

Removing a Repository and All Images

There may be a time when you wish to stop a repository analysis when the analysis is running (e.g., accidentally watching an image with a large number of tags). There are several steps in the process which are outlined below. We will use docker.io/library/alpine as an example.

Note: Be careful when deleting images. In this flow, Anchore deletes the image, not just the repository/tag combo. Because of this, deletes may impact more than the expected repository since an image may have tags in multiple repositories or even registries.

Check the State

Take a look at the repository list.


anchorectl repo list
 ✔ Fetched repos
┌──────────────────┬─────────────┬────────┐
│ KEY              │ TYPE        │ ACTIVE │
├──────────────────┼─────────────┼────────┤
│ docker.io/alpine │ repo_update │ true   │
└──────────────────┴─────────────┴────────┘

Also look at the image list.


anchorectl image list | grep docker.io/alpine
 ✔ Fetched images
│ docker.io/alpine:20220328                             │ sha256:c11c38f8002da63722adb5111241f5e3c2bfe4e54c0e8f0fb7b5be15c2ddca5f │ not_analyzed │ active │
│ docker.io/alpine:3.16.0                               │ sha256:4ff3ca91275773af45cb4b0834e12b7eb47d1c18f770a0b151381cd227f4c253 │ not_analyzed │ active │
│ docker.io/alpine:20220316                             │ sha256:57031e1a3b381fba5a09d5c338f7dbeeed2260ad5100c66b2192ab521ae27fc1 │ not_analyzed │ active │
│ docker.io/alpine:3.14.5                               │ sha256:aee6c86e12b609732a30526ddfa8194e4a54dc5514c463e4c2e41f5a89a0b67a │ not_analyzed │ active │
│ docker.io/alpine:3.15.5                               │ sha256:26284c09912acfc5497b462c5da8a2cd14e01b4f3ffa876596f5289dd8eab7f2 │ not_analyzed │ active │
...
...

Removing the Repository from the Watched List

Unwatch docker.io/library/alpine to prevent future automatic updates.


# anchorectl repo unwatch docker.io/alpine
 ✔ Unwatch repo
┌──────────────────┬─────────────┬────────┐
│ KEY              │ TYPE        │ ACTIVE │
├──────────────────┼─────────────┼────────┤
│ docker.io/alpine │ repo_update │ false  │
└──────────────────┴─────────────┴────────┘

Delete the Repository

Delete the repository. This may need to be done a couple of times if the repository still shows in the repository list.


# anchorectl repo delete docker.io/alpine
 ✔ Deleted repo
No results

Forcefully Delete the Images

Delete the analyses/images. Depending on how many images there are, this may need to be run several times to remove them all.


# for i in `anchorectl -q image list | grep docker.io/alpine | awk '{print $2}'`
> do
> anchorectl image delete ${i} --force
> done
┌─────────────────────────────────────────────────────────────────────────┬──────────┐
│ DIGEST                                                                  │ STATUS   │
├─────────────────────────────────────────────────────────────────────────┼──────────┤
│ sha256:c11c38f8002da63722adb5111241f5e3c2bfe4e54c0e8f0fb7b5be15c2ddca5f │ deleting │
└─────────────────────────────────────────────────────────────────────────┴──────────┘
┌─────────────────────────────────────────────────────────────────────────┬──────────┐
│ DIGEST                                                                  │ STATUS   │
├─────────────────────────────────────────────────────────────────────────┼──────────┤
│ sha256:4ff3ca91275773af45cb4b0834e12b7eb47d1c18f770a0b151381cd227f4c253 │ deleting │
└─────────────────────────────────────────────────────────────────────────┴──────────┘
...
...
...

Verify the Repository and All Images are Deleted

Check the repository list.


# anchorectl repo list
 ✔ Fetched repos
┌─────┬──────┬────────┐
│ KEY │ TYPE │ ACTIVE │
├─────┼──────┼────────┤
└─────┴──────┴────────┘

Check the image list.


# anchorectl image list | grep docker.io/alpine
 ✔ Fetched images
<no output>
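
The whole removal flow above (check the state, unwatch, delete the repository, force-delete the images, verify) can be scripted so that the "run it a couple of times" steps repeat until the lists are actually empty. The script below is an added example and not Anchore's own tooling; it assumes anchorectl is on PATH and authenticated, that `anchorectl image list` prints the box-drawn table shown above with the tag in the first cell and the digest in the second, and the `ANCHORECTL` and `MAX_PASSES` variables are hypothetical knobs introduced here. The sample table rows embedded in it are constructed for the offline demonstration (the digests are copied from the page; the alpine-edge and 3.16 rows are made up). Because deletion is by digest, it carries the same caveat as the Note above: an image with tags in other repositories or registries is removed there too.

```shell
#!/bin/sh
# Added example, not Anchore's own code: automates the "Removing a Repository
# and All Images" flow (unwatch, delete repo, force-delete images until none
# remain, verify). Assumes anchorectl is authenticated and that `image list`
# prints the table format shown in the docs (tag in cell 1, digest in cell 2).

ANCHORECTL="${ANCHORECTL:-anchorectl}"   # hypothetical override, e.g. for a test binary
MAX_PASSES="${MAX_PASSES:-10}"           # one pass does not always delete everything

# Constructed sample of `anchorectl image list` output. Digests are from the
# docs; the alpine-edge row and the second 3.16 tag are made up to show that
# repository matching is exact and that digests are de-duplicated.
SAMPLE_IMAGE_LIST='│ docker.io/alpine:20220328    │ sha256:c11c38f8002da63722adb5111241f5e3c2bfe4e54c0e8f0fb7b5be15c2ddca5f │ not_analyzed │ active │
│ docker.io/alpine-edge:latest │ sha256:57031e1a3b381fba5a09d5c338f7dbeeed2260ad5100c66b2192ab521ae27fc1 │ analyzed     │ active │
│ docker.io/alpine:3.16.0      │ sha256:4ff3ca91275773af45cb4b0834e12b7eb47d1c18f770a0b151381cd227f4c253 │ not_analyzed │ active │
│ docker.io/alpine:3.16        │ sha256:4ff3ca91275773af45cb4b0834e12b7eb47d1c18f770a0b151381cd227f4c253 │ not_analyzed │ active │'

# Read `image list` table rows on stdin and print the unique digests of images
# whose tag belongs to repository "$1". Matching on "repo:" keeps
# docker.io/alpine from also selecting docker.io/alpine-edge; digests are
# de-duplicated because one image may carry several tags. Status lines and
# table borders contain no "│" cell separators and fall through harmlessly.
digests_for_repo() {
    awk -F'│' -v repo="$1" '
        {
            tag = $2;    gsub(/^ +| +$/, "", tag)
            digest = $3; gsub(/^ +| +$/, "", digest)
        }
        index(tag, repo ":") == 1 && digest ~ /^sha256:[0-9a-f]+$/ &&
            length(digest) == 71 && !seen[digest]++ { print digest }
    '
}

# Force-delete every image still listed for the repository, repeating until
# none remain or MAX_PASSES is reached (then fail so an operator looks at it).
purge_repo_images() {
    repo="$1"; pass=1
    while [ "$pass" -le "$MAX_PASSES" ]; do
        digests=$("$ANCHORECTL" image list | digests_for_repo "$repo")
        [ -z "$digests" ] && return 0
        for d in $digests; do
            "$ANCHORECTL" image delete "$d" --force
        done
        pass=$((pass + 1))
    done
    echo "images for $repo still present after $MAX_PASSES passes" >&2
    return 1
}

# Full flow: unwatch, delete the repository record until it stops showing up,
# purge the images, then verify both lists are clean.
remove_repo_completely() {
    repo="$1"; pass=1
    "$ANCHORECTL" repo unwatch "$repo" || return 1
    while "$ANCHORECTL" repo list | grep -Fq "$repo" && [ "$pass" -le "$MAX_PASSES" ]; do
        "$ANCHORECTL" repo delete "$repo"
        pass=$((pass + 1))
    done
    purge_repo_images "$repo" || return 1
    if "$ANCHORECTL" repo list | grep -Fq "$repo"; then
        echo "$repo is still in the repository list" >&2
        return 1
    fi
    echo "$repo and all of its images have been removed"
}

# Only touch a live deployment when a repository is named on the command line;
# with no argument the script just defines the functions above.
if [ -n "${1:-}" ]; then
    remove_repo_completely "$1"
fi
```

Run it as `sh remove_repo.sh docker.io/alpine`. The `digests_for_repo` filter is the part worth keeping even if you type the other commands by hand: `awk '{print $2}'` on the bordered table yields the tag cell, not the digest, and a plain `grep docker.io/alpine` also matches any repository whose name merely starts with that string.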

Last modified September 4, 2024