SafeSCARF Anchore
What is Anchore (Container security scanner)
Anchore is a container image inspection and analysis system written in Python. It gives you control over the contents of your container images by letting you run queries, produce reports and define policies that can be enforced in your CI/CD pipelines.
It is used by organizations such as Nvidia, GitHub, eBay and GitLab.
Anchore basic features:
Snippets for Anchore
Don't forget to read the general instructions as well. This snippet uses the variable FULL_PATH, which refers to the image we would like to scan with Anchore. It is composed dynamically from BASE_PATH, IMAGE_NAME and IMAGE_TAG (all three are required because the snippet uses them to build the image reference).
```yaml
---
scan_docker_image_anchore:
  stage: test
  image: registry.safescarf.pan-net.cloud/anchore-inline-scan:latest
  services:
    # The same image is started as a service and reached via the alias below.
    - name: registry.safescarf.pan-net.cloud/anchore-inline-scan:latest
      alias: anchore-engine
      command: ["start"]
  variables:
    SAFESCARF_HOST: "customer.safescarf.pan-net.cloud"
    SAFESCARF_ENG_ID: "xx"
    BASE_PATH: customer.docker.registry.foo/bar
    IMAGE_NAME: vulnerable-image
    IMAGE_TAG: latest
    # Image reference to scan, built from the three variables above.
    FULL_PATH: $BASE_PATH/$IMAGE_NAME:$IMAGE_TAG
    # Points anchore-cli at the engine service started above.
    ANCHORE_CLI_URL: "http://anchore-engine:8228/v1"
    REPORT: anchore-reports/${IMAGE_NAME}_${IMAGE_TAG}-vuln.json
  script:
    # Wait until the engine service is ready before submitting the image.
    - anchore-cli system wait
    - anchore_ci_tools.py --analyze --report --timeout 600 --type vuln --image $FULL_PATH
    # If a report was produced, upload it; otherwise upload the empty report.
    - "[ ! -f $REPORT ] || ci-connector upload-scan --scanner 'Anchore Engine Scan' -e $SAFESCARF_ENG_ID -f $REPORT"
    - "[ -f $REPORT ] || ci-connector upload-scan --scanner 'Anchore Engine Scan' -e $SAFESCARF_ENG_ID -f /empty_report.json"
```
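The two pieces of shell logic the snippet relies on, building FULL_PATH from its three inputs and deciding which report file to hand to `ci-connector upload-scan`, as an added example that is not part of the SafeSCARF snippet or the Anchore project. The function names, the input validation and the sample values are assumptions made for illustration; only the `/empty_report.json` path and the variable names come from the snippet above.

```bash
#!/bin/sh
# Added example (not SafeSCARF's own code). Function names are hypothetical.

# Compose the image reference the way the snippet's FULL_PATH does, but
# refuse to produce a broken reference (e.g. "registry/bar/:latest") when
# one of the three required inputs is unset or empty.
build_full_path() {
  base_path="$1"; image_name="$2"; image_tag="$3"
  for v in "$base_path" "$image_name" "$image_tag"; do
    if [ -z "$v" ]; then
      echo "build_full_path: BASE_PATH, IMAGE_NAME and IMAGE_TAG are all required" >&2
      return 1
    fi
  done
  printf '%s/%s:%s\n' "$base_path" "$image_name" "$image_tag"
}

# Mirror the snippet's two guarded upload lines: use the real report when the
# scan produced one, otherwise fall back to the empty report. Unlike the
# snippet's "-f" test, "-s" also treats a zero-byte report as missing, since
# an empty file is not a valid JSON report anyway.
# Prints the path that would be passed to "ci-connector upload-scan -f".
select_report() {
  report="$1"; empty_report="${2:-/empty_report.json}"
  if [ -s "$report" ]; then
    echo "$report"
  else
    echo "$empty_report"
  fi
}

# Constructed sample run with the values used in the snippet above.
if [ "${1:-}" = "--demo" ]; then
  full_path=$(build_full_path customer.docker.registry.foo/bar vulnerable-image latest) || exit 1
  echo "would scan: $full_path"
  echo "would upload: $(select_report anchore-reports/vulnerable-image_latest-vuln.json)"
fi
```

Keep in mind that the fallback uploads `/empty_report.json` whenever no report file exists, so a scan that timed out or never analyzed the image is uploaded exactly like a clean scan. Check the job log for the result of `anchore_ci_tools.py` rather than relying on the uploaded report alone.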