SafeSCARF Anchore

What is Anchore (Container security scanner)

Anchore is a container inspection and analysis system written in Python. It gives you control over the contents of your container images by letting you run queries, produce reports and define policies that can be enforced in your CI/CD pipelines.

It is trusted by leading organizations such as Nvidia, GitHub, eBay and GitLab.

Anchore basic features:

Snippets for Anchore

Don't forget to read the general instructions as well. This snippet uses the variable FULL_PATH, which refers to the image that Anchore should scan. It is built dynamically from BASE_PATH, IMAGE_NAME and IMAGE_TAG, so all three are required: the snippet uses them to derive FULL_PATH and the report file name.

---
scan_docker_image_anchore:
  stage: test
  image: registry.safescarf.in.pan-net.eu/anchore-inline-scan:latest
  # Anchore Engine runs as a service container next to the job and is
  # reachable under the alias used in ANCHORE_CLI_URL below.
  services:
    - name: registry.safescarf.in.pan-net.eu/anchore-inline-scan:latest
      alias: anchore-engine
      command: ["start"]
  variables:
    SAFESCARF_HOST: "customer.safescarf.pan-net.cloud"
    SAFESCARF_ENG_ID: "xx"                       # SafeSCARF engagement id to upload into
    BASE_PATH: customer.docker.registry.foo/bar
    IMAGE_NAME: vulnerable-image
    IMAGE_TAG: latest
    FULL_PATH: $BASE_PATH/$IMAGE_NAME:$IMAGE_TAG  # image to scan, derived from the three above
    ANCHORE_CLI_URL: "http://anchore-engine:8228/v1"
    REPORT: anchore-reports/${IMAGE_NAME}_${IMAGE_TAG}-vuln.json
  script:
    # Block until the engine service is ready to accept requests.
    - anchore-cli system wait
    # Analyze the image and write the vulnerability report to $REPORT.
    - anchore_ci_tools.py --analyze --report --timeout 600 --type vuln --image $FULL_PATH
    # Upload the report if the scan produced one; otherwise upload the
    # empty report so the engagement still receives a result.
    - "[ ! -f $REPORT ] || ci-connector upload-scan --scanner 'Anchore Engine Scan' -e $SAFESCARF_ENG_ID -f $REPORT"
    - "[ -f $REPORT ] || ci-connector upload-scan --scanner 'Anchore Engine Scan' -e $SAFESCARF_ENG_ID -f /empty_report.json"
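The snippet above only ships the report to SafeSCARF; a team usually also wants the job itself to fail on serious findings. The following is an added example, not part of the SafeSCARF snippet or of Anchore, that reads the `*-vuln.json` report written by `anchore_ci_tools.py` and decides whether to fail. It assumes the anchore-cli vulnerability JSON layout (`vulnerabilities` list with `vuln`, `severity`, `package`, `fix` fields); the sample report is constructed.

```python
"""Gate a CI job on the Anchore vulnerability report (added example)."""
import json
from collections import Counter

# Constructed sample shaped like anchore-reports/<image>_<tag>-vuln.json.
# CVE ids and package names are placeholders, not real findings.
SAMPLE_REPORT = json.dumps({
    "imageDigest": "sha256:<placeholder>",
    "vulnerability_type": "all",
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "severity": "High", "package": "libfoo-1.0",
         "fix": "1.0.1", "url": "https://example.invalid/CVE-0000-0001"},
        {"vuln": "CVE-0000-0002", "severity": "Medium", "package": "bar-2.3",
         "fix": "None", "url": "https://example.invalid/CVE-0000-0002"},
        {"vuln": "CVE-0000-0003", "severity": "Negligible", "package": "baz-0.9",
         "fix": "None", "url": "https://example.invalid/CVE-0000-0003"},
    ],
})

# Anchore severity labels, least to most severe (assumed ordering).
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]


def _rank(severity):
    """Map a severity label to its position; unknown labels rank lowest."""
    return SEVERITY_ORDER.index(severity) if severity in SEVERITY_ORDER else 0


def _findings(report_json):
    """Vulnerability entries; an empty report (no findings) yields []."""
    return json.loads(report_json).get("vulnerabilities", [])


def summarize(report_json):
    """Count findings per severity label, for the job log."""
    return Counter(v.get("severity", "Unknown") for v in _findings(report_json))


def fixable_at_or_above(report_json, threshold):
    """Sorted CVE ids at/above threshold that already have a fix available."""
    return sorted(v["vuln"] for v in _findings(report_json)
                  if _rank(v.get("severity")) >= _rank(threshold)
                  and v.get("fix", "None") != "None")


def should_fail(report_json, threshold="High"):
    """True when any finding is at or above the severity threshold."""
    return any(_rank(v.get("severity")) >= _rank(threshold) for v in _findings(report_json))


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_REPORT)), fixable_at_or_above(SAMPLE_REPORT, "Medium"))
    raise SystemExit(1 if should_fail(SAMPLE_REPORT, "High") else 0)
```

Run it as an extra `script:` step after the report is written, pointing it at `$REPORT`, so a High or Critical finding fails the job while the upload to SafeSCARF still happens.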