azsvcacc/container_security

Container Images Scanning using Anchore Engine

Scanning alpine and distroless images

Start Minikube cluster

minikube start --driver=virtualbox (or)
minikube start --cpus=4 --memory=4096 --driver=virtualbox

Anchore Engine links

https://github.com/anchore/
https://github.com/anchore/anchore-engine
https://github.com/anchore/anchore-cli

Distroless Images

https://github.com/GoogleContainerTools/distroless
https://github.com/GoogleContainerTools/jib
https://github.com/GoogleContainerTools/distroless/blob/main/examples/java/Dockerfile

Docker compose download link

https://github.com/docker/compose/releases

Installing Anchore CLI

apt-get install python3-pip -y
pip install anchorecli
anchore-cli --help

Installing Anchore engine

curl https://engine.anchore.io/docs/quickstart/docker-compose.yaml > docker-compose.yaml
docker-compose up -d
docker-compose ps
docker-compose exec api anchore-cli system status

Using Anchore CLI

minikube ip
192.168.99.133

curl http://192.168.99.133:8228/v1
"v1"

anchore-cli --u admin --p foobar --url http://192.168.99.133:8228/v1 system status
"Unauthorized"

export ANCHORE_CLI_URL=http://192.168.99.133:8228/v1
export ANCHORE_CLI_USER=admin
export ANCHORE_CLI_PASS=foobar

anchore-cli image add kunchalavikram/maven-single
anchore-cli image list
anchore-cli image wait kunchalavikram/maven-single
anchore-cli image vuln kunchalavikram/maven-single os
anchore-cli evaluate check kunchalavikram/maven-single --detail

Scanning Maven Images

anchore-cli image add kunchalavikram/maven-single
anchore-cli image add kunchalavikram/maven-alpine
anchore-cli image add kunchalavikram/maven-ms
anchore-cli image add kunchalavikram/maven-distroless

anchore-cli image wait kunchalavikram/maven-single
anchore-cli image wait kunchalavikram/maven-alpine
anchore-cli image wait kunchalavikram/maven-ms
anchore-cli image wait kunchalavikram/maven-distroless

anchore-cli image vuln kunchalavikram/maven-single os
anchore-cli image vuln kunchalavikram/maven-alpine os
anchore-cli image vuln kunchalavikram/maven-ms os
anchore-cli image vuln kunchalavikram/maven-distroless os

anchore-cli evaluate check kunchalavikram/maven-single
anchore-cli evaluate check kunchalavikram/maven-alpine
anchore-cli evaluate check kunchalavikram/maven-ms
anchore-cli evaluate check kunchalavikram/maven-distroless

Note: Use --detail for extended info
anchore-cli evaluate check kunchalavikram/maven-distroless --detail

Scanning NodeJS Images

anchore-cli image add kunchalavikram/node-single
anchore-cli image add kunchalavikram/node-alpine
anchore-cli image add kunchalavikram/node-ms
anchore-cli image add kunchalavikram/node-distroless

anchore-cli image wait kunchalavikram/node-single
anchore-cli image wait kunchalavikram/node-alpine
anchore-cli image wait kunchalavikram/node-ms
anchore-cli image wait kunchalavikram/node-distroless

anchore-cli image vuln kunchalavikram/node-single os
anchore-cli image vuln kunchalavikram/node-alpine os
anchore-cli image vuln kunchalavikram/node-ms os
anchore-cli image vuln kunchalavikram/node-distroless os

anchore-cli evaluate check kunchalavikram/node-single
anchore-cli evaluate check kunchalavikram/node-alpine
anchore-cli evaluate check kunchalavikram/node-ms
anchore-cli evaluate check kunchalavikram/node-distroless

Note: Use --detail for extended info
anchore-cli evaluate check kunchalavikram/node-distroless --detail

Scanning standard images

anchore-cli image add python
anchore-cli image add python:3-slim-buster
anchore-cli image add node:8
anchore-cli image add gcr.io/distroless/nodejs
anchore-cli image add openjdk:11-jdk-slim
anchore-cli image add gcr.io/distroless/java:11
  
anchore-cli image vuln python
anchore-cli image vuln python:3-slim-buster
anchore-cli image vuln node:8
anchore-cli image vuln gcr.io/distroless/nodejs
anchore-cli image vuln openjdk:11-jdk-slim
anchore-cli image vuln gcr.io/distroless/java:11

anchore-cli evaluate check python
anchore-cli evaluate check python:3-slim-buster
anchore-cli evaluate check node:8
anchore-cli evaluate check gcr.io/distroless/nodejs
anchore-cli evaluate check openjdk:11-jdk-slim
anchore-cli evaluate check gcr.io/distroless/java:11
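The add / wait / vuln / evaluate sequence repeated above for the Maven, NodeJS and standard images is exactly what a CI stage should run before an image is promoted. The script below is an added example, not code from this repository: it wraps that sequence into a gate that exits non-zero when the Anchore policy evaluation fails or when the OS vulnerability table exceeds a budget. It assumes ANCHORE_CLI_URL, ANCHORE_CLI_USER and ANCHORE_CLI_PASS are exported as shown earlier, that `anchore-cli evaluate check` exits non-zero on a "fail" verdict, and that the `image vuln IMAGE os` table is whitespace-separated with Severity in the third column; the names count_by_severity, over_budget, gate_image and MAX_HIGH are my own.

```shell
#!/bin/sh
# Added example (not part of the azsvcacc/container_security repo): a small
# CI gate around the anchore-cli add/wait/vuln/evaluate sequence.
# Assumes ANCHORE_CLI_URL, ANCHORE_CLI_USER and ANCHORE_CLI_PASS are exported
# exactly as in the README, and that `anchore-cli evaluate check` exits
# non-zero when the policy result is "fail".

# count_by_severity SEVERITY < table
# Counts data rows of `anchore-cli image vuln IMAGE os` whose Severity column
# equals SEVERITY. Assumption: whitespace-separated table, first line is the
# header, Severity is the third column (after Vulnerability ID and Package).
count_by_severity() {
  awk -v sev="$1" 'NR > 1 && $3 == sev { n++ } END { print n + 0 }'
}

# over_budget HIGH CRITICAL MAX_HIGH
# Returns 0 (true) when the image must be rejected: any Critical finding, or
# more High findings than MAX_HIGH allows.
over_budget() {
  [ "$2" -gt 0 ] || [ "$1" -gt "$3" ]
}

# gate_image IMAGE [MAX_HIGH]
# Runs the README sequence for one image and returns non-zero if the image
# should not be promoted.
gate_image() {
  image=$1
  max_high=${2:-0}

  anchore-cli image add "$image" >/dev/null || return 1
  anchore-cli image wait "$image" >/dev/null || return 1

  # Policy evaluation: the CLI exit status carries the pass/fail verdict.
  if ! anchore-cli evaluate check "$image" >/dev/null; then
    echo "FAIL  $image: policy evaluation failed (re-run with --detail to see the gates)"
    return 1
  fi

  vulns=$(anchore-cli image vuln "$image" os)
  high=$(printf '%s\n' "$vulns" | count_by_severity High)
  crit=$(printf '%s\n' "$vulns" | count_by_severity Critical)

  if over_budget "$high" "$crit" "$max_high"; then
    echo "FAIL  $image: $crit Critical, $high High OS vulns (budget: High <= $max_high, Critical = 0)"
    return 1
  fi
  echo "PASS  $image: $crit Critical, $high High OS vulns"
}

# main IMAGE... : gate every image given on the command line; exit 1 if any
# image fails, so a Jenkins stage can use the exit status directly.
main() {
  rc=0
  for img in "$@"; do
    gate_image "$img" "${MAX_HIGH:-0}" || rc=1
  done
  return $rc
}

if [ $# -gt 0 ]; then
  main "$@"
fi
```

Usage: `MAX_HIGH=0 ./anchore-gate.sh kunchalavikram/maven-single kunchalavikram/maven-distroless`. The severity budget is deliberately applied on top of the policy verdict: the default policy bundle decides what a "fail" is, while the budget lets a team tighten the bar per pipeline without editing the bundle.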

Alpine vs Distroless Scanning (Absence of shell)

docker run -d -it --name node node:8
docker exec -it node bash
root@7c0948de6e1e:/#

docker rm -f node   # the name "node" is reused below, so remove the node:8 container first
docker run -d -it --name node gcr.io/distroless/nodejs:16
docker exec -it node bash
OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "bash": executable file not found in $PATH: unknown

docker exec -it node sh
OCI runtime exec failed: exec failed: container_linux.go:380: starting container process caused: exec: "sh": executable file not found in $PATH: unknown
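The exec attempts above prove the point interactively. For a build pipeline it is more useful to verify the same property from the image filesystem, without starting a container at all, so that a "no shell in production images" rule can be enforced before the push. The script below is an added example, not code from this repository; it assumes the docker CLI is on PATH and uses only the standard `docker create`, `docker export` and `docker rm` subcommands. The shell-name pattern in find_shells is a constructed, non-exhaustive list, and the function names are my own.

```shell
#!/bin/sh
# Added example (not part of the azsvcacc/container_security repo): check
# whether an image ships a shell binary, offline, from its exported filesystem.
# Assumes the docker CLI is available; no process is started inside the image.

# find_shells < file-list
# Reads a newline-separated list of paths (as produced by `tar -t`) and prints
# every entry that is a well-known shell binary. Prints nothing for a
# shell-free image. Constructed, non-exhaustive candidate list.
find_shells() {
  grep -E '^(\./)?(usr/(local/)?)?s?bin/(sh|ash|bash|dash|zsh|ksh|busybox)$' || true
}

# image_has_shell IMAGE
# Creates (but never starts) a container so its filesystem can be exported,
# lists the archive, and returns 0 if a shell binary is present.
# A dummy command is passed so images without CMD/ENTRYPOINT can still be created.
image_has_shell() {
  image=$1
  cid=$(docker create "$image" /bin/true) || return 2
  shells=$(docker export "$cid" | tar -t | find_shells)
  docker rm "$cid" >/dev/null
  if [ -n "$shells" ]; then
    printf 'SHELL  %s ships:\n%s\n' "$image" "$shells"
    return 0
  fi
  printf 'OK     %s has no shell binary\n' "$image"
  return 1
}

# Usage: ./has-shell.sh node:8 gcr.io/distroless/nodejs:16
if [ $# -gt 0 ]; then
  for img in "$@"; do image_has_shell "$img"; done
fi
```

Run against the two images from the section above, node:8 should be reported with bin/sh and bin/bash while the distroless image reports OK. Because the check reads the layer contents rather than trying to exec, it also catches the common regression of a "distroless" image that was rebuilt on a base with busybox.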

Jenkins Service Path (Next Video)

kubectl patch svc jenkins -p '{"spec": {"type": "NodePort"}}' -n jenkins

Authors

# use this
anchore-cli --u admin --p foobar image add docker.io/library/openjdk:8-jre-alpine

After the image is downloaded, Anchore CLI will begin the process of analyzing the image. This will take some time. If you issue the commands:

anchore-cli --u admin --p foobar image list
anchore-cli --u admin --p foobar image vuln docker.io/library/openjdk:8-jre-alpine all
anchore-cli --u admin --p foobar evaluate check docker.io/library/debian:latest --detail

You can even subscribe to receive notifications when new CVEs are added to an update with the command:

anchore-cli --u admin --p foobar subscription activate vuln_update docker.io/library/debian:latest

https://thenewstack.io/anchore-scan-your-container-images-for-vulnerabilities-from-the-command-line/
