Introduction:
Anchore provides an open-source container security and compliance solution that helps scan container images for vulnerabilities and misconfigurations. In this guide, we’ll walk you through setting up Anchore Engine using Docker Compose. This setup allows you to analyze your Docker images and ensure their security before pushing them to production.
Prerequisites:
Before we start, ensure you have the following installed on your machine:
- Docker
- Docker Compose
Step 1: Clone the Anchore Docker Compose Repository
First, you’ll need to clone the Anchore Engine’s official Docker Compose repository. Open your terminal and run the following command:
git clone https://github.com/anchore/anchore-engine.git
cd anchore-engine
This repository contains all the necessary files to run Anchore with Docker Compose.
Step 2: Modify the docker-compose.yaml
Open the compose file that ships with the repository and review it:
sudo nano docker-compose.yaml
The file below uses development defaults (ANCHORE_ADMIN_PASSWORD=foobar, ANCHORE_DB_PASSWORD and POSTGRES_PASSWORD=mysecretpassword). Change them before running the stack anywhere other than a throwaway machine, because the API service is published on port 8228 of the host.
# This is a docker-compose file for development purposes. It references unstable developer builds from the HEAD of master branch in https://github.com/anchore/anchore-engine
# For a compose file intended for use with a released version, see https://engine.anchore.io/docs/quickstart/
#
---
version: '2.1'
volumes:
  anchore-db-volume:
    # Set this to 'true' to use an external volume. In which case, it must be created manually with "docker volume create anchore-db-volume"
    external: false

services:
  # The primary API endpoint service
  api:
    image: anchore/anchore-engine:v1.0.0
    depends_on:
      - db
      - catalog
    ports:
      - "8228:8228"
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_API=True
      - ANCHORE_ENDPOINT_HOSTNAME=api
      - ANCHORE_ADMIN_PASSWORD=foobar
      - ANCHORE_DB_HOST=db
      - ANCHORE_DB_PASSWORD=mysecretpassword
    command: ["anchore-manager", "service", "start", "apiext"]

  # Catalog is the primary persistence and state manager of the system
  catalog:
    image: anchore/anchore-engine:v1.0.0
    depends_on:
      - db
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    expose:
      - 8228
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=catalog
      - ANCHORE_ADMIN_PASSWORD=foobar
      - ANCHORE_DB_HOST=db
      - ANCHORE_DB_PASSWORD=mysecretpassword
    command: ["anchore-manager", "service", "start", "catalog"]

  queue:
    image: anchore/anchore-engine:v1.0.0
    depends_on:
      - db
      - catalog
    expose:
      - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=queue
      - ANCHORE_ADMIN_PASSWORD=foobar
      - ANCHORE_DB_HOST=db
      - ANCHORE_DB_PASSWORD=mysecretpassword
    command: ["anchore-manager", "service", "start", "simplequeue"]

  policy-engine:
    image: anchore/anchore-engine:v1.0.0
    depends_on:
      - db
      - catalog
    expose:
      - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=policy-engine
      - ANCHORE_ADMIN_PASSWORD=foobar
      - ANCHORE_DB_HOST=db
      - ANCHORE_DB_PASSWORD=mysecretpassword
      - ANCHORE_VULNERABILITIES_PROVIDER=grype
    command: ["anchore-manager", "service", "start", "policy_engine"]

  analyzer:
    image: anchore/anchore-engine:v1.0.0
    depends_on:
      - db
      - catalog
    expose:
      - 8228
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    environment:
      - ANCHORE_ENDPOINT_HOSTNAME=analyzer
      - ANCHORE_ADMIN_PASSWORD=foobar
      - ANCHORE_DB_HOST=db
      - ANCHORE_DB_PASSWORD=mysecretpassword
    volumes:
      - /analysis_scratch
    command: ["anchore-manager", "service", "start", "analyzer"]

  db:
    image: "postgres:9"
    volumes:
      - anchore-db-volume:/var/lib/postgresql/data
    environment:
      - POSTGRES_PASSWORD=mysecretpassword
    expose:
      - 5432
    logging:
      driver: "json-file"
      options:
        max-size: 100m
    healthcheck:
      test: ["CMD-SHELL", "pg_isready -U postgres"]
Step 3: Launch Anchore Engine Using Docker Compose
docker-compose up -d
You can check if the containers are up and running by using:
docker-compose ps
Step 4: Verify Anchore Engine Setup
Anchore Engine should now be running on your local machine. You can verify its status by using the following command:
curl http://localhost:8228/v1/health
Steps to Scan an Image Locally:
Install Anchore CLI: If you haven’t installed the Anchore CLI, you can install it by using the following command:
pip install anchorecli
Set Anchore CLI configuration: You need to configure the Anchore CLI to connect to the Anchore Engine API. Set the environment variables for the Anchore Engine API URL, username, and password.
export ANCHORE_CLI_URL=http://localhost:8228/v1
export ANCHORE_CLI_USER=admin # replace with your username
export ANCHORE_CLI_PASS=foobar # replace with your password
Add the testhello Image to Anchore: Use the following command to add your testhello Docker image for scanning. If the image is stored locally or on DockerHub, use the correct tag (e.g., testhello:latest):
anchore-cli image add testhello:latest
Wait for the Image Analysis to Complete: The analysis may take a little while. You can check its progress or wait for completion with:
anchore-cli image wait testhello:latest
Scan for Vulnerabilities: Once the analysis is complete, scan the image for vulnerabilities with:
anchore-cli image vuln testhello:latest all
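The add, wait and vuln steps above are usually chained into a single gate that fails a build when the scan reports findings above a chosen severity. The script below is an added example, not code from the original post or from Anchore; it assumes anchore-cli is installed and the ANCHORE_CLI_URL/USER/PASS variables from the previous step are exported, and the sample report embedded in it is constructed with placeholder ids.

```shell
#!/bin/sh
# Added example, not from the original post: gate a CI build on the result of
# `anchore-cli image vuln IMAGE all`. Assumes the CLI is installed and the
# ANCHORE_CLI_URL/USER/PASS variables from the tutorial are exported.

# Map an Anchore severity label to a rank; unrecognised labels rank 0.
severity_rank() {
  case "$1" in
    Critical) echo 5 ;;  High) echo 4 ;;  Medium) echo 3 ;;
    Low) echo 2 ;;  Negligible) echo 1 ;;  *) echo 0 ;;
  esac
}

# Read the anchore-cli vulnerability table on stdin and print how many rows
# have a Severity (third column) at or above the threshold given as $1.
count_findings() {
  min=$(severity_rank "$1")
  count=0
  while read -r vuln_id pkg sev rest; do
    if [ -z "$vuln_id" ] || [ "$vuln_id" = "Vulnerability" ]; then
      continue  # blank line or the header row
    fi
    if [ "$(severity_rank "$sev")" -ge "$min" ]; then
      count=$((count + 1))
    fi
  done
  echo "$count"
}

# Add the image, wait for analysis, then exit 1 on findings at or above the
# threshold (default High); returns 2 if the CLI or engine itself fails.
gate_image() {
  image=$1; threshold=${2:-High}
  anchore-cli image add "$image" >/dev/null || return 2
  anchore-cli image wait "$image" >/dev/null || return 2
  report=$(anchore-cli image vuln "$image" all) || return 2
  n=$(printf '%s\n' "$report" | count_findings "$threshold")
  echo "$image: $n finding(s) at or above $threshold"
  [ "$n" -eq 0 ]
}

# Constructed sample in anchore-cli's table layout; ids and versions are placeholders.
SAMPLE_REPORT='Vulnerability ID  Package             Severity  Fix    CVE Refs  Vulnerability URL          Type  Feed Group  Package Path
CVE-XXXX-0001     libexample-1.0.0-1  High      1.0.1  None      https://example.invalid/1  dpkg  debian:11   pkgdb
CVE-XXXX-0002     exampletool-2.3-4   Low       None   None      https://example.invalid/2  dpkg  debian:11   pkgdb
CVE-XXXX-0003     libother-0.9-2      Critical  None   None      https://example.invalid/3  dpkg  debian:11   pkgdb
CVE-XXXX-0004     libfoo-3.1.0-1      Medium    3.1.1  None      https://example.invalid/4  dpkg  debian:11   pkgdb'

# Usage: sh gate.sh testhello:latest High   (no arguments: only define the functions)
if [ "$#" -ge 1 ]; then gate_image "$1" "$2"; fi
```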