Docker Security with Anchore


This article covers Docker image security: how to detect security vulnerabilities in images before they reach production, how to automate that detection by integrating a vulnerability scanning tool into the pipeline, and how to fix the reported vulnerabilities by modifying Dockerfiles.

Why is Docker security important?

Images can carry vulnerable OS and non-OS packages; scanning them ensures that insecure and non-compliant images are not promoted into trusted production registries.

About the Anchore Engine security tool:

How to check security vulnerabilities with Anchore?

  • Install Anchore Engine.
  • Add your Docker image to Anchore Engine to scan it and generate a security vulnerability report.
  • Fix any vulnerabilities listed in the Anchore report, re-scan the image in Anchore Engine and verify the security report again.


Step-by-step installation doc for Anchore:

Before starting the Anchore installation, you should have a basic understanding of Docker and docker-compose.

# mkdir ~/aevolume
# mkdir ~/aevolume/config
# mkdir ~/aevolume/db
# cd ~/aevolume

Download the docker-compose.yaml file (click here) to / and copy it to the path below:

# cp /docker-compose.yaml ~/aevolume/docker-compose.yaml

Download config.yaml (click here) and copy it to the path below:

# cp /config.yaml ~/aevolume/config/config.yaml

# cd ~/aevolume

# docker-compose pull

# docker-compose up -d

# docker-compose ps

Useful Anchore CLI commands:

The first time you run anchore-engine, it takes some time to perform its initial data feed sync (downloading the vulnerability data). Check the feed status with:

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar system feeds list

Add an image to scan:

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image add docker.io/library/debian:7

Check the analysis status:

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image get docker.io/library/debian:7 | grep 'Analysis Status'

List all vulnerabilities found in the image:

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar image vuln docker.io/library/debian:7 all

Check whether the image passes or fails the policy evaluation:

# docker-compose exec anchore-engine anchore-cli --u admin --p foobar evaluate check docker.io/library/debian:7
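A CI gate script that strings the commands above together (added example, not from the original post): it adds the image, polls "Analysis Status" until analysis finishes, prints the vulnerability report, and exits non-zero unless the policy evaluation reports pass. The compose service name anchore-engine, the admin/foobar credentials and the "Key: value" line format of anchore-cli output are assumptions taken from the commands shown.

```shell
#!/bin/sh
# Added example (not the post's own script): a CI gate around the anchore-cli
# commands above: add image, wait for analysis, print the vuln report, fail
# the build unless the policy verdict is "pass". Assumed: compose service name
# "anchore-engine", admin/foobar credentials from the post, and anchore-cli's
# "Key: value" output lines ("Analysis Status: analyzed", "Status: pass|fail").
ANCHORE_USER="${ANCHORE_USER:-admin}"
ANCHORE_PASS="${ANCHORE_PASS:-foobar}"
# Run anchore-cli inside the compose service (-T: no tty, needed in CI jobs).
acli() {
    docker-compose exec -T anchore-engine anchore-cli \
        --u "$ANCHORE_USER" --p "$ANCHORE_PASS" "$@"
}

# Print the value of the first "Key: value" line whose key is $1 (stdin).
field() {
    sed -n "s/^$1:[[:space:]]*//p" | head -n 1
}

# Map an "Analysis Status" value to a gate state: done, failed or running.
analysis_state() {
    case "$1" in
        analyzed)        echo done ;;
        analysis_failed) echo failed ;;
        *)               echo running ;;   # not_analyzed, analyzing, empty
    esac
}

# Verdict from "evaluate check" output on stdin: pass, or fail (fail closed).
policy_verdict() {
    [ "$(field Status)" = pass ] && echo pass || echo fail
}

# add -> poll (up to $2 seconds, default 1800) -> vuln report -> policy gate.
scan_gate() {
    image="$1"; timeout="${2:-1800}"; waited=0
    acli image add "$image" >/dev/null || return 1
    while :; do
        state=$(analysis_state "$(acli image get "$image" | field 'Analysis Status')")
        [ "$state" = done ] && break
        [ "$state" = failed ] && { echo "analysis failed: $image" >&2; return 1; }
        [ "$waited" -ge "$timeout" ] && { echo "timed out: $image" >&2; return 1; }
        sleep 10; waited=$((waited + 10))
    done
    acli image vuln "$image" all                    # full report for the build log
    verdict=$(acli evaluate check "$image" | policy_verdict)
    echo "policy verdict for $image: $verdict"
    [ "$verdict" = pass ]
}
if [ $# -gt 0 ]; then scan_gate "$@"; fi
```

Run it as `sh gate.sh docker.io/library/debian:7 1800` from the ~/aevolume directory so docker-compose finds the compose file; a non-zero exit fails the pipeline stage.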

Jenkins integration and plugins for Docker security vulnerabilities:

You can also integrate Anchore into your CI/CD pipeline by adding the Anchore plugin to your Jenkins setup. Add the Anchore setup details and credentials in the Jenkins admin configuration.

Pipeline code :

Add the pipeline code below to your pipeline in a new stage named "anchore-scan" and verify your builds:

writeFile file: 'anchore_images', text: env.DOCKER_IMAGE

anchore name: 'anchore_images', bailOnFail: false, engineRetries: '1800'

Mahesh Wabale
