Editor’s note –This is a guest blog post by Christian Wiens from Anchore, an open container compliance platform for discovering, analyzing, and certifying container images.
Codefresh hosted a webinar featuring Anchore showing how you can integrate tools like the open-source Anchore Engine into your Codefresh pipeline to automate image scanning and policy management.
Background
Docker images bound for production should always come from a build and continuous integration tool like Codefresh. As with any CI pipeline building an artifact, it’s important to employ the proper security testing tools to ensure a higher level of confidence when deploying. In the case of Docker images, we need a mechanism for scanning and inspecting these artifacts.
Anchore is a service that conducts static analysis on container images and applies user-defined acceptable policies to allow automated container image validation and certification. This means that not only can Anchore users gain deep insight into the OS and non-OS packages contained within an image, but they have the ability to create governance around the artifact and its contents via customizable policies.
Example
In this post, we will walk through how to configure a Codefresh pipeline to build an image from a Dockerfile, conduct an Anchore scan, evaluate the scanned image against an Anchore policy, and push it to a Docker registry.
Codefresh pipelines are the core component of the Codefresh platform. These pipelines are workflows that contain user-defined steps that are all executed inside user-chosen Docker containers. These steps are defined using a codefresh.yaml file.
The Anchore scanning step takes place prior to the image being pushed to a Docker registry. Depending on the output of the policy evaluation and pipeline configuration, the image may not be pushed into the registry.
Setup
Prior to setting up our Codefresh pipeline, an Anchore Engine service needs to be accessible from the pipeline. Typically this is on port 8228. In this example, I have an Anchore Engine service on AWS EC2 with standard configuration. I also have a Dockerfile in a Github repository that I will use to build an image in the first step of the pipeline. In the final step, I will push the built image to an image repository in my personal Dockerhub via Codefresh’s built-in integration to external registries.
Typically, we advise using a staging registry and production registry. Meaning, being able to push and pull images freely from the staging/dev registry while maintaining more control over images being pushed to the production registry. In this example, Codefresh is the staging/dev registry as every image we build will automatically be stored there.
In the configuration section of the Codefresh pipeline, I’ve added the following environment variables:
If ANCHORE_FAIL_ON_POLICY is set to true, the pipeline will fail, and the image will not be pushed to the registry.
- dockerhubUsername
- dockerhubPassword
- ANCHORE_CLI_URL
- ANCHORE_CLI_USER
- ANCHORE_CLI_PASS
- ANCHORE_CLI_IMAGE
- ANCHORE_RETRIES
- ANCHORE_FAIL_ON_POLICY
You can also set these values as a shared configuration that can be reused in multiple pipelines by going to Settings -> Integrations -> Shared Configuration.
Build Image
In the first step of the pipeline, we build a sample Docker image from a Dockerfile as defined in our codefresh.yaml:
build_image: title: Building Docker Image type: build image_name: jvalance/sampledockerfiles working_directory: ./ dockerfile: Dockerfile
Conduct Anchore Scan
In the second step of the pipeline, we scan the image with Anchore as defined in our codefresh.yaml:
anchore_scan:
title: Scanning Docker Image
image: anchore/engine-cli:latest
description: Analyzing Image with Anchore...
commands:
- echo "Adding image to Anchore engine"
- anchore-cli image add ${{ANCHORE_SCAN_IMAGE}}
- echo "Waiting for image analysis to complete"
- counter=0
- while (! (anchore-cli image get ${{ANCHORE_SCAN_IMAGE}} | grep 'Status: analyzed') ) ; do echo -n "." ; sleep 10 ; if [ $counter -eq ${{ANCHORE_RETRIES}} ] ; then echo " Timeout waiting for analysis" ; exit 1 ; fi ; counter=$(($counter+1)) ; done
- echo "Analysis complete"
- if [ "${{ANCHORE_FAIL_ON_POLICY}}" == "true" ] ; then anchore-cli evaluate check ${{ANCHORE_SCAN_IMAGE}} ; fi
In the future, we plan to eliminate the need for any commands as they will be built into a Docker image.
Depending on the output of the policy evaluation, the pipeline may or may not fail. In this case, I have set ANCHORE_FAIL_ON_POLICY to true and exposed port 22. This is in violation of a policy rule, so the build will fail during this step.
Push image
In the final step of the pipeline, we push the Docker image to a registry as defined in the codefresh.yaml:
push_image:
title: Push Docker Image
description: Pushing Docker Image...
type: push
candidate: '${{build_image}}'
tag: latest
registry: docker.io
credentials:
username: '${{dockerhubUsername}}'
password: '${{dockerhubPassword}}'
If our scan fails, the image will remain stored in the Codefresh registry so we can pull it, debug it etc. If the scan doesn’t raise any red flags, the pipeline will push the image to our Dockerhub. Here we’re using the inline Docker push if you’ve added your registry under Settings -> Integration -> Docker Registry, then you can just reference the registry by name.
Conclusion
By following along with the example above, we can see how simply Anchore scanning can be configured and added to a Codefresh pipeline in order to immediately bolster the security of the built container images.
We’d recommend adjusting the policy bundles and evaluation to align with your current organization’s security and compliance requirements.
Our main documentation is located here.
More info around policy bundles, in particular, can be found here.
Additionally, we advise having clearly separated Docker registries for images that are being scanned with Anchore, and images that have passed an Anchore scan. This will allow you to keep one registry for dev/test images (thanks Codefresh registry!), and another for your certified, trusted production-ready images.
You can find and download the open source Anchore engine at anchore.com/opensource.
New to Codefresh? Create Your Free Account Today!
