Schedule a FREE onboarding and start making pipelines fast.

Adding Anchore Container Image Scanning to Your Codefresh Pipelines

Security-Testing | November 20, 2018

Editor’s note –This is a guest blog post by Christian Wiens from Anchore, an open container compliance platform for discovering, analyzing, and certifying container images.

Codefresh and Anchore will be hosting a webinar on how you can integrate tools like the open-source Anchore Engine into your Codefresh pipeline to automate image scanning and policy management. RSVP here.


Background

Docker images bound for production should always come from a build and continuous integration tool like Codefresh. As with any CI pipeline building an artifact, it’s important to employ the proper security testing tools to ensure a higher level of confidence when deploying. In the case of Docker images, we need a mechanism for scanning and inspecting these artifacts.

Anchore is a service that conducts static analysis on container images and applies user-defined acceptable policies to allow automated container image validation and certification. This means that not only can Anchore users gain deep insight into the OS and non-OS packages contained within an image, but they have the ability to create governance around the artifact and its contents via customizable policies.

Example

In this post, we will walk through how to configure a Codefresh pipeline to build an image from a Dockerfile, conduct an Anchore scan, evaluate the scanned image against an Anchore policy, and push it to a Docker registry.

Codefresh pipelines are the core component of the Codefresh platform. These pipelines are workflows that contain user-defined steps that are all executed inside user-chosen Docker containers. These steps are defined using a codefresh.yaml file.

The Anchore scanning step takes place prior to the image being pushed to a Docker registry. Depending on the output of the policy evaluation and pipeline configuration, the image may not be pushed into the registry.

Setup

Prior to setting up our Codefresh pipeline, an Anchore Engine service needs to be accessible from the pipeline. Typically this is on port 8228. In this example, I have an Anchore Engine service on AWS EC2 with standard configuration. I also have a Dockerfile in a Github repository that I will use to build an image in the first step of the pipeline. In the final step, I will push the built image to an image repository in my personal Dockerhub via Codefresh’s built-in integration to external registries.

Typically, we advise using a staging registry and production registry. Meaning, being able to push and pull images freely from the staging/dev registry while maintaining more control over images being pushed to the production registry. In this example, Codefresh is the staging/dev registry as every image we build will automatically be stored there.

In the configuration section of the Codefresh pipeline, I’ve added the following environment variables:

If ANCHORE_FAIL_ON_POLICY is set to true, the pipeline will fail, and the image will not be pushed to the registry.

  • dockerhubUsername
  • dockerhubPassword
  • ANCHORE_CLI_URL
  • ANCHORE_CLI_USER
  • ANCHORE_CLI_PASS
  • ANCHORE_CLI_IMAGE
  • ANCHORE_RETRIES
  • ANCHORE_FAIL_ON_POLICY

You can also set these values as a shared configuration that can be reused in multiple pipelines by going to Settings -> Integrations -> Shared Configuration.

Build Image

In the first step of the pipeline, we build a sample Docker image from a Dockerfile as defined in our codefresh.yaml:


Conduct Anchore Scan

In the second step of the pipeline, we scan the image with Anchore as defined in our codefresh.yaml:


In the future, we plan to eliminate the need for any commands as they will be built into a Docker image.

Depending on the output of the policy evaluation, the pipeline may or may not fail. In this case, I have set ANCHORE_FAIL_ON_POLICY to true and exposed port 22. This is in violation of a policy rule, so the build will fail during this step.

Push image

In the final step of the pipeline, we push the Docker image to a registry as defined in the codefresh.yaml:

If our scan fails, the image will remain stored in the Codefresh registry so we can pull it, debug it etc. If the scan doesn’t raise any red flags, the pipeline will push the image to our Dockerhub. Here we’re using the inline Docker push if you’ve added your registry under Settings -> Integration -> Docker Registry, then you can just reference the registry by name.

Conclusion

By following along with the example above, we can see how simply Anchore scanning can be configured and added to a Codefresh pipeline in order to immediately bolster the security of the built container images.

We’d recommend adjusting the policy bundles and evaluation to align with your current organization’s security and compliance requirements.

Our main documentation is located here.

More info around policy bundles, in particular, can be found here.

Additionally, we advise having clearly separated Docker registries for images that are being scanned with Anchore, and images that have passed an Anchore scan. This will allow you to keep one registry for dev/test images (thanks Codefresh registry!), and another for your certified, trusted production-ready images.

You can find and download the open source Anchore engine at anchore.com/opensource.

New to Codefresh? Create Your Free Account Today!

About Dan Garfield

Dan is a full-stack web developer and VP of the Marketing at Codefresh. Dan is a *nix native and all around technology enthusiast.

Reader Interactions

Enjoy this article? Don't forget to share.

Comments

Your email address will not be published. Required fields are marked *

Follow me on Twitter