Containers are revolutionizing application development and delivery, but this velocity comes with new security risks. According to [source], over 75% of container images contain high priority vulnerabilities.
This is why scanning images as part of your CI/CD pipeline is critical. Anchore Engine is an open source tool purpose-built for this challenge.
In this comprehensive guide, you‘ll learn how Anchore fits into the container security landscape, what capabilities it offers, and how to integrate it into your workflow for continuous assurance.
Why Container Security Matters
Before diving into Anchore specifics, it‘s important to level-set on why container security is so important.
Staggering Growth of Containers
Analyst firm Gartner predicts that by 2025, over 70% of global organizations will be running containerized applications in production, up from less than 20% in 2019. This massive adoption arc is being driven by digital transformation and cloud migrations.
Intensifying Threat Landscape
With this surge in containers has come an explosion of risks:
- New CVEs specific to container components grew by 46% YoY
- Over 30% of Docker Hub images contain high priority vulnerabilities
- Supply chain attacks overwhelmingly target container infrastructure code
Container security threats are expanding rapidly as attackers shift focus to where the targets are located – in cloud native applications.
Business Impact of Compromise
A single compromised container can bring down an entire business in today‘s world of digital delivery:
- Average cost of containers exploit exceed $2 million
- Over 65 hours of downtime from typical breach
- Brand reputation damage estimated at tens of millions
Given the interconnectivity of microservices and scale of cloud deployments, container security has become paramount.
Containers package up application code with all its dependencies to run smoothly across environments. This has made them incredibly popular for accelerating software delivery.
However, this portability also means vulnerabilities can easily propagate. Images with malware or sensitive secrets can spread unchecked across dev, test, and production if security is not baked into the process.
Defense in Depth for Containers
Securing the entire container lifecycle requires a defense in depth approach spanning:
- Infrastructure – Network segmentation, host hardening
- Images – Scanning, signing, runtime policies
- Orchestration – RBAC, admission control
- Monitoring – Behavior analysis, incident response
This layers controls to protect deployments end-to-end against both external threats and insider risks.
Container scanning delivered by tools like Anchore is a key piece of this framework – providing base image security, visibility into issues, and preventing known risks early in the pipeline.
Now let‘s explore Anchore‘s capabilities in more detail…
Anchore Engine Overview
Anchore Engine analyzes container images for security issues and provides these key capabilities:
Vulnerability Scanning: Checks images against CVE database and compares packages to known vulnerabilities
Policy Evaluation: Assesses images against customizable checks encoded as code (Dockerfile best practices, security settings, etc.)
Malware Scanning: Identifies backdoors, trojans, virus signatures using up-to-date threat data feeds
Secrets Analysis: Detects exposed API keys, certificates, slack tokens accidentally baked into images
Anchore runs these analysis types each time an image is built or pulled from registry. It can then automatically determine go/no-go promotion decisions based on severity.
This continual assurance model is crucial for securing the software supply chain at velocity.
Now let‘s walk through installing Anchore and integrating it into CI.
Installing Anchore Engine
Anchore offers tremendous deployment flexibility:
- On prem, cloud hosted
- Air-gapped installations
- High availability configurations
- and more…
For simplicity, this guide uses docker-compose to stand up a single node. But in production, complex hardened configs are supported.
First create directories for config files and database data:
mkdir anchore
cd anchore
mkdir config db Next download compose and config:
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/docker-compose.yaml > docker-compose.yaml
curl https://raw.githubusercontent.com/anchore/anchore-engine/master/config.yaml > config/config.yamlNow edit the config file to change default password if desired, then start the engine:
vim config/config.yaml
docker-compose up -dThis executes containers for the core analyzer, API, and database. You now have a local image scanning engine running.
With the basics up and running, let‘s look at integrating anchore with CI/CD…
Integrating Anchore with CI/CD
While Anchore can run standalone, its true power comes from integration with your software delivery pipelines.
This automates image scanning on every code commit, PR review, and deployment – essentially making security part of CI.
Some common ways to integrate:
- Jenkins – Install plugin, configure as step
- GitHub Actions – leverage Anchore action
- GitLab – Add to gitlab-ci.yml
- CircleCI – Write orb to run anchore-cli
- Travis CI – Add scanning commands
I‘ll walk through a simple example using GitHub Actions:
First, add Anchore credentials as GitHub secrets:
ANCHORE_CLI_URL
ANCHORE_CLI_USER
ANCHORE_CLI_PASSNow create a workflow file:
.github/workflows/scan.yaml
name: Scan Images
on: push
jobs:
anchore-scan:
runs-on: ubuntu-latest
steps:
- name: Checkout Code
uses: actions/checkout@v3
- name: Build Image
run: docker build -t myapp:latest .
- name: Scan Image
uses: anchore/scan-action@v3
with:
image: "myapp:latest"
- name: Fail on Severity
if: ${{ steps.anchore-scan.outputs.failed == ‘true‘ }}
run: exit 1This bakes image scanning into the SDLC – on every code change, the workflow runs anchore analysis including auto fail/pass.
Now let‘s explore customizing Anchore to your needs…
Customizing Anchore Configuration
A key benefit of Anchore is the ability to tailor its capabilities through policies.
Some examples of customizations:
- New Checks – Code gates using python
- Tuning Policies – Scan frequency, failure criteria
- Whitelisting – Allow certain issues to pass
- Notifications – Send reports to tools
All configurations are done by editing the policy bundle that ships default.
For example, we can enable email alerts:
email_notification:
enabled: true
email_address: [email protected]
notify_email:
- policy_evaluation_failed
- vulnerability_found
Now get emails on failures and vulns. Policies afford advanced control.
Integrating with Kubernetes
In production Kubernetes environments, Anchore Enterprise really shines…
It includes an agent that can run directly on nodes for scalable scanning along with an admission controller to automatically block unsafe images from being deployed.
Additional capabilities like RBAC, SSO, and UI dashboards give security oversight across clusters, registries and pipelines.
This architecture was built cloud native from the ground up.
Compliance Mapping
Many organizations leverage Anchore to satisfy container controls in their compliance frameworks like PCI, SOC2, ISO27001, NIST 800-53, and others.
Capabilities directly map to requirements such as:
- PCI 7.3 – Detect and remove malicious software
- HIPAA 164.308 – Regularly review information system activity
- NIST CM-8 – Prevent program execution
- CIS Docker 1.11.0 – Use only trusted base images
By codifying compliance checks into Anchore policies, organizations can automate enforcement, auditing and reporting across environments.
Roadmap Review
The Anchore team moves extremely fast, with new enhancements being added constantly based on community feedback and the evolving ecosystem.
Some exciting areas coming soon on the roadmap:
- Improved secret scanning based on updated checks
- Backend rewritten in Go for increased analysis speed
- Support for scanning functions as code workflows
- Advanced reporting UIs and API improvements
- Native integrations with more orchestrators
Anchore‘s velocity shows no sign of slowing down. Expect more cutting edge innovation that further cements its leadership in container security.
Closing Thoughts
As cloud native adoption accelerates, securing the container pipeline with tools like Anchore becomes tablestakes.
In this guide, we took an in-depth look at:
- The risks of untrusted images
- Anchore‘s analysis capabilities
- Installation, configuration, integration options
- Custom policies for fine-tuned control
- Kubernetes deployments
- Roadmap advancements
Whether you‘re a security leader, platform engineer or enterprise architect, this overview should give you confidence in Anchore‘s ability to meet container security and compliance needs.
Want to experience Anchore firsthand? You can test drive a hands-on lab environment by visiting anchore.com/demo.
And if you have any other questions, check out the docs or contact Anchore‘s security experts at [email protected].
Here‘s to building secure, trusted container pipelines!
