anchore/anchore-engine@1.9.0

Partner
Anchore Engine is a docker container static analysis and policy-based compliance tool that automates the inspection, analysis, and evaluation of images to allow high confidence in container deployments by ensuring workload content meets the required criteria.
Created: October 23, 2018
Version Published: July 1, 2021
Releases: 29
Org Usage: < 25

Orb Quick Start Guide

Use CircleCI version 2.1 at the top of your .circleci/config.yml file.

version: 2.1

Add the orbs stanza below your version, invoking the orb:

orbs:
  anchore-engine: anchore/anchore-engine@1.9.0

Use anchore-engine elements in your existing workflows and jobs.

Opt-in to use of uncertified orbs on your organization’s Security settings page.

Usage Examples

local_image_scan

Use the analyze_local_image command within a container build pipeline to scan an image that hasn't been pushed to a registry yet. If Anchore policy evaluation gives 'fail' status, the CI job will be marked as a failure. A custom policy can be used for evaluation: add a custom Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository. The Dockerfile used for building your image can be passed for policy evaluation.

jobs:
  local_image_scan:
    executor: anchore/anchore_engine
    steps:
      - setup_remote_docker
      - checkout
      - run:
          command: docker build -t "example/test:latest" .
          name: build container
      - anchore/analyze_local_image:
          dockerfile_path: ./Dockerfile
          image_name: example/test:latest
          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
          policy_failure: true
          timeout: '500'
      - anchore/parse_reports
      - store_artifacts:
          path: anchore-reports
orbs:
  anchore: anchore/anchore-engine@1
version: 2.1

multiple_local_image_scan

Use the analyze_local_image command within a container build pipeline to scan multiple images that haven't been pushed to a registry yet; pass them to image_name as a space-separated list. If Anchore policy evaluation gives 'fail' status, the CI job will be marked as a failure. A custom policy can be used for evaluation: add a custom Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository. Scanning multiple images does not support passing a Dockerfile.

jobs:
  local_image_scan:
    executor: anchore/anchore_engine
    steps:
      - setup_remote_docker
      - checkout
      - run:
          command: |
            docker build -t "example/test:dev" dev/
            docker build -t "example/test:staging" staging/
            docker build -t "example/test:latest" prod/
          name: build containers
      - anchore/analyze_local_image:
          image_name: example/test:dev example/test:staging example/test:latest
          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
          policy_failure: true
          timeout: '500'
      - anchore/parse_reports
      - store_artifacts:
          path: anchore-reports
orbs:
  anchore: anchore/anchore-engine@1
version: 2.1

private_image_scan

Use this job to scan an image located in a private registry. A custom policy can be used for evaluation: add a custom Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository.

orbs:
  anchore: anchore/anchore-engine@1
version: 2.1
workflows:
  scan_image:
    jobs:
      - anchore/image_scan:
          image_name: docker.io/anchore/anchore-engine:latest
          private_registry: true
          registry_name: docker.io
          registry_pass: $DOCKER_PASS
          registry_user: $DOCKER_USER

standard_image_scan

Use this job to scan an image located in a public registry. A custom policy can be used for evaluation: add a custom Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository.

orbs:
  anchore: anchore/anchore-engine@1
version: 2.1
workflows:
  scan_image:
    jobs:
      - anchore/image_scan:
          image_name: docker.io/anchore/anchore-engine:latest
          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
          timeout: '300'

Jobs

image_scan

Performs a static security analysis of a docker container with Anchore Engine. A custom policy can be used for evaluation: add a custom Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository. Anchore Engine pulls the image from a public or private docker registry. Registry credentials are required to access private images; supply them through the $DOCKER_USER and $DOCKER_PASS environment variables.

Parameters:

after_analyze (steps, optional, default: [])
  Optional steps to run after analyzing the docker image.

after_checkout (steps, optional, default: [])
  Optional steps to run after checking out the code.

before_analyze (steps, optional, default: [])
  Optional steps to run before analyzing the docker image.

image_name (string, required)
  Image repository & tag (eg - docker.io/anchore/anchore-engine:latest).

policy_bundle_file_path (string, optional, default: ${HOME}/project/.circleci/.anchore/policy_bundle.json)
  Specify file path to policy bundle.

policy_failure (boolean, optional, default: false)
  Set to True if pipeline should stop on policy evaluation status 'fail'.

private_registry (boolean, optional, default: false)
  Set to True if image is only accessible from a private registry.

registry_name (string, optional, default: docker.io)
  Name of private registry (eg - docker.io).

registry_pass (string, optional, default: $DOCKER_PASS)
  Password for private registry (use env var $DOCKER_PASS to populate).

registry_user (string, optional, default: $DOCKER_USER)
  Username for private registry (use env var $DOCKER_USER to populate).

timeout (string, optional, default: '300')
  Timeout used for Anchore Engine image scanning.

Commands

add_private_registry

Adds credentials for private registries to Anchore Engine. Set the registry credentials with the $DOCKER_USER and $DOCKER_PASS env vars. Must run on an executor with anchore-engine running and anchore-cli installed.

Parameters:

registry_name (string, optional, default: docker.io)
  Name of private registry (eg - docker.io).

registry_pass (string, optional, default: $DOCKER_PASS)
  Password for private registry (use env var to populate).

registry_user (string, optional, default: $DOCKER_USER)
  Username for private registry (use env var to populate).

analyze_image

Adds an image to Anchore Engine and starts analysis, then copies the generated reports into anchore-reports/ in the working directory. image_name is required; timeout is optional.

Parameters:

image_name (string, required)
  Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").

timeout (string, optional, default: '300')
  Timeout used for Anchore Engine image scanning.

analyze_local_image

Pushes a local image to a temporary registry container, scans it there with Anchore Engine, and stores all reports as artifacts. Must be run in a job that uses setup_remote_docker and an image with docker installed. Under the hood the command fetches the inline_scan helper script for the selected anchore_version from https://ci-tools.anchore.io and runs it, so anchore_version also determines which script is executed; a policy bundle or Dockerfile path that does not exist is reported and skipped rather than failing the scan.

Parameters:

anchore_version (string, optional, default: $ANCHORE_VERSION)
  Version of anchore inline-scan image.

dockerfile_path (string, optional, default: '')
  Path to dockerfile used to build image.

image_name (string, required)
  Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").

policy_bundle_file_path (string, optional, default: ${HOME}/project/.circleci/.anchore/policy_bundle.json)
  Specify file path to policy bundle.

policy_failure (boolean, optional, default: false)
  Set to True if pipeline should stop on policy evaluation status 'fail'.

timeout (string, optional, default: '300')
  Timeout used for Anchore Engine image scanning.

parse_reports

Prints the analysis reports found under anchore-reports/ using jq: the installed OS packages from the content-os reports and the vulnerabilities, grouped by package, from the vuln reports. It only prints; it does not change the job's status.
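As an added example (not code from the orb or from Anchore), the Python below does what the parse_reports jq filter does, grouping the entries of .vulnerabilities[] by .package, and then adds the gate the orb leaves to policy_evaluation: a non-zero exit when any finding reaches a chosen severity. The report layout beyond .package and .vuln (the .severity and .fix fields) is assumed from anchore-cli's JSON output, and the sample report and its CVE ids are constructed placeholders.

```python
"""Group an Anchore vulnerability report by package and gate on severity."""
import glob
import json
import sys
from collections import defaultdict

# Anchore severity labels, lowest to highest; labels outside this list are
# ranked as "Unknown" rather than silently dropped.
SEVERITY_ORDER = ["Unknown", "Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample report. The .vulnerabilities[].package / .vuln layout is
# what the parse_reports jq filter reads; .severity and .fix are assumed to
# match anchore-cli's JSON output, and the CVE ids are placeholders.
SAMPLE_REPORT = json.dumps({
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "package": "openssl-1.1.1-r0",
         "severity": "High", "fix": "1.1.1-r1"},
        {"vuln": "CVE-0000-0002", "package": "openssl-1.1.1-r0",
         "severity": "Medium", "fix": "None"},
        {"vuln": "CVE-0000-0003", "package": "busybox-1.31.1-r0",
         "severity": "Low", "fix": "None"},
    ],
})


def group_by_package(report_json):
    """Python equivalent of the orb's jq filter
    [.vulnerabilities | group_by(.package) | .[] | {package, vuln: [.[].vuln]}]
    returned as {package: [vuln ids]}, sorted by package like jq's group_by."""
    grouped = defaultdict(list)
    for finding in json.loads(report_json).get("vulnerabilities", []):
        grouped[finding["package"]].append(finding["vuln"])
    return dict(sorted(grouped.items()))


def severity_rank(label):
    """Index in SEVERITY_ORDER; unrecognised or missing labels rank as Unknown."""
    return SEVERITY_ORDER.index(label) if label in SEVERITY_ORDER else 0


def evaluate(report_json, fail_on="High", fixable_only=False):
    """Gate the report: 'fail' if any finding is at or above the fail_on severity
    (optionally only when a fixed package version exists), otherwise 'pass'.
    Returns (status, offending) so a CI step can both decide and print details."""
    threshold = severity_rank(fail_on)
    offending = []
    for finding in json.loads(report_json).get("vulnerabilities", []):
        if severity_rank(finding.get("severity")) < threshold:
            continue
        if fixable_only and finding.get("fix") in (None, "", "None"):
            continue
        offending.append("%s %s (%s)" % (finding["vuln"], finding["package"],
                                         finding.get("severity", "Unknown")))
    return ("fail" if offending else "pass"), offending


def main():
    # Same file pattern parse_reports uses; falls back to the sample offline.
    paths = glob.glob("anchore-reports/*vuln*.json")
    reports = [open(p).read() for p in paths] or [SAMPLE_REPORT]
    failed = False
    for report in reports:
        for package, vulns in group_by_package(report).items():
            print("%s: %s" % (package, ", ".join(vulns)))
        status, offending = evaluate(report, fail_on="High")
        for line in offending:
            print("  gate: " + line)
        failed = failed or status == "fail"
    # Like policy_failure: true, a non-zero exit marks the CI job as failed.
    sys.exit(1 if failed else 0)


if __name__ == "__main__":
    main()
```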


policy_evaluation

Performs policy evaluation using the Anchore Engine image analysis. A custom policy bundle can be used for evaluation; add it to your repository at .circleci/.anchore/policy_bundle.json. If you use multiple policy bundles, or an executor other than anchore/anchore_engine, set the bundle path with the policy_bundle_file_path parameter. A bundle that cannot be found or activated is reported and the default policy is used instead, and unless policy_failure is true the evaluation output is printed but a 'fail' status does not fail the job.

Parameters:

image_name (string, required)
  Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").

policy_bundle_file_path (string, optional, default: ${HOME}/project/.circleci/.anchore/policy_bundle.json)
  Specify file path to policy bundle.

policy_failure (boolean, optional, default: false)
  Set to True if pipeline should stop on policy evaluation status 'fail'.

start_engine

Starts Anchore Engine (the docker.io/anchore/inline-scan container at anchore_version, named anchore-engine) and waits until it is ready, up to timeout.

Parameters:

anchore_version (string, optional, default: $ANCHORE_VERSION)
  Version of anchore inline-scan image.

timeout (string, optional, default: '300')
  Timeout used for Anchore Engine image scanning.

Executors

anchore_engine

The docker:stable-git image with the ANCHORE_VERSION environment variable set (v0.10.0 in this orb version).


Orb Source

# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  add_private_registry:
    description: |
      Adds credentials for private registries to anchore engine. Set registry credentials with $DOCKER_USER & $DOCKER_PASS env vars. Must run on executor with anchore-engine running & anchore-cli installed.
    parameters:
      registry_name:
        default: docker.io
        description: Name of private registry (eg - docker.io).
        type: string
      registry_pass:
        default: $DOCKER_PASS
        description: Password for private registry (use env var to populate).
        type: string
      registry_user:
        default: $DOCKER_USER
        description: Username for private registry (use env var to populate).
        type: string
    steps:
      - run:
          command: |
            REGISTRY_NAME="<< parameters.registry_name >>"
            REGISTRY_USER="<< parameters.registry_user >>"
            REGISTRY_PASS="<< parameters.registry_pass >>"
            docker exec -e REGISTRY_NAME="$REGISTRY_NAME" -e REGISTRY_USER="$REGISTRY_USER" -e REGISTRY_PASS="$REGISTRY_PASS" -it anchore-engine bash -lc 'anchore-cli registry add --skip-validate "$REGISTRY_NAME" "$REGISTRY_USER" "$REGISTRY_PASS"'
          name: Add private registry credentials to anchore engine.
  analyze_image:
    description: |
      Add image to anchore engine and start analyzing. image_name is required, timeout is optional.
    parameters:
      image_name:
        description: Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").
        type: string
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - run:
          command: |
            IMAGE_NAME="<< parameters.image_name >>"
            TIMEOUT=<< parameters.timeout >>
            docker exec -e IMAGE_NAME="$IMAGE_NAME" -e TIMEOUT="$TIMEOUT" -it anchore-engine bash -lc 'anchore_ci_tools.py --analyze --report --image "$IMAGE_NAME" --timeout "$TIMEOUT"'
            docker exec -e IMAGE_NAME="$IMAGE_NAME" -it anchore-engine bash -lc 'anchore-cli image get "$IMAGE_NAME"'
            docker cp anchore-engine:/anchore-engine/anchore-reports/ ./
          name: Analyze image with anchore engine.
  analyze_local_image:
    description: |
      Pushes a local image to a temporary registry container. Image is then scanned with anchore engine. Stores all reports as artifacts. Must be run in job with setup_remote_docker & using an image with docker installed.
    parameters:
      anchore_version:
        default: $ANCHORE_VERSION
        description: Version of anchore inline-scan image.
        type: string
      dockerfile_path:
        default: ""
        description: Path to dockerfile used to build image
        type: string
      image_name:
        description: Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").
        type: string
      policy_bundle_file_path:
        default: ${HOME}/project/.circleci/.anchore/policy_bundle.json
        description: Specify file path to policy bundle.
        type: string
      policy_failure:
        default: false
        description: Set to True if pipeline should stop on policy evaluation status 'fail'.
        type: boolean
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - run:
          command: |
            if [[ ! $(which bash) ]]; then
              (set +o pipefail; apk add bash || apt-get install -y bash || yum install -y bash)
            fi
            if [[ ! $(which curl) ]]; then
              (set +o pipefail; apk add curl || apt-get install -y curl || yum install -y curl)
            fi
            POLICY_FAILURE="<< parameters.policy_failure >>"
            ANCHORE_VERSION="<< parameters.anchore_version >>"
            TIMEOUT=<< parameters.timeout >>
            POLICY_BUNDLE_PATH="<< parameters.policy_bundle_file_path >>"
            DOCKERFILE_PATH="<< parameters.dockerfile_path >>"
            IMAGE_NAME="<< parameters.image_name >>"
            run_cmd="curl -s https://ci-tools.anchore.io/inline_scan-${ANCHORE_VERSION} | bash -s -- -r -t $TIMEOUT"
            if $POLICY_FAILURE; then
              run_cmd="$run_cmd -f"
            fi
            if [[ ! -z $POLICY_BUNDLE_PATH ]] && [[ -f $POLICY_BUNDLE_PATH ]]; then
              run_cmd="$run_cmd -b $POLICY_BUNDLE_PATH"
            else
              echo "ERROR - could not find policy bundle $POLICY_BUNDLE_PATH - using default policy bundle."
            fi
            if [[ ! -z $DOCKERFILE_PATH ]] && [[ -f $DOCKERFILE_PATH ]]; then
              run_cmd="$run_cmd -d $DOCKERFILE_PATH"
            else
              echo "ERROR - could not find Dockerfile $DOCKERFILE_PATH - Dockerfile not included in scan."
            fi
            run_cmd="$run_cmd $IMAGE_NAME"
            docker pull docker.io/anchore/inline-scan:${ANCHORE_VERSION}
            eval "$run_cmd"
          name: Scan local image.
  parse_reports:
    description: Prints analysis report of package vulnerabilities using JQ.
    steps:
      - run:
          command: |
            if [[ ! $(which jq) ]]; then
              (set +o pipefail; apk add jq || apt-get install -y jq || yum install -y jq)
            fi
            if ls anchore-reports/*content-os*.json >/dev/null 2>&1; then
              for f in anchore-reports/*content-os*.json; do
                printf "\n%s\n" "The following OS packages are installed in $f:"
                jq '[.content | sort_by(.package) | .[] | {package: .package, version: .version}]' $f
              done
            fi
            if ls anchore-reports/*vuln*.json >/dev/null 2>&1; then
              for f in anchore-reports/*vuln*.json; do
                printf "\n%s\n" "The following vulnerabilities were found in $f:"
                jq '[.vulnerabilities | group_by(.package) | .[] | {package: .[0].package, vuln: [.[].vuln]}]' $f
              done
            fi
          name: View parsed vulnerability analysis report.
  policy_evaluation:
    description: |
      Perform policy evaluation using Anchore Engine image analysis. A customized policy bundle can be utilized for evaluation. Custom policy bundles should be added to your repository at .circleci/.anchore/policy_bundle.json. If using multiple policy bundles, or if using executor other than anchore/anchore_engine a custom policy bundle path can be set as a parameter.
    parameters:
      image_name:
        description: Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").
        type: string
      policy_bundle_file_path:
        default: ${HOME}/project/.circleci/.anchore/policy_bundle.json
        description: Specify file path to policy bundle.
        type: string
      policy_failure:
        default: false
        description: Set to True if pipeline should stop on policy evaluation status 'fail'.
        type: boolean
    steps:
      - run:
          command: |
            BUNDLE_PATH="<< parameters.policy_bundle_file_path >>"
            IMAGE_NAME="<< parameters.image_name >>"
            if [[ ! $(which jq) ]]; then
              (set +o pipefail; apk add jq || apt-get install -y jq || yum install -y jq)
            fi
            if [[ ! -z "$BUNDLE_PATH" ]] && [[ -f "$BUNDLE_PATH" ]]; then
              docker cp "$BUNDLE_PATH" anchore-engine:/anchore-engine/$(basename "$BUNDLE_PATH")
              (docker exec -e BUNDLE_PATH="$BUNDLE_PATH" -i anchore-engine bash -lc 'anchore-cli --json policy add /anchore-engine/$(basename "$BUNDLE_PATH")' | jq '.policyId' | xargs -I{} docker exec -i anchore-engine bash -lc 'anchore-cli policy activate {}') || \
                printf "\n%s\n" "Failed to activate policy bundle $BUNDLE_PATH - using default policy."
            else
              printf "\n%s\n" "Unable to locate policy bundle $BUNDLE_PATH - using default policy."
            fi
            if << parameters.policy_failure >>; then
              docker exec -e IMAGE_NAME="$IMAGE_NAME" -it anchore-engine bash -lc 'anchore-cli evaluate check "$IMAGE_NAME" --detail'
            else
              (set +o pipefail; docker exec -e IMAGE_NAME="$IMAGE_NAME" -it anchore-engine bash -lc 'anchore-cli evaluate check "$IMAGE_NAME" --detail' | tee /dev/null)
            fi
          name: Evaluate image against desired policy bundle.
  start_engine:
    description: Start & wait for Anchore Engine
    parameters:
      anchore_version:
        default: $ANCHORE_VERSION
        description: Version of anchore inline-scan image.
        type: string
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - run:
          command: |
            ANCHORE_VERSION="<< parameters.anchore_version >>"
            TIMEOUT=<< parameters.timeout >>
            docker pull "docker.io/anchore/inline-scan:${ANCHORE_VERSION}"
            docker run -d --name anchore-engine "docker.io/anchore/inline-scan:${ANCHORE_VERSION}" start
            docker exec -e TIMEOUT="$TIMEOUT" -it anchore-engine bash -lc 'anchore_ci_tools.py --wait --timeout "$TIMEOUT"'
          name: Start Anchore Engine
description: |
  Anchore Engine is a docker container static analysis and policy-based compliance tool that automates the inspection, analysis, and evaluation of images to allow high confidence in container deployments by ensuring workload content meets the required criteria.
display:
  home_url: https://github.com/anchore/anchore-engine
  source_url: https://github.com/anchore/circleci-orbs/blob/master/anchore-engine/src
examples:
  local_image_scan:
    description: |
      Use the analyze_local_image command within a container build pipeline, it can be used to scan an image that hasn't been pushed to a registry yet. If Anchore policy evaluation gives 'fail' status, the CI job will be marked as a failure. A custom policy can be used for evaluation, add custom Anchore policy bundle to .circleci/.anchore/policy_bundle.json in your repository. The Dockerfile used for building your image can be passed for policy evaluation.
    usage:
      jobs:
        local_image_scan:
          executor: anchore/anchore_engine
          steps:
            - setup_remote_docker
            - checkout
            - run:
                command: docker build -t "example/test:latest" .
                name: build container
            - anchore/analyze_local_image:
                dockerfile_path: ./Dockerfile
                image_name: example/test:latest
                policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
                policy_failure: true
                timeout: "500"
            - anchore/parse_reports
            - store_artifacts:
                path: anchore-reports
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
  multiple_local_image_scan:
    description: |
      Use the analyze_local_image command within a container build pipeline, it can be used to scan multiple images that haven't been pushed to a registry yet. If Anchore policy evaluation gives 'fail' status, the CI job will be marked as a failure. A custom policy can be used for evaluation, add custom Anchore policy bundle to .circleci/.anchore/policy_bundle.json in your repository. Scanning multiple images does not support passing a dockerfile.
    usage:
      jobs:
        local_image_scan:
          executor: anchore/anchore_engine
          steps:
            - setup_remote_docker
            - checkout
            - run:
                command: |
                  docker build -t "example/test:dev" dev/
                  docker build -t "example/test:staging" staging/
                  docker build -t "example/test:latest" prod/
                name: build containers
            - anchore/analyze_local_image:
                image_name: example/test:dev example/test:staging example/test:latest
                policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
                policy_failure: true
                timeout: "500"
            - anchore/parse_reports
            - store_artifacts:
                path: anchore-reports
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
  private_image_scan:
    description: |
      Use this job to scan an image located in a private registry. A custom policy can be used for evaluation, add custom Anchore policy bundle to .circleci/.anchore/policy_bundle.json in your repository.
    usage:
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
      workflows:
        scan_image:
          jobs:
            - anchore/image_scan:
                image_name: docker.io/anchore/anchore-engine:latest
                private_registry: true
                registry_name: docker.io
                registry_pass: $DOCKER_PASS
                registry_user: $DOCKER_USER
  standard_image_scan:
    description: |
      Use this job to scan an image located in a public registry. A custom policy can be used for evaluation, add custom Anchore policy bundle to .circleci/.anchore/policy_bundle.json in your repository.
    usage:
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
      workflows:
        scan_image:
          jobs:
            - anchore/image_scan:
                image_name: docker.io/anchore/anchore-engine:latest
                policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
                timeout: "300"
executors:
  anchore_engine:
    description: |
      Docker stable image with ANCHORE_VERSION environment variable set.
    docker:
      - image: docker:stable-git
    environment:
      ANCHORE_VERSION: v0.10.0
jobs:
  image_scan:
    description: |
      Performs a static security analysis of docker container with anchore engine. A custom policy can be used for evaluation, add custom Anchore policy bundle to .circleci/.anchore/policy_bundle.json in your repository. Anchore engine pulls image from public/private docker registries. Requires registry credentials to access private images, use ENV vars $DOCKER_USER & $DOCKER_PASS
    executor: anchore_engine
    parameters:
      after_analyze:
        default: []
        description: Optional steps to run after analyzing the docker image.
        type: steps
      after_checkout:
        default: []
        description: Optional steps to run after checking out the code.
        type: steps
      before_analyze:
        default: []
        description: Optional steps to run before analyzing the docker image.
        type: steps
      image_name:
        description: Image repository & tag (eg - docker.io/anchore/anchore-engine:latest).
        type: string
      policy_bundle_file_path:
        default: ${HOME}/project/.circleci/.anchore/policy_bundle.json
        description: Specify file path to policy bundle.
        type: string
      policy_failure:
        default: false
        description: Set to True if pipeline should stop on policy evaluation status 'fail'.
        type: boolean
      private_registry:
        default: false
        description: Set to True if image is only accessible from a private registry.
        type: boolean
      registry_name:
        default: docker.io
        description: Name of private registry (eg - docker.io)
        type: string
      registry_pass:
        default: $DOCKER_PASS
        description: Password for private registry (use env var $DOCKER_PASS to populate).
        type: string
      registry_user:
        default: $DOCKER_USER
        description: Username for private registry (use env var $DOCKER_USER to populate).
        type: string
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - setup_remote_docker:
          docker_layer_caching: true
      - checkout
      - when:
          condition: << parameters.after_checkout >>
          name: Run after_checkout life cycle hook steps.
          steps: << parameters.after_checkout >>
      - start_engine
      - when:
          condition: << parameters.before_analyze >>
          name: Run before_analyze life cycle hook steps.
          steps: << parameters.before_analyze >>
      - when:
          condition: << parameters.private_registry >>
          steps:
            - add_private_registry:
                registry_name: << parameters.registry_name >>
                registry_pass: << parameters.registry_pass >>
                registry_user: << parameters.registry_user >>
      - analyze_image:
          image_name: << parameters.image_name >>
          timeout: << parameters.timeout >>
      - when:
          condition: << parameters.after_analyze >>
          name: Run after_analyze life cycle hook steps.
          steps: << parameters.after_analyze >>
      - policy_evaluation:
          image_name: << parameters.image_name >>
          policy_bundle_file_path: << parameters.policy_bundle_file_path >>
          policy_failure: << parameters.policy_failure >>
      - parse_reports
      - store_artifacts:
          path: anchore-reports
version: 2.1