Use CircleCI version 2.1 at the top of your .circleci/config.yml file.
```yaml
version: 2.1
```
Add the orbs stanza below your version line, invoking the orb:
```yaml
orbs:
  anchore-engine: anchore/anchore-engine@1.9.0
```
Use anchore-engine elements in your existing workflows and jobs (the examples below import the orb under the shorter alias anchore, so the steps are referenced as anchore/...).
Opt-in to use of uncertified orbs on your organization’s Security settings page.
The local_image_scan example uses the analyze_local_image command inside a container build pipeline to scan an image that has not yet been pushed to a registry. If the Anchore policy evaluation returns a 'fail' status, the CI job is marked as failed. To evaluate against a custom policy, add an Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository. The Dockerfile used to build the image can also be passed in for policy evaluation.
```yaml
jobs:
  local_image_scan:
    executor: anchore/anchore_engine
    steps:
      - setup_remote_docker
      - checkout
      - run:
          command: docker build -t "example/test:latest" .
          name: build container
      - anchore/analyze_local_image:
          dockerfile_path: ./Dockerfile
          image_name: example/test:latest
          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
          policy_failure: true
          timeout: '500'
      - anchore/parse_reports
      - store_artifacts:
          path: anchore-reports
orbs:
  anchore: anchore/anchore-engine@1
version: 2.1
```
The multiple_local_image_scan example uses the analyze_local_image command inside a container build pipeline to scan several images that have not yet been pushed to a registry; the image names are passed as a single space-separated string. If the Anchore policy evaluation returns a 'fail' status, the CI job is marked as failed. To evaluate against a custom policy, add an Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository. Scanning multiple images does not support passing a Dockerfile.
```yaml
jobs:
  local_image_scan:
    executor: anchore/anchore_engine
    steps:
      - setup_remote_docker
      - checkout
      - run:
          command: |
            docker build -t "example/test:dev" dev/
            docker build -t "example/test:staging" staging/
            docker build -t "example/test:latest" prod/
          name: build containers
      - anchore/analyze_local_image:
          image_name: example/test:dev example/test:staging example/test:latest
          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
          policy_failure: true
          timeout: '500'
      - anchore/parse_reports
      - store_artifacts:
          path: anchore-reports
orbs:
  anchore: anchore/anchore-engine@1
version: 2.1
```
The private_image_scan example uses the image_scan job to scan an image held in a private registry; the registry credentials are supplied through the $DOCKER_USER and $DOCKER_PASS environment variables. To evaluate against a custom policy, add an Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository.
```yaml
orbs:
  anchore: anchore/anchore-engine@1
version: 2.1
workflows:
  scan_image:
    jobs:
      - anchore/image_scan:
          image_name: docker.io/anchore/anchore-engine:latest
          private_registry: true
          registry_name: docker.io
          registry_pass: $DOCKER_PASS
          registry_user: $DOCKER_USER
```
The standard_image_scan example uses the image_scan job to scan an image held in a public registry. To evaluate against a custom policy, add an Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository.
```yaml
orbs:
  anchore: anchore/anchore-engine@1
version: 2.1
workflows:
  scan_image:
    jobs:
      - anchore/image_scan:
          image_name: docker.io/anchore/anchore-engine:latest
          policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
          timeout: '300'
```
The image_scan job performs a static security analysis of a Docker container image with Anchore Engine. To evaluate against a custom policy, add an Anchore policy bundle at .circleci/.anchore/policy_bundle.json in your repository. Anchore Engine pulls the image from a public or private Docker registry; private images require registry credentials, supplied through the $DOCKER_USER and $DOCKER_PASS environment variables.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
after_analyze | Optional steps to run after analyzing the docker image. | No | [] | steps |
after_checkout | Optional steps to run after checking out the code. | No | [] | steps |
before_analyze | Optional steps to run before analyzing the docker image. | No | [] | steps |
image_name | Image repository & tag (eg - docker.io/anchore/anchore-engine:latest). | Yes | - | string |
policy_bundle_file_path | Specify file path to policy bundle. | No | ${HOME}/project/.circleci/.anchore/policy_bundle.json | string |
policy_failure | Set to True if pipeline should stop on policy evaluation status 'fail'. | No | false | boolean |
private_registry | Set to True if image is only accessible from a private registry. | No | false | boolean |
registry_name | Name of private registry (eg - docker.io) | No | docker.io | string |
registry_pass | Password for private registry (use env var $DOCKER_PASS to populate). | No | $DOCKER_PASS | string |
registry_user | Username for private registry (use env var $DOCKER_USER to populate). | No | $DOCKER_USER | string |
timeout | Timeout used for Anchore Engine image scanning. | No | '300' | string |
The add_private_registry command adds credentials for a private registry to Anchore Engine. Set the registry credentials with the $DOCKER_USER and $DOCKER_PASS environment variables. It must run on an executor where anchore-engine is running and anchore-cli is installed.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
registry_name | Name of private registry (eg - docker.io). | No | docker.io | string |
registry_pass | Password for private registry (use env var to populate). | No | $DOCKER_PASS | string |
registry_user | Username for private registry (use env var to populate). | No | $DOCKER_USER | string |
The analyze_image command adds an image to Anchore Engine and starts the analysis. image_name is required; timeout is optional.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
image_name | Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest"). | Yes | - | string |
timeout | Timeout used for Anchore Engine image scanning. | No | '300' | string |
The analyze_local_image command pushes a local image to a temporary registry container, scans it with Anchore Engine, and stores all reports as artifacts. It must run in a job that uses setup_remote_docker and an image with Docker installed.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
anchore_version | Version of anchore inline-scan image. | No | $ANCHORE_VERSION | string |
dockerfile_path | Path to dockerfile used to build image | No | '' | string |
image_name | Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest"). | Yes | - | string |
policy_bundle_file_path | Specify file path to policy bundle. | No | ${HOME}/project/.circleci/.anchore/policy_bundle.json | string |
policy_failure | Set to True if pipeline should stop on policy evaluation status 'fail'. | No | false | boolean |
timeout | Timeout used for Anchore Engine image scanning. | No | '300' | string |
The policy_evaluation command performs a policy evaluation against the Anchore Engine image analysis. A custom policy bundle can be used for the evaluation; add it to your repository at .circleci/.anchore/policy_bundle.json. If you use several policy bundles, or an executor other than anchore/anchore_engine, set the bundle path explicitly with the policy_bundle_file_path parameter. If the bundle at that path cannot be found or activated, the command prints a message and evaluates against Anchore's default policy instead, so verify the path rather than relying on the job output alone.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
image_name | Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest"). | Yes | - | string |
policy_bundle_file_path | Specify file path to policy bundle. | No | ${HOME}/project/.circleci/.anchore/policy_bundle.json | string |
policy_failure | Set to True if pipeline should stop on policy evaluation status 'fail'. | No | false | boolean |
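Because a mistyped policy_bundle_file_path silently degrades the evaluation to Anchore's default policy, it is worth validating the bundle before it is committed. The following is an added example, not part of the anchore/anchore-engine orb; it assumes the Anchore Engine policy bundle layout (top-level policies, whitelists and mappings lists, with each mapping naming a policy_id and whitelist_ids, and rule actions of STOP, WARN or GO), and the sample bundle, the policy and mapping ids in it, and the hypothetical helper names validate_bundle and validate_bundle_file are all constructed for the demonstration.

```python
"""Pre-flight consistency check for a custom Anchore policy bundle (added example)."""
import json
from typing import List

# Constructed sample of what a minimal .circleci/.anchore/policy_bundle.json could look
# like: one policy that stops on vulnerabilities of severity high or worse, mapped to every image.
SAMPLE_BUNDLE = {
    "id": "example-bundle",
    "version": "1_0",
    "name": "Example CI bundle",
    "policies": [
        {
            "id": "block-high-vulns",
            "name": "Block high and critical vulnerabilities",
            "version": "1_0",
            "rules": [
                {
                    "id": "rule-1",
                    "gate": "vulnerabilities",
                    "trigger": "package",
                    "action": "STOP",
                    "params": [
                        {"name": "package_type", "value": "all"},
                        {"name": "severity_comparison", "value": ">="},
                        {"name": "severity", "value": "high"},
                    ],
                }
            ],
        }
    ],
    "whitelists": [],
    "mappings": [
        {
            "id": "default-mapping",
            "name": "default",
            "registry": "*",
            "repository": "*",
            "image": {"type": "tag", "value": "*"},
            "policy_id": "block-high-vulns",
            "whitelist_ids": [],
        }
    ],
    "whitelisted_images": [],
    "blacklisted_images": [],
}

VALID_ACTIONS = {"STOP", "WARN", "GO"}


def validate_bundle(bundle: dict) -> List[str]:
    """Return a list of problems found in the bundle; an empty list means it looks consistent."""
    problems: List[str] = []
    for key in ("id", "version", "policies", "mappings", "whitelists"):
        if key not in bundle:
            problems.append(f"missing top-level key: {key}")
    if problems:
        return problems

    policy_ids = {p.get("id") for p in bundle["policies"]}
    whitelist_ids = {w.get("id") for w in bundle["whitelists"]}

    # A bundle with no mapping matches no image, so no rule would ever fire.
    if not bundle["mappings"]:
        problems.append("no mappings: no image will be matched, so no policy is applied")
    for mapping in bundle["mappings"]:
        if mapping.get("policy_id") not in policy_ids:
            problems.append(
                f"mapping {mapping.get('id')!r} references unknown policy_id {mapping.get('policy_id')!r}"
            )
        for wid in mapping.get("whitelist_ids", []):
            if wid not in whitelist_ids:
                problems.append(f"mapping {mapping.get('id')!r} references unknown whitelist {wid!r}")

    for policy in bundle["policies"]:
        if not policy.get("rules"):
            problems.append(f"policy {policy.get('id')!r} has no rules: it can never produce a 'fail'")
        for rule in policy.get("rules", []):
            if rule.get("action") not in VALID_ACTIONS:
                problems.append(f"rule {rule.get('id')!r} has unsupported action {rule.get('action')!r}")
    return problems


def validate_bundle_file(path: str) -> List[str]:
    """Load a bundle from disk and validate it. A missing or malformed file is reported as a
    problem instead of raising, because in CI that is exactly the case that would otherwise
    fall back to the default policy unnoticed."""
    try:
        with open(path, encoding="utf-8") as fh:
            bundle = json.load(fh)
    except FileNotFoundError:
        return [f"policy bundle not found at {path}"]
    except json.JSONDecodeError as exc:
        return [f"policy bundle at {path} is not valid JSON: {exc}"]
    return validate_bundle(bundle)


if __name__ == "__main__":
    for problem in validate_bundle_file(".circleci/.anchore/policy_bundle.json") or ["bundle OK"]:
        print(problem)
```

Run it as a pre-commit hook or as an after_checkout step of the image_scan job so the build fails on a broken bundle before any scan time is spent.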
The start_engine command starts Anchore Engine and waits for it to become ready.
PARAMETER | DESCRIPTION | REQUIRED | DEFAULT | TYPE |
---|---|---|---|---|
anchore_version | Version of anchore inline-scan image. | No | $ANCHORE_VERSION | string |
timeout | Timeout used for Anchore Engine image scanning. | No | '300' | string |
The anchore_engine executor is the docker:stable-git image with the ANCHORE_VERSION environment variable set (v0.10.0 in this orb version).
```yaml
# This code is licensed from CircleCI to the user under the MIT license.
# See here for details: https://circleci.com/developer/orbs/licensing
commands:
  add_private_registry:
    description: |
      Adds credentials for private registries to anchore engine.
      Set registry credentials with $DOCKER_USER & $DOCKER_PASS env vars.
      Must run on executor with anchore-engine running & anchore-cli installed.
    parameters:
      registry_name:
        default: docker.io
        description: Name of private registry (eg - docker.io).
        type: string
      registry_pass:
        default: $DOCKER_PASS
        description: Password for private registry (use env var to populate).
        type: string
      registry_user:
        default: $DOCKER_USER
        description: Username for private registry (use env var to populate).
        type: string
    steps:
      - run:
          command: |
            REGISTRY_NAME="<< parameters.registry_name >>"
            REGISTRY_USER="<< parameters.registry_user >>"
            REGISTRY_PASS="<< parameters.registry_pass >>"
            # Credentials are handed to the engine container via env vars; --skip-validate
            # means a wrong password is only discovered when the image pull fails.
            docker exec -e REGISTRY_NAME="$REGISTRY_NAME" -e REGISTRY_USER="$REGISTRY_USER" -e REGISTRY_PASS="$REGISTRY_PASS" -it anchore-engine bash -lc 'anchore-cli registry add --skip-validate "$REGISTRY_NAME" "$REGISTRY_USER" "$REGISTRY_PASS"'
          name: Add private registry credentials to anchore engine.
  analyze_image:
    description: |
      Add image to anchore engine and start analyzing.
      image_name is required, timeout is optional.
    parameters:
      image_name:
        description: Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").
        type: string
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - run:
          command: |
            IMAGE_NAME="<< parameters.image_name >>"
            TIMEOUT=<< parameters.timeout >>
            docker exec -e IMAGE_NAME="$IMAGE_NAME" -e TIMEOUT="$TIMEOUT" -it anchore-engine bash -lc 'anchore_ci_tools.py --analyze --report --image "$IMAGE_NAME" --timeout "$TIMEOUT"'
            docker exec -e IMAGE_NAME="$IMAGE_NAME" -it anchore-engine bash -lc 'anchore-cli image get "$IMAGE_NAME"'
            # Copy the generated reports out of the engine container so they can be stored as artifacts.
            docker cp anchore-engine:/anchore-engine/anchore-reports/ ./
          name: Analyze image with anchore engine.
  analyze_local_image:
    description: |
      Pushes a local image to a temporary registry container.
      Image is then scanned with anchore engine. Stores all reports as artifacts.
      Must be run in job with setup_remote_docker & using an image with docker installed.
    parameters:
      anchore_version:
        default: $ANCHORE_VERSION
        description: Version of anchore inline-scan image.
        type: string
      dockerfile_path:
        default: ""
        description: Path to dockerfile used to build image
        type: string
      image_name:
        description: Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").
        type: string
      policy_bundle_file_path:
        default: ${HOME}/project/.circleci/.anchore/policy_bundle.json
        description: Specify file path to policy bundle.
        type: string
      policy_failure:
        default: false
        description: Set to True if pipeline should stop on policy evaluation status 'fail'.
        type: boolean
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - run:
          command: |
            if [[ ! $(which bash) ]]; then
              (set +o pipefail; apk add bash || apt-get install -y bash || yum install -y bash)
            fi
            if [[ ! $(which curl) ]]; then
              (set +o pipefail; apk add curl || apt-get install -y curl || yum install -y curl)
            fi
            POLICY_FAILURE="<< parameters.policy_failure >>"
            ANCHORE_VERSION="<< parameters.anchore_version >>"
            TIMEOUT=<< parameters.timeout >>
            POLICY_BUNDLE_PATH="<< parameters.policy_bundle_file_path >>"
            DOCKERFILE_PATH="<< parameters.dockerfile_path >>"
            IMAGE_NAME="<< parameters.image_name >>"
            # The inline_scan wrapper script is fetched over HTTPS and piped to bash, so the
            # version pinned in ANCHORE_VERSION determines exactly what runs here.
            run_cmd="curl -s https://ci-tools.anchore.io/inline_scan-${ANCHORE_VERSION} | bash -s -- -r -t $TIMEOUT"
            if $POLICY_FAILURE; then
              run_cmd="$run_cmd -f"
            fi
            # A missing bundle does not stop the job: the scan proceeds with the default policy.
            if [[ ! -z $POLICY_BUNDLE_PATH ]] && [[ -f $POLICY_BUNDLE_PATH ]]; then
              run_cmd="$run_cmd -b $POLICY_BUNDLE_PATH"
            else
              echo "ERROR - could not find policy bundle $POLICY_BUNDLE_PATH - using default policy bundle."
            fi
            if [[ ! -z $DOCKERFILE_PATH ]] && [[ -f $DOCKERFILE_PATH ]]; then
              run_cmd="$run_cmd -d $DOCKERFILE_PATH"
            else
              echo "ERROR - could not find Dockerfile $DOCKERFILE_PATH - Dockerfile not included in scan."
            fi
            run_cmd="$run_cmd $IMAGE_NAME"
            docker pull docker.io/anchore/inline-scan:${ANCHORE_VERSION}
            eval "$run_cmd"
          name: Scan local image.
  parse_reports:
    description: Prints analysis report of package vulnerabilities using JQ.
    steps:
      - run:
          command: |
            if [[ ! $(which jq) ]]; then
              (set +o pipefail; apk add jq || apt-get install -y jq || yum install -y jq)
            fi
            if ls anchore-reports/*content-os*.json >/dev/null 2>&1; then
              for f in anchore-reports/*content-os*.json; do
                printf "\n%s\n" "The following OS packages are installed in $f:"
                jq '[.content | sort_by(.package) | .[] | {package: .package, version: .version}]' $f
              done
            fi
            if ls anchore-reports/*vuln*.json >/dev/null 2>&1; then
              for f in anchore-reports/*vuln*.json; do
                printf "\n%s\n" "The following vulnerabilities were found in $f:"
                jq '[.vulnerabilities | group_by(.package) | .[] | {package: .[0].package, vuln: [.[].vuln]}]' $f
              done
            fi
          name: View parsed vulnerability analysis report.
  policy_evaluation:
    description: |
      Perform policy evaluation using Anchore Engine image analysis. A customized policy bundle can be utilized for evaluation.
      Custom policy bundles should be added to your repository at .circleci/.anchore/policy_bundle.json. If using multiple policy
      bundles, or if using executor other than anchore/anchore_engine a custom policy bundle path can be set as a parameter.
    parameters:
      image_name:
        description: Image repository & tag (eg - "docker.io/anchore/anchore-engine:latest").
        type: string
      policy_bundle_file_path:
        default: ${HOME}/project/.circleci/.anchore/policy_bundle.json
        description: Specify file path to policy bundle.
        type: string
      policy_failure:
        default: false
        description: Set to True if pipeline should stop on policy evaluation status 'fail'.
        type: boolean
    steps:
      - run:
          command: |
            BUNDLE_PATH="<< parameters.policy_bundle_file_path >>"
            IMAGE_NAME="<< parameters.image_name >>"
            if [[ ! $(which jq) ]]; then
              (set +o pipefail; apk add jq || apt-get install -y jq || yum install -y jq)
            fi
            # Copy the bundle into the engine container, register it and activate the returned
            # policyId. If either step fails, evaluation falls back to the engine's default policy.
            if [[ ! -z "$BUNDLE_PATH" ]] && [[ -f "$BUNDLE_PATH" ]]; then
              docker cp "$BUNDLE_PATH" anchore-engine:/anchore-engine/$(basename "$BUNDLE_PATH")
              (docker exec -e BUNDLE_PATH="$BUNDLE_PATH" -i anchore-engine bash -lc 'anchore-cli --json policy add /anchore-engine/$(basename "$BUNDLE_PATH")' | jq '.policyId' | xargs -I{} docker exec -i anchore-engine bash -lc 'anchore-cli policy activate {}') || \
              printf "\n%s\n" "Failed to activate policy bundle $BUNDLE_PATH - using default policy."
            else
              printf "\n%s\n" "Unable to locate policy bundle $BUNDLE_PATH - using default policy."
            fi
            # With policy_failure set, a 'fail' evaluation exits non-zero and fails the job;
            # otherwise the exit status is swallowed and only the detail is printed.
            if << parameters.policy_failure >>; then
              docker exec -e IMAGE_NAME="$IMAGE_NAME" -it anchore-engine bash -lc 'anchore-cli evaluate check "$IMAGE_NAME" --detail'
            else
              (set +o pipefail; docker exec -e IMAGE_NAME="$IMAGE_NAME" -it anchore-engine bash -lc 'anchore-cli evaluate check "$IMAGE_NAME" --detail' | tee /dev/null)
            fi
          name: Evaluate image against desired policy bundle.
  start_engine:
    description: Start & wait for Anchore Engine
    parameters:
      anchore_version:
        default: $ANCHORE_VERSION
        description: Version of anchore inline-scan image.
        type: string
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - run:
          command: |
            ANCHORE_VERSION="<< parameters.anchore_version >>"
            TIMEOUT=<< parameters.timeout >>
            docker pull "docker.io/anchore/inline-scan:${ANCHORE_VERSION}"
            docker run -d --name anchore-engine "docker.io/anchore/inline-scan:${ANCHORE_VERSION}" start
            docker exec -e TIMEOUT="$TIMEOUT" -it anchore-engine bash -lc 'anchore_ci_tools.py --wait --timeout "$TIMEOUT"'
          name: Start Anchore Engine
description: |
  Anchore Engine is a docker container static analysis and policy-based compliance tool that
  automates the inspection, analysis, and evaluation of images to allow high confidence in
  container deployments by ensuring workload content meets the required criteria.
display:
  home_url: https://github.com/anchore/anchore-engine
  source_url: https://github.com/anchore/circleci-orbs/blob/master/anchore-engine/src
examples:
  local_image_scan:
    description: |
      Use the analyze_local_image command within a container build pipeline,
      it can be used to scan an image that hasn't been pushed to a registry yet.
      If Anchore policy evaluation gives 'fail' status, the CI job will be marked
      as a failure. A custom policy can be used for evaluation, add custom Anchore
      policy bundle to .circleci/.anchore/policy_bundle.json in your repository.
      The Dockerfile used for building your image can be passed for policy evaluation.
    usage:
      jobs:
        local_image_scan:
          executor: anchore/anchore_engine
          steps:
            - setup_remote_docker
            - checkout
            - run:
                command: docker build -t "example/test:latest" .
                name: build container
            - anchore/analyze_local_image:
                dockerfile_path: ./Dockerfile
                image_name: example/test:latest
                policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
                policy_failure: true
                timeout: "500"
            - anchore/parse_reports
            - store_artifacts:
                path: anchore-reports
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
  multiple_local_image_scan:
    description: |
      Use the analyze_local_image command within a container build pipeline,
      it can be used to scan multiple images that haven't been pushed to a registry yet.
      If Anchore policy evaluation gives 'fail' status, the CI job will be marked
      as a failure. A custom policy can be used for evaluation, add custom Anchore
      policy bundle to .circleci/.anchore/policy_bundle.json in your repository.
      Scanning multiple images does not support passing a dockerfile.
    usage:
      jobs:
        local_image_scan:
          executor: anchore/anchore_engine
          steps:
            - setup_remote_docker
            - checkout
            - run:
                command: |
                  docker build -t "example/test:dev" dev/
                  docker build -t "example/test:staging" staging/
                  docker build -t "example/test:latest" prod/
                name: build containers
            - anchore/analyze_local_image:
                image_name: example/test:dev example/test:staging example/test:latest
                policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
                policy_failure: true
                timeout: "500"
            - anchore/parse_reports
            - store_artifacts:
                path: anchore-reports
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
  private_image_scan:
    description: |
      Use this job to scan an image located in a private registry. A custom
      policy can be used for evaluation, add custom Anchore policy bundle to
      .circleci/.anchore/policy_bundle.json in your repository.
    usage:
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
      workflows:
        scan_image:
          jobs:
            - anchore/image_scan:
                image_name: docker.io/anchore/anchore-engine:latest
                private_registry: true
                registry_name: docker.io
                registry_pass: $DOCKER_PASS
                registry_user: $DOCKER_USER
  standard_image_scan:
    description: |
      Use this job to scan an image located in a public registry. A custom
      policy can be used for evaluation, add custom Anchore policy bundle to
      .circleci/.anchore/policy_bundle.json in your repository.
    usage:
      orbs:
        anchore: anchore/anchore-engine@1
      version: 2.1
      workflows:
        scan_image:
          jobs:
            - anchore/image_scan:
                image_name: docker.io/anchore/anchore-engine:latest
                policy_bundle_file_path: .circleci/.anchore/policy_bundle.json
                timeout: "300"
executors:
  anchore_engine:
    description: |
      Docker stable image with ANCHORE_VERSION environment variable set.
    docker:
      - image: docker:stable-git
    environment:
      ANCHORE_VERSION: v0.10.0
jobs:
  image_scan:
    description: |
      Performs a static security analysis of docker container with anchore engine.
      A custom policy can be used for evaluation, add custom Anchore policy bundle
      to .circleci/.anchore/policy_bundle.json in your repository. Anchore engine pulls
      image from public/private docker registries. Requires registry credentials
      to access private images, use ENV vars $DOCKER_USER & $DOCKER_PASS
    executor: anchore_engine
    parameters:
      after_analyze:
        default: []
        description: Optional steps to run after analyzing the docker image.
        type: steps
      after_checkout:
        default: []
        description: Optional steps to run after checking out the code.
        type: steps
      before_analyze:
        default: []
        description: Optional steps to run before analyzing the docker image.
        type: steps
      image_name:
        description: Image repository & tag (eg - docker.io/anchore/anchore-engine:latest).
        type: string
      policy_bundle_file_path:
        default: ${HOME}/project/.circleci/.anchore/policy_bundle.json
        description: Specify file path to policy bundle.
        type: string
      policy_failure:
        default: false
        description: Set to True if pipeline should stop on policy evaluation status 'fail'.
        type: boolean
      private_registry:
        default: false
        description: Set to True if image is only accessible from a private registry.
        type: boolean
      registry_name:
        default: docker.io
        description: Name of private registry (eg - docker.io)
        type: string
      registry_pass:
        default: $DOCKER_PASS
        description: Password for private registry (use env var $DOCKER_PASS to populate).
        type: string
      registry_user:
        default: $DOCKER_USER
        description: Username for private registry (use env var $DOCKER_USER to populate).
        type: string
      timeout:
        default: "300"
        description: Timeout used for Anchore Engine image scanning.
        type: string
    steps:
      - setup_remote_docker:
          docker_layer_caching: true
      - checkout
      - when:
          condition: << parameters.after_checkout >>
          name: Run after_checkout life cycle hook steps.
          steps: << parameters.after_checkout >>
      - start_engine
      - when:
          condition: << parameters.before_analyze >>
          name: Run before_analyze life cycle hook steps.
          steps: << parameters.before_analyze >>
      - when:
          condition: << parameters.private_registry >>
          steps:
            - add_private_registry:
                registry_name: << parameters.registry_name >>
                registry_pass: << parameters.registry_pass >>
                registry_user: << parameters.registry_user >>
      - analyze_image:
          image_name: << parameters.image_name >>
          timeout: << parameters.timeout >>
      - when:
          condition: << parameters.after_analyze >>
          name: Run after_analyze life cycle hook steps.
          steps: << parameters.after_analyze >>
      - policy_evaluation:
          image_name: << parameters.image_name >>
          policy_bundle_file_path: << parameters.policy_bundle_file_path >>
          policy_failure: << parameters.policy_failure >>
      - parse_reports
      - store_artifacts:
          path: anchore-reports
version: 2.1
```
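The parse_reports command above only groups vulnerabilities by package with jq and prints them. Teams usually also want a per-severity tally and a list of findings that already have a fix available, which is what the following added example computes; it is not part of the anchore/anchore-engine orb. It assumes the shape of the *vuln*.json files that analyze_image copies into anchore-reports (a top-level "vulnerabilities" list whose entries carry "vuln", "package", "severity" and "fix", with "None" meaning no fix is available); the sample report, its CVE-EXAMPLE-* identifiers and package versions are constructed, and the function names are the author's own.

```python
"""Summarise Anchore *vuln*.json reports: group by package (as the orb's jq filter does),
count findings per severity, and list the fixable ones (added example)."""
import glob
import json
import os
from collections import defaultdict
from typing import Dict, List

# Constructed sample report in the shape the orb's jq filters expect.
SAMPLE_VULN_REPORT = {
    "imageDigest": "sha256:constructed-digest-placeholder",
    "vulnerability_type": "all",
    "vulnerabilities": [
        {"vuln": "CVE-EXAMPLE-0001", "package": "openssl-1.1.1k-r0", "severity": "High", "fix": "1.1.1l-r0"},
        {"vuln": "CVE-EXAMPLE-0002", "package": "openssl-1.1.1k-r0", "severity": "Medium", "fix": "None"},
        {"vuln": "CVE-EXAMPLE-0003", "package": "busybox-1.33.1-r2", "severity": "Critical", "fix": "1.33.1-r3"},
        {"vuln": "CVE-EXAMPLE-0004", "package": "zlib-1.2.11-r3", "severity": "Negligible", "fix": "None"},
    ],
}

# Anchore severity levels, highest first; anything else is counted as Unknown.
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]


def group_by_package(report: dict) -> Dict[str, List[str]]:
    """Same result as the orb's jq filter
    '[.vulnerabilities | group_by(.package) | .[] | {package: .[0].package, vuln: [.[].vuln]}]',
    returned as {package: [vuln ids]} sorted by package name."""
    grouped: Dict[str, List[str]] = defaultdict(list)
    for entry in report.get("vulnerabilities", []):
        grouped[entry["package"]].append(entry["vuln"])
    return dict(sorted(grouped.items()))


def count_by_severity(report: dict) -> Dict[str, int]:
    """Number of findings at each severity level, with every level present (zero if absent)."""
    counts = {level: 0 for level in SEVERITY_ORDER}
    for entry in report.get("vulnerabilities", []):
        level = entry.get("severity", "Unknown")
        counts[level if level in counts else "Unknown"] += 1
    return counts


def fixable(report: dict) -> List[str]:
    """Vuln ids for which Anchore reports a fixed package version (fix is not 'None'/empty)."""
    return [
        entry["vuln"]
        for entry in report.get("vulnerabilities", [])
        if entry.get("fix") not in (None, "", "None")
    ]


def summarise_report(report: dict) -> str:
    """Human-readable summary suitable for the CI job log."""
    lines = ["Findings per package:"]
    for package, vulns in group_by_package(report).items():
        lines.append(f"  {package}: {', '.join(vulns)}")
    lines.append("Findings per severity:")
    for level, count in count_by_severity(report).items():
        if count:
            lines.append(f"  {level}: {count}")
    lines.append(f"Fixable by upgrading: {', '.join(fixable(report)) or 'none'}")
    return "\n".join(lines)


def summarise_directory(directory: str = "anchore-reports") -> Dict[str, str]:
    """Summarise every *vuln*.json report in the artifacts directory, keyed by file name."""
    summaries = {}
    for path in sorted(glob.glob(os.path.join(directory, "*vuln*.json"))):
        with open(path, encoding="utf-8") as fh:
            summaries[os.path.basename(path)] = summarise_report(json.load(fh))
    return summaries


if __name__ == "__main__":
    results = summarise_directory() or {"constructed sample": summarise_report(SAMPLE_VULN_REPORT)}
    for name, summary in results.items():
        print(f"== {name} ==\n{summary}\n")
```

Run it after analyze_image (or analyze_local_image) has populated anchore-reports; when the directory is absent it falls back to the constructed sample so the script can be tried locally. The severity tally is a convenience for reading the job log, not a gate: the pass/fail decision still comes from Anchore's policy evaluation, so a severity threshold belongs in the policy bundle rather than in a script like this.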