Container Security Using Anchore Toolbox
The Anchore Toolbox is a collection of lightweight, single-purpose, easy-to-use, open-source DevSecOps tools. It helps identify critical vulnerabilities.
Anchore provides open-source tools for deep image inspection and vulnerability scanning that allow users to perform a detailed analysis of container workloads, producing reports, and defining policies that can be used in the software delivery lifecycle stack.
These tools help identify critical vulnerabilities and enforce software container compliance.
- Syft: an open-source CLI analyzer that generates a Software Bill of Materials (SBOM) from container images and filesystems. Put simply, it produces a list of the installed packages and their versions.
Install the latest version of Syft to /usr/local/bin:
curl -sSfL https://raw.githubusercontent.com/anchore/syft/main/install.sh | sh -s -- -b /usr/local/bin
Pull the Docker image to analyze:
docker pull nodered/node-red-docker:slim-v8
Run Syft against the image to start the analysis:
➜ ~ syft packages nodered/node-red-docker:slim-v8
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [746 packages]
NAME                       VERSION     TYPE
@babel/runtime             7.6.0       npm
@node-red/editor-api       0.20.8      npm
@node-red/editor-client    0.20.8      npm
@node-red/nodes            0.20.8      npm
@node-red/registry         0.20.8      npm
@node-red/runtime          0.20.8      npm
@node-red/util             0.20.8      npm
JSONStream                 1.3.4       npm
abbrev                     1.1.1       npm
accepts                    1.3.7       npm
addressparser              1.0.1       npm
agent-base                 4.2.0       npm
agent-base                 4.3.0       npm
agentkeepalive             3.4.1       npm
ajv                        5.5.2       npm
ajv                        6.10.0      npm
alpine-baselayout          3.1.0-r3    apk
alpine-keys                2.1-r1      apk
This command generates a catalog of all packages in the image (OS packages plus npm packages). By default the output is a table; it can be switched to JSON, SPDX, plain text and other formats.
- Grype: an open-source tool that scans a project, filesystem or container image for known vulnerabilities.
It covers packages from the major operating systems (Alpine, Amazon Linux, BusyBox, CentOS, Debian, Distroless, Oracle Linux, Red Hat (RHEL), Ubuntu).
Grype pulls a database of vulnerabilities derived from the publicly available Anchore Feed Service. This database is updated at the beginning of each scan, but an update can also be triggered manually:
grype db update
# install the latest version to /usr/local/bin:
curl -sSfL https://raw.githubusercontent.com/anchore/grype/main/install.sh | sh -s -- -b /usr/local/bin
# Scan a docker image:
➜ ~ grype nodered/node-red-docker:slim-v8
 ✔ Vulnerability DB        [updated]
 ✔ Loaded image
 ✔ Parsed image
 ✔ Cataloged packages      [746 packages]
 ✔ Scanned image           [101 vulnerabilities]
NAME                INSTALLED  FIXED-IN               VULNERABILITY        SEVERITY
@node-red/runtime   0.20.8     1.2.8                  GHSA-xp9c-82x8-7f67  High
@node-red/runtime   0.20.8     1.2.8                  GHSA-m33v-338h-4v9f  Low
bin-links           1.1.2      1.1.5                  GHSA-gqf6-75v8-vr26  Low
bin-links           1.1.2      1.1.5                  GHSA-2mj8-pj3j-h362  Low
bin-links           1.1.2      1.1.6                  GHSA-v45m-2wcp-gg98  Low
bl                  1.2.2      1.2.3                  GHSA-pp7h-53gx-mx7r  High
chownr              1.0.1      (fixes indeterminate)  CVE-2017-18869       Low
cookie              0.3.1      (fixes indeterminate)  CVE-2017-18589       High
cookie              0.4.0      (fixes indeterminate)  CVE-2017-18589       High
cron                1.7.1      (fixes indeterminate)  CVE-2017-9525        Medium
cron                1.7.1      (fixes indeterminate)  CVE-2019-9704        Medium
You can also pipe in Syft JSON directly:
syft yourimage:tag -o json | grype
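The table above is handy at a terminal, but a pipeline needs a machine-readable verdict. The following is an added example, not code from the article or from the Anchore project: it reads the JSON that `grype -o json` writes and decides whether a build should fail. It assumes grype's JSON layout (a top-level `matches` list whose entries carry `vulnerability` and `artifact` objects with the keys used below); the sample report is constructed from rows of the scan above.

```python
"""Gate a CI run on a `grype -o json` report (added example, not Anchore code).

Assumed layout: {"matches": [{"vulnerability": {"id", "severity", "fix": {"state",
"versions"}}, "artifact": {"name", "version", "type"}}, ...]}.
"""
import json
import sys
from collections import Counter

# Severity labels grype emits, least to most severe. Anything outside this
# list is treated as more severe than Critical so it is never waved through.
SEVERITY_ORDER = ["Negligible", "Low", "Medium", "High", "Critical"]

# Constructed sample mirroring three rows of the scan output above.
SAMPLE_REPORT = json.dumps({"matches": [
    {"vulnerability": {"id": "GHSA-xp9c-82x8-7f67", "severity": "High",
                       "fix": {"state": "fixed", "versions": ["1.2.8"]}},
     "artifact": {"name": "@node-red/runtime", "version": "0.20.8", "type": "npm"}},
    {"vulnerability": {"id": "CVE-2017-18869", "severity": "Low",
                       "fix": {"state": "unknown", "versions": []}},
     "artifact": {"name": "chownr", "version": "1.0.1", "type": "npm"}},
    {"vulnerability": {"id": "CVE-2017-18589", "severity": "High",
                       "fix": {"state": "unknown", "versions": []}},
     "artifact": {"name": "cookie", "version": "0.3.1", "type": "npm"}},
]})


def findings(report_json, threshold="High", ignore_ids=()):
    """Return (vuln id, package, installed, fixed-in) for every match at or
    above `threshold`, skipping IDs in the reviewed allowlist `ignore_ids`."""
    floor = SEVERITY_ORDER.index(threshold)
    hits = []
    for match in json.loads(report_json).get("matches", []):
        vuln, pkg = match["vulnerability"], match["artifact"]
        if vuln["id"] in ignore_ids:
            continue
        sev = vuln.get("severity", "Unknown")
        rank = SEVERITY_ORDER.index(sev) if sev in SEVERITY_ORDER else len(SEVERITY_ORDER)
        if rank < floor:
            continue
        versions = vuln.get("fix", {}).get("versions") or []
        fixed_in = ", ".join(versions) if versions else "(fixes indeterminate)"
        hits.append((vuln["id"], pkg["name"], pkg["version"], fixed_in))
    return hits


def severity_counts(report_json):
    """Histogram of severities, useful for a one-line summary in CI logs."""
    matches = json.loads(report_json).get("matches", [])
    return dict(Counter(m["vulnerability"].get("severity", "Unknown") for m in matches))


def should_fail(report_json, threshold="High", ignore_ids=()):
    """True when at least one non-allowlisted match meets the threshold."""
    return bool(findings(report_json, threshold, ignore_ids))


if __name__ == "__main__":
    data = SAMPLE_REPORT if sys.stdin.isatty() else sys.stdin.read()
    for vid, name, version, fixed_in in findings(data):
        print(f"{name} {version} -> {fixed_in}  {vid}")
    sys.exit(1 if should_fail(data) else 0)
```

Run it as `grype image:tag -o json | python3 gate.py` (a hypothetical file name); a non-zero exit stops the pipeline while the summary lines name the packages to upgrade.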
We will soon publish a blog on Anchore's toolbox that includes:
- Modules that add continuous compliance to any development toolchain