@xolian
Last active June 24, 2020 18:52
Docker image scanning

install

  1. mkdir anchore-ce;cd anchore-ce
  2. curl https://docs.anchore.com/current/docs/engine/quickstart/docker-compose.yaml > docker-compose.yaml
  3. docker-compose up -d

initialize

Download the vulnerability feeds (the `wait` step blocks until the initial feed sync has finished).

  1. docker-compose exec api anchore-cli system status
  2. docker-compose exec api anchore-cli system feeds list
  3. docker-compose exec api anchore-cli system wait

create private registry

Not required for public registries.

  1. docker run -d -p 5000:5000 --restart=always --name registry registry:2
  2. cd <path/to/image-targets>   (the directory holding the docker-compose.yaml for the images you want to scan)
  3. docker-compose up -d
  4. docker tag docker.io/<something> localhost:5000/<something>
  5. docker push localhost:5000/<something>

scanning

For any public Docker Hub image, simply use docker.io/library/<image>:<tag> in place of the <something> placeholders below.

  1. docker-compose exec api anchore-cli image add <something>
  2. docker-compose exec api anchore-cli image wait <something>
  3. docker-compose exec api anchore-cli image content <something> os
  4. docker-compose exec api anchore-cli image vuln <something> all
  5. docker-compose exec api anchore-cli evaluate check <something>

NOTE: If you are adding from a private registry, use your external IP (NOT localhost or 127.0.0.1) in place of docker.io.
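The scanning steps above, wrapped into a CI gate as an added example (not part of the gist): it adds the image, waits for analysis, counts findings at or above a chosen severity in the `image vuln` table, and requires `evaluate check` to report `Status: pass`. It assumes the compose stack from the gist is running, that Severity is the third whitespace-separated column of the vuln table, and uses constructed sample rows with placeholder IDs (not real CVEs) for an offline check.

```shell
#!/bin/sh
# Added example (not from the gist): gate a build on the anchore-cli results.
# Assumes the Anchore Engine docker-compose stack from the gist is up.
set -eu

CLI="docker-compose exec -T api anchore-cli"   # -T: no pseudo-TTY, so output pipes cleanly

# Count rows of `anchore-cli image vuln <image> all` (read on stdin) whose Severity
# column (assumed to be the third whitespace-separated field) is at or above $1.
count_at_or_above() {
  awk -v want="$1" '
    BEGIN { r["Critical"]=4; r["High"]=3; r["Medium"]=2; r["Low"]=1; r["Negligible"]=0; r["Unknown"]=0 }
    NR > 1 && ($3 in r) && r[$3] >= r[want] { n++ }
    END { print n + 0 }'
}

# Read `anchore-cli evaluate check <image>` output on stdin; succeed only on "Status: pass".
policy_passed() {
  grep -q '^Status: pass'
}

# Full gate for one image: add, wait for analysis, then apply both checks.
# $2 is the maximum number of High/Critical findings tolerated (default 0).
scan_and_gate() {
  image="$1"; max_high="${2:-0}"
  $CLI image add "$image" >/dev/null
  $CLI image wait "$image" >/dev/null
  high=$($CLI image vuln "$image" all | count_at_or_above High)
  echo "$image: $high finding(s) at High or above (limit $max_high)"
  [ "$high" -le "$max_high" ] || { echo "FAIL: too many High/Critical findings"; return 1; }
  $CLI evaluate check "$image" | policy_passed || { echo "FAIL: policy evaluation did not pass"; return 1; }
  echo "PASS"
}

# Constructed sample in the table layout the vuln command prints (placeholder IDs, not real CVEs).
SAMPLE_VULN='Vulnerability ID   Package            Severity   Fix      Vulnerability URL
CVE-0000-0001      libexample-1.0-r0  High       1.0-r1   https://example.invalid/1
CVE-0000-0002      libother-2.3-r0    Medium     None     https://example.invalid/2
CVE-0000-0003      libfoo-0.1-r0      Critical   0.2-r0   https://example.invalid/3'

if [ $# -gt 0 ]; then   # run the live scan only when an image reference is given on the command line
  scan_and_gate "$@"
else
  echo "Sample: $(printf '%s\n' "$SAMPLE_VULN" | count_at_or_above High) finding(s) at High or above"
fi
```

Run it as `sh gate.sh localhost:5000/<something> 0` from the directory holding the Anchore docker-compose.yaml; with no arguments it only evaluates the embedded sample.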

remove registry

  1. docker container stop registry