Anchore: Container Security Starts with the Images
Amid the debate about where to put the focus on container security, for Anchore, it’s clear the energy should go toward images.
“We strongly believe that security starts with prevention versus remediation,” said CEO Saïd Ziouani. “If you’re pre-runtime, you have the ability to go into these containers and cover everything about these containers — everything from vulnerabilities to secrets and credentials down to misconfigurations down to the file system and be able to uncover all this information. That’s what Anchore does — it’s about discovering issues and problems before you go into runtime.”
The Santa Barbara, Calif.-based company, which claims a couple of dozen Fortune 100 companies among its customers, has no plans to tackle security at runtime, orchestration or elsewhere, he said.
“We now have the ability to take an image and find out everything about that image and hold that information locally over time, even a year from now, and if something comes about, either a vulnerability or a policy that gets broken, we’re able to notify you and say, ‘Hey, this image, which was compliant is no longer secure or compliant and here’s why,’” he said.
Tuesday, the company revealed new features beyond its initial open source command-line query tools for Anchore Enterprise.
Ziouani, a co-founder of the automation engine Ansible (acquired by Red Hat), teamed up with Daniel Nurmi, co-founder of private cloud vendor Eucalyptus (acquired by HP) to create Anchore in 2016.
Built on the open source project, Anchore Engine provides a centralized on-premise tool to analyze container images for vulnerabilities, policy, compatibility and configuration to ensure only trusted containers are deployed. Anchore Engine can analyze any Linux-based image and will produce a "bill of materials" covering every artifact in the image, including official operating system packages, unofficial packages, configuration files, language modules and artifacts from package managers such as NPM, pip and RubyGems, as well as Java archives.
It supports any Docker V2-compatible registry, including Amazon ECR, CoreOS Quay, DockerHub, Google GCR, JFrog Artifactory, Microsoft Azure ACR, SuSE Portus and VMware Harbor.
Anchore Cloud is a SaaS offering for analyzing images sitting in public container registries such as DockerHub, allowing users to inspect and write policies on top of those images. Anchore provides detailed data about these images including information typically not available from public registries including image digest, operating system and labels. It provides history, such as how often an image has been updated and the history of image tags, including a change log to show which packages and files changed between images. Its graphical policy editor allows users to create their own custom policies and define which policies are used with specific images.
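The change log described above, which shows what changed between two analyses of an image, can be illustrated with a small diff over two bill-of-materials snapshots. This is an added example, not Anchore's code or data format; the two BOMs (package versions and file digests) are constructed for the example, and the snapshot layout (artifact type, then name to version or digest) is an assumption.

```python
"""Added example (not Anchore's code): compute a change log between two
container image 'bill of materials' snapshots, listing which packages and
files were added, removed or changed. All sample data is constructed."""
from typing import Dict, List, Tuple

# Constructed sample snapshots: artifact type -> {name: version or digest}
BOM_V1 = {
    "os_packages": {"openssl": "1.1.0g-2", "bash": "4.4-5", "curl": "7.58.0-2"},
    "python_modules": {"requests": "2.18.4", "flask": "0.12.2"},
    "files": {"/etc/ssh/sshd_config": "sha256:aaa", "/app/app.py": "sha256:bbb"},
}
BOM_V2 = {
    "os_packages": {"openssl": "1.1.0h-1", "bash": "4.4-5"},
    "python_modules": {"requests": "2.18.4", "flask": "1.0.2", "pyyaml": "3.13"},
    "files": {"/etc/ssh/sshd_config": "sha256:ccc", "/app/app.py": "sha256:bbb",
              "/app/.env": "sha256:ddd"},
}


def diff_bom(old: Dict[str, Dict[str, str]],
             new: Dict[str, Dict[str, str]]) -> Dict[str, Dict[str, List]]:
    """Return, per artifact type, sorted lists of added and removed names and
    of (name, old_value, new_value) tuples for entries whose value changed."""
    report: Dict[str, Dict[str, List]] = {}
    for kind in sorted(set(old) | set(new)):
        o, n = old.get(kind, {}), new.get(kind, {})
        added = sorted(k for k in n if k not in o)
        removed = sorted(k for k in o if k not in n)
        changed = sorted((k, o[k], n[k]) for k in o if k in n and o[k] != n[k])
        report[kind] = {"added": added, "removed": removed, "changed": changed}
    return report


def format_changelog(report: Dict[str, Dict[str, List]]) -> List[str]:
    """Render the diff as +/-/~ lines, one per artifact, for a human reviewer."""
    lines: List[str] = []
    for kind, entry in report.items():
        for name in entry["added"]:
            lines.append(f"+ {kind}: {name}")
        for name in entry["removed"]:
            lines.append(f"- {kind}: {name}")
        for name, old_v, new_v in entry["changed"]:
            lines.append(f"~ {kind}: {name} {old_v} -> {new_v}")
    return lines


if __name__ == "__main__":
    # A newly added /app/.env file is exactly the kind of entry a secrets
    # policy would want to flag before the image reaches runtime.
    for line in format_changelog(diff_bom(BOM_V1, BOM_V2)):
        print(line)
```

Keeping each snapshot (rather than only the latest one) is what makes the article's "a year from now" re-evaluation possible: an old analysis can be diffed or re-checked against a new policy without pulling the image again.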
In addition, the premium offering allows scans of an organization’s private repositories stored on DockerHub or Amazon EC2 Container Registry (ECR).
The company did a soft launch of Anchore Enterprise earlier in the year. It’s releasing version 1.1 this week, which includes:
- A web-based UI with container registry/repository and image dashboard views, with historic reporting,
- On-premise vulnerability data feed service for air-gapped deployments and control over the vulnerability data provenance,
- Prometheus, S3, Swift integration,
- A comprehensive and simple-to-use graphical policy editor and manager,
- System audit and event logs.
It gives users the ability to create custom policies covering operating systems packages, configuration files, user-supplied binaries and third-party software libraries, including Node.JS, Ruby GEMs, Python modules and Java packages.
The upcoming version 1.2, due out in a couple of months, will add rule-based access control, LDAP support and other things enterprise users have been asking for, Ziouani said.
In a research post for The New Stack, analyst Lawrence Hecht noted the difference between image scanners tied to specific technology, such as CoreOS’s Clair scans of Quay.io, or Docker Security Scanning that works with Docker Trusted Registry.
Others, including Anchore, Aqua Peekr and Twistlock Trust work independently of specific registries, which may be valuable if you use container images from multiple sources.
Anchore sets itself apart from other image-scanning offerings, according to the company, by being open source; by covering more than just common vulnerabilities, such as secrets and misconfigurations; and by offering policy-based compliance tooling.
“Building policy is not a simple task,” Ziouani said. “You need to know what those policies should look like and how to map those policies into actual images, how to blacklist and whitelist, so we had to build a UI that can give you that power.”
Anchore is tightly integrated with Jenkins through a CI/CD plugin that can also be installed on-prem, but is designed to be part of any CI/CD pipeline, Ziouani said.
The Jenkins blog contains a post by Nurmi explaining how the two work together.
“Anchore is flexible enough you can tap into it directly with CLI, an API interface or tap into it through CI/CD. … If you download an image, before it goes to test, Anchore goes in the middle. It becomes a gate, if there are CVEs or policy broken, Anchore will say stop or go or warn based on the outcome of inspecting those images,” he said.
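The stop/warn/go gate described in the quote, together with the blacklist/whitelist policy building mentioned earlier, can be shown as a small policy evaluator. This is an added example, not Anchore's policy bundle format or engine: the policy structure, the analysis record, the image name and the CVE identifiers (CVE-0000-000x) are all constructed placeholders.

```python
"""Added example (not Anchore's code): a minimal CI gate that evaluates a
constructed image analysis against a policy and returns stop, warn or go.
The worst triggered rule decides the outcome, and every triggered rule is
reported so the pipeline log explains the verdict. All data is constructed."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Gate outcomes ordered by severity; the worst triggered rule wins.
RANK = {"go": 0, "warn": 1, "stop": 2}


@dataclass
class Analysis:
    """What an image scan hands to the gate (constructed layout)."""
    image: str
    packages: Dict[str, str]                    # package name -> version
    vulns: List[Tuple[str, str, str]]           # (cve_id, package, severity)
    files: List[str]                            # paths found in the image filesystem


@dataclass
class Policy:
    """Constructed policy layout: severity thresholds, blacklist, secrets, whitelist."""
    severity_actions: Dict[str, str]                                    # severity -> action
    blacklisted_packages: Dict[str, str] = field(default_factory=dict)  # package -> action
    secret_path_suffixes: List[str] = field(default_factory=list)       # paths treated as secrets
    whitelisted_cves: List[str] = field(default_factory=list)           # accepted risks, skipped


def evaluate(analysis: Analysis, policy: Policy) -> Tuple[str, List[str]]:
    """Return (final_action, reasons) for one image against one policy."""
    findings: List[Tuple[str, str]] = []  # (action, human-readable reason)

    for cve, pkg, severity in analysis.vulns:
        if cve in policy.whitelisted_cves:
            continue  # explicitly accepted risk; not counted against the image
        action = policy.severity_actions.get(severity, "go")
        if action != "go":
            version = analysis.packages.get(pkg, "?")
            findings.append((action, f"{cve} ({severity}) in {pkg} {version}"))

    for pkg, action in policy.blacklisted_packages.items():
        if pkg in analysis.packages:
            findings.append((action, f"blacklisted package {pkg} present"))

    for path in analysis.files:
        if any(path.endswith(s) for s in policy.secret_path_suffixes):
            findings.append(("stop", f"possible secret material at {path}"))

    final = max((a for a, _ in findings), key=RANK.get, default="go")
    return final, [f"{a.upper()}: {r}" for a, r in findings]


# Constructed sample policy: stop on high/critical, warn on medium, ignore low.
SAMPLE_POLICY = Policy(
    severity_actions={"critical": "stop", "high": "stop", "medium": "warn", "low": "go"},
    blacklisted_packages={"telnet": "stop", "netcat": "warn"},
    secret_path_suffixes=["id_rsa", ".env", ".pem"],
    whitelisted_cves=["CVE-0000-0002"],  # constructed id for an accepted risk
)

# Constructed sample analysis of one image build.
SAMPLE_ANALYSIS = Analysis(
    image="registry.example/app:1.1",  # constructed image reference
    packages={"openssl": "1.1.0g-2", "netcat": "1.10-41", "flask": "0.12.2"},
    vulns=[("CVE-0000-0001", "openssl", "medium"),
           ("CVE-0000-0002", "openssl", "high"),  # whitelisted above, so skipped
           ("CVE-0000-0003", "flask", "low")],
    files=["/app/app.py", "/root/.ssh/id_rsa"],
)

if __name__ == "__main__":
    verdict, reasons = evaluate(SAMPLE_ANALYSIS, SAMPLE_POLICY)
    print(f"{SAMPLE_ANALYSIS.image}: {verdict.upper()}")
    for reason in reasons:
        print("  " + reason)
```

In a pipeline the returned action maps to the job's exit status (only "go" lets the build proceed, "warn" proceeds but is logged, "stop" fails the stage), which is what makes the scan a gate rather than a report. The whitelist shows why accepted risks must be recorded per identifier rather than by suppressing a severity level: the other findings on the same package are still evaluated.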
In April, Anchore announced a strategic partnership with stackArmor, a Washington, DC-based company focused on cloud migration, management and cybersecurity and compliance services for highly regulated industries such as government, healthcare and financial services.