{"id":18524574,"url":"https://github.com/stelligent/aws-anchore-engine-scanner","last_synced_at":"2025-04-09T12:30:57.209Z","repository":{"id":145834882,"uuid":"218666574","full_name":"stelligent/aws-anchore-engine-scanner","owner":"stelligent","description":"This guide details steps and procedures you can follow to create, launch and implement your own standalone container scanning solution within AWS ecosystem. This approach uses an opensource container scanning tool called Anchore Engine as a proof-of-concept and provides examples of how Anchore integrates with your favorite CI/CD systems orchestration platforms.","archived":false,"fork":false,"pushed_at":"2020-01-17T20:05:59.000Z","size":984,"stargazers_count":9,"open_issues_count":0,"forks_count":3,"subscribers_count":4,"default_branch":"master","last_synced_at":"2025-03-24T05:34:47.982Z","etag":null,"topics":["anchore-cli","anchore-engine","aws","container-security","devops","devsecops","docker","ecs"],"latest_commit_sha":null,"homepage":"","language":"Python","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/stelligent.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":null,"funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":null,"security":null,"support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null}},"created_at":"2019-10-31T02:19:00.000Z","updated_at":"2023-11-01T09:33:58.000Z","dependencies_parsed_at":"2023-05-05T19:36:06.933Z","dependency_job_id":null,"html_url":"https://github.com/stelligent/aws-anchore-engine-scanner","commit_stats":null,"previous_names":[],"tags_count":0,"template":false,"template_full_name":null,"repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Faws-anchore-en
gine-scanner","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Faws-anchore-engine-scanner/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Faws-anchore-engine-scanner/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/stelligent%2Faws-anchore-engine-scanner/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/stelligent","download_url":"https://codeload.github.com/stelligent/aws-anchore-engine-scanner/tar.gz/refs/heads/master","host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":248040100,"owners_count":21037815,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["anchore-cli","anchore-engine","aws","container-security","devops","devsecops","docker","ecs"],"created_at":"2024-11-06T17:42:32.491Z","updated_at":"2025-04-09T12:30:57.203Z","avatar_url":"https://github.com/stelligent.png","language":"Python","readme":"# aws-anchore-engine-scanner\n\nThis guide details steps and procedures you can follow to create, launch and implement your own standalone container scanning solution within the AWS ecosystem. 
This approach uses an open-source container scanning tool called [Anchore Engine](https://anchore.com/) as a proof of concept and provides examples of how Anchore integrates with your favorite CI/CD and orchestration platforms.\n\nFor a more detailed overview of Anchore Engine concepts, see the [Anchore overview](https://docs.anchore.com/current/docs/overview/).\n\n## Architecture\n\nThis guide installs Anchore Engine on AWS. The diagram below shows the high-level architecture of the deployment.\n\n![Anchore-Engine High-Level Architecture](https://github.com/stelligent/aws-anchore-engine-scanner/blob/master/docs/AWS%20anchore%20engine.jpg)\n\n## Getting Started\n\nBefore running any commands, review the [prerequisites](#Prerequisites) section to make sure the required packages and software are installed.\n\n### Prerequisites\n\nEnsure that the following are installed or configured on your workstation before deploying Anchore Engine:\n\n- [Docker](https://www.docker.com/)\n- Git\n- AWS CLI\n- [Make](https://www.gnu.org/software/make/manual/html_node/index.html#Top)\n- GitHub personal access token (stored as an SSM parameter)\n\n### Installation\n\nClone this [GitHub repository](https://github.com/stelligent/aws-anchore-engine-scanner). Configure and set up your AWS CLI.\n\n#### Setup Credentials\n\nIf MFA is configured on your AWS account, run the following command and supply a value for each variable. 
Otherwise, configure your AWS session on your workstation as described in [Configuring the AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/cli-chap-configure.html).\n\n```make\nmake get-cred \\\n    ACCOUNT_ID=\u003cyour-aws-account-id\u003e \\\n    USERNAME=\u003cyour-aws-username\u003e \\\n    PROFILE=\u003cyour-aws-profile\u003e \\\n    REGION=\u003caws-target-region\u003e \\\n    TOKEN=\u003cauth-generated-token\u003e\n\n```\n\n##### Example\n\n```make\nmake get-cred \\\n    ACCOUNT_ID=123456789012 \\\n    USERNAME=johndoe \\\n    PROFILE=stelligent \\\n    REGION=us-east-2 \\\n    TOKEN=123456\n\n```\n\n#### Setup production environment\n\nBuild your deployment environment with Docker.\n\n```make\nmake build\n```\n\nThis builds the local Docker image used to deploy and launch Anchore Engine. It installs the packages defined in the `Dockerfile` and the Python packages listed in `requirements.pip`.\n\n#### Setup test environment\n\nBuild a test environment in Docker by running:\n\n```make\nmake build-test\n```\n\nThis test image provides a local environment for running the test suite and a quick development environment for troubleshooting. It installs the additional Python packages listed in `requirements-test.pip`.\n\n### Deployments\n\nThis deployment comprises the following AWS resources:\n\n 1. Amazon Elastic Container Registry (ECR) Repository\n 2. Amazon VPC\n    - Two public subnets\n    - Two private subnets\n    - NAT gateways to allow internet access for services in private subnets\n    - Internet Gateway\n    - Security Groups\n 3. Amazon Application Load Balancer\n    - Load Balancer\n    - Listeners\n    - Target Groups\n 4. Amazon EC2\n    - AutoScaling Group\n    - CloudWatch\n    - AWS IAM\n 5. Amazon Elastic Container Service\n    - Cluster\n    - Services\n    - Task Definitions\n 6. 
AWS CodePipeline\n\nThe application launches Anchore Engine and sets up CodePipeline to scan images for vulnerabilities automatically.\n\n#### Build the Anchore-Engine Docker Image\n\nFirst, create an Amazon Elastic Container Registry repository to host your Anchore Engine Docker image. Then build the anchore-engine image on your workstation and push it to the ECR repository. Both steps are performed by the following make command.\n\n```make\nmake push-image ACCOUNT_ID=\u003cyour-aws-account-id\u003e\n```\n\n#### Deploy Anchore-Engine Server\n\nThe following command uses the `index.py` Python module as its entry point: it generates CloudFormation templates with the [troposphere](https://github.com/cloudtools/troposphere/tree/master/troposphere) template generator and launches one stack for each of these resource groups: VPC, ALB, EC2, and ECS.\n\nRun this make command:\n\n```make\nmake deploy-stacks\n```\n\nThe parameters for each stack are read from the accompanying `YAML` configuration files in the `configs` folder. 
These `YAML` files provide each CloudFormation stack's parameters at deployment time, as shown below.\n\n```yaml\n---\n# VPC\n- region: us-east-2\n  resource_name: ANCHORE-VPC\n  template_file: anchore_vpc.yml\n  parameters:\n    Environment: DEMO\n    VPCCIDRBlock: 10.0.0.0/16\n    PublicSubnet1CIDRBlock: 10.0.0.0/24\n    PrivateSubnet1CIDRBlock: 10.0.1.0/24\n    PublicSubnet2CIDRBlock: 10.0.2.0/24\n    PrivateSubnet2CIDRBlock: 10.0.3.0/24\n\n# ALB\n- region: us-east-2\n  resource_name: ANCHORE-ALB\n  template_file: anchore_alb.yml\n  parameters:\n    Environment: DEMO\n    Subnet1: PUBLIC-SUBNET-1\n    Subnet2: PUBLIC-SUBNET-2\n    VpcId: VPCID\n    CIDRBLK: 10.0.0.0/8\n\n# EC2\n- region: us-east-2\n  resource_name: ANCHORE-EC2-INSTANCE\n  template_file: anchore_ec2_cluster.yml\n  parameters:\n    Environment: DEMO\n    AmiId: ami-0653e888ec96eab9b\n    ClusterSize: '2'\n    InstanceType: m4.large\n    KeypairName: anchore_demo\n    CIDRBLK: 10.0.0.0/8\n    OpenCIDR: 0.0.0.0/0\n\n# ECS\n- region: us-east-2\n  resource_name: ANCHORE-ECS\n  template_file: anchore_ecs.yml\n  parameters:\n    Environment: DEMO\n    TargetGroup: TARGETGROUP-ARN\n    AnchoreEngineImage: anchore-engine-Image\n    ArchoreDatabaseImage: 'postgres:9'\n    PGDATA: '/var/lib/postgresql/data/pgdata/'\n    AnchoreDBPassword: mypgpassword\n\n```\n\nThe values shown are demo defaults: `AnchoreDBPassword` is stored as plaintext in the config file, `CIDRBLK` is `10.0.0.0/8` while the VPC itself is `10.0.0.0/16`, and `OpenCIDR` is `0.0.0.0/0`, i.e. every IPv4 address. Change the password and narrow the CIDR values before deploying outside a demo.\n\n#### Launch a sample pipeline to integrate Anchore-Engine scanning using CodePipeline\n\nYour pipeline can scan either publicly available images or private registry images once the client environment is configured with the `anchore-cli` client. For detailed information on installation, setup and CLI commands, visit the [anchore-cli GitHub repository](https://github.com/anchore/anchore-cli).\n\nFor a quick implementation using AWS CodePipeline with a CodeBuild project as a stage in your pipeline, follow the examples in the `examples` folder. 
The contents of this directory can be copied into the application repository that AWS CodePipeline uses as its source stage.\n\nTo launch a sample pipeline to test Anchore-Engine functionality, run the following command:\n\n```make\nmake pipeline\n```\n\nThis command uses the `pipeline.py` Python module to launch a CloudFormation stack from the `pipeline.yml` template, with a `YAML` configuration file that defines the CloudFormation parameters. Update the provided configuration file `examples/aws-codepipeline/pipeline_configs.yml` with the details of your target application and repository, following the snippet below.\n\n```yaml\n---\n# Example CodePipeline\n- region: us-east-2\n  resource_name: ANCHORE-CLI-PIPELINE\n  template_file: examples/aws-codepipeline/pipeline.yml\n  parameters:\n    Environment: DEMO\n    GitHubAccountName: \u003creplace-with-your-github-account-name\u003e\n    GitHubRepoName: \u003creplace-with-your-github-application-repository\u003e\n    GitHubBranchName: \u003cyour-target-branch\u003e (e.g. master)\n    GitWebHookToken: \u003cyour-stored-ssm-parameter-token-name\u003e (e.g. /demo/github/token)\n    BucketName: \u003cdemo-anchore-engine-pipeline-store\u003e\n\n```\n\nThis stack contains a CodeBuild project as a `Test` stage, which executes the commands defined in the `buildspec.yml` shown below. The buildspec holds the build commands and related settings for building your application image, scanning it for CVEs and issuing a **PASS/FAIL** status based on the scan results. 
If the scan passes, the image is tagged and pushed to a staging repository. Note that, as written, the scan runs against `${SOURCE_IMAGE}` while the image pushed to staging is built from the local `Dockerfile`; to gate the pushed image itself, add and scan that image instead.\n\n```yaml\n# Test Anchore Engine scanning functionality within a pipeline stage\nversion: 0.2\n\nenv:\n  variables:\n    TAG: latest\n    SOURCE_IMAGE: nginx:latest\n    STAGE_REPO_NAME: tested/nginx\n    TESTED_SAMPLE_IMAGE: ${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${STAGE_REPO_NAME}\n\nphases:\n  install:\n    runtime-versions:\n      python: 3.7\n      docker: 18\n    commands:\n      # start a Docker daemon inside the build container and wait until it answers\n      - nohup /usr/local/bin/dockerd --host=unix:///var/run/docker.sock --host=tcp://127.0.0.1:2375 --storage-driver=overlay2\u0026\n      - timeout 15 sh -c \"until docker info; do echo .; sleep 1; done\"\n      - echo Entering the install phase.....\n      - apt-get update -y\n      - apt-get install -y python-pip\n      - pip3 install awscli --upgrade --user\n      - pip install boto3\n      - pip install anchorecli\n\n  pre_build:\n    commands:\n      - echo Image repository setup started on `date`\n      - echo ECR Setup...\n      - echo Logging into AWS ECR...\n      - $(aws ecr get-login --no-include-email --region ${AWS_DEFAULT_REGION})\n      - echo Configure Anchore Client...\n      # ANCHORE_CLI_URL (the engine endpoint) is not set in this file; anchore-cli needs it, so provide it through the CodeBuild project environment\n      # 'foobar' is the Anchore Engine default admin password: change it on the engine and read it from SSM Parameter Store or Secrets Manager rather than committing it here\n      - export ANCHORE_CLI_PASS=foobar\n      - export ANCHORE_CLI_USER=admin\n\n  build:\n    commands:\n      - echo Deployment started on `date`\n      - echo Testing...\n      - anchore-cli --version\n      - anchore-cli --debug system status\n      - anchore-cli --debug image add ${SOURCE_IMAGE}\n      - echo 'Waiting for image to finish analysis'\n      - anchore-cli image wait ${SOURCE_IMAGE}\n      - echo 'Analysis complete'\n      - anchore-cli image vuln ${SOURCE_IMAGE} os\n      # double quotes so the shell expands ANCHORE_SCAN_POLICY; with single quotes the literal text is compared and the policy check never runs\n      - if [ \"${ANCHORE_SCAN_POLICY}\" = \"true\" ] ; then anchore-cli evaluate check ${SOURCE_IMAGE} ; fi\n      - echo Build started on `date`\n      - echo Building Tested Sample Image... 
\n      - docker build -t ${STAGE_REPO_NAME} .\n\n  post_build:\n    commands:\n      - echo \"Tagging image for ECR\"\n      - docker tag ${STAGE_REPO_NAME}:${TAG} ${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${STAGE_REPO_NAME}:${TAG}\n      - echo \"Pushing image to ECR\"\n      - docker push ${ACCOUNT_ID}.dkr.ecr.${AWS_DEFAULT_REGION}.amazonaws.com/${STAGE_REPO_NAME}:${TAG}\n\n```\n\nThe pipeline is triggered once the AWS CloudFormation stack creation is complete. You can log in to the AWS Management Console to monitor the status of the pipeline. The vulnerability scan output is available both in the CodeBuild console and in CloudWatch Logs, and a JSON-formatted result (`anchore-cli --json image vuln ...`) can be extracted for further analysis.\n\n#### Deploy All\n\nRun the following command to deploy all of the resources mentioned above for Anchore Engine.\n\n```make\nmake deploy ACCOUNT_ID=\u003cyour-aws-account-id\u003e\n```\n\nThis command combines the three deployment steps above and launches all resources with a single command, provided the requirements in [prerequisites](#Prerequisites) are met.\n\n#### Clean-Up\n\nRun the following command to tear down all deployed resources in AWS:\n\n```make\nmake teardown\n```\n\n### Testing\n\nRun all tests locally:\n\n```make\nmake test\n```\n\nThis runs unit tests, linting and security checks for each of the deployments.\n\n#### Linting\n\n```make\nmake test-lint\n```\n\nRuns Pylint on every module in this deployment.\n\n#### Template Validation\n\n```make\nmake test-validate\n```\n\nThis runs CloudFormation template linting using [`cfn-lint`](https://pypi.org/project/cfn-lint/), a security scan using [`cfn-nag`](https://github.com/stelligent/cfn_nag), and template validation using [CloudFormation boto3 calls](https://boto3.amazonaws.com/v1/documentation/api/latest/reference/services/cloudformation.html).\n\n#### Security Tests\n\n```make\nmake test-security\n```\n\nRuns security linting of all Python scripts and methods in the deployment files using [`bandit`](https://pypi.org/project/bandit/).\n\n#### Unit Tests\n\n```make\nmake test-unit\n```\n\nRuns Pytest against each function in the `anchore` folder and fails if coverage is below *__95%__*.\n\n#### End-to-End Tests\n\n```make\nmake test-e2e\n```\n\nThis tests the successful deployment of each CloudFormation stack and the anchore-engine account lifecycle. It should be run after the Anchore Engine deployment is up and running.\n\n## Contributing\n\nNone yet\n\n## Versioning\n\nNone yet\n\n## License\n\nMIT License\nCopyright (c) 2019 Mphasis-Stelligent, Inc. https://stelligent.com\n","funding_links":[],"categories":[],"sub_categories":[],"project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstelligent%2Faws-anchore-engine-scanner","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fstelligent%2Faws-anchore-engine-scanner","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fstelligent%2Faws-anchore-engine-scanner/lists"}
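The stack configuration files described under "Deploy Anchore-Engine Server" in the README above carry a plaintext `AnchoreDBPassword`, a `CIDRBLK` of `10.0.0.0/8` against a `10.0.0.0/16` VPC, and an `OpenCIDR` of `0.0.0.0/0`. The following is an added example, not code from the stelligent repository, of a pre-deployment check over that config layout. It assumes the two-level file layout the README shows (a list of stacks, parameters indented four spaces under `parameters:`) and the parameter names from the README's sample (`VPCCIDRBlock`, `CIDRBLK`, `OpenCIDR`, `AnchoreDBPassword`); the embedded sample config is a constructed, trimmed copy of the README's.

```python
"""Pre-deployment check over the stack configuration layout shown in the README.

Added example, not code from the stelligent/aws-anchore-engine-scanner repo.
Handles only the two-level layout of `configs/` (a top-level list of stacks,
each with a `parameters:` map indented four spaces), so no YAML library is
needed. Flags secrets given inline, 0.0.0.0/0 source ranges, and CIDR
parameters broader than the VPC CIDR declared in the same set of files.
"""
import ipaddress
import re
import sys

# Constructed, trimmed copy of the README's configs (parameter names are the README's).
SAMPLE_CONFIG = """\
---
# VPC
- region: us-east-2
  resource_name: ANCHORE-VPC
  template_file: anchore_vpc.yml
  parameters:
    VPCCIDRBlock: 10.0.0.0/16
    PublicSubnet1CIDRBlock: 10.0.0.0/24
- resource_name: ANCHORE-ALB
  parameters:
    CIDRBLK: 10.0.0.0/8
- resource_name: ANCHORE-EC2-INSTANCE
  parameters:
    ClusterSize: '2'
    KeypairName: anchore_demo
    CIDRBLK: 10.0.0.0/8
    OpenCIDR: 0.0.0.0/0
- resource_name: ANCHORE-ECS
  parameters:
    ArchoreDatabaseImage: 'postgres:9'
    AnchoreDBPassword: mypgpassword
"""

SECRET_KEY = re.compile(r"password|passwd|secret|token", re.IGNORECASE)
IPV4_CIDR = re.compile(r"^\d{1,3}(\.\d{1,3}){3}/\d{1,2}$")


def parse_stacks(text):
    """Return [{'region': ..., 'resource_name': ..., 'parameters': {...}}, ...]."""
    stacks = []
    for raw in text.splitlines():
        body = raw.strip()
        if not body or body.startswith("#") or body == "---":
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if body.startswith("- "):            # a new stack entry begins
            stacks.append({"parameters": {}})
            body = body[2:]
        if not stacks:
            raise ValueError("value before the first list entry: %r" % raw)
        key, _, value = body.partition(":")
        key, value = key.strip(), value.strip().strip("'\"")  # '2' and 'postgres:9' are quoted
        if key == "parameters" and not value:
            continue                           # map header, carries no value of its own
        target = stacks[-1]["parameters"] if indent >= 4 else stacks[-1]
        target[key] = value
    return stacks


def check_stacks(stacks):
    """Return (resource_name, parameter, message) tuples for every flagged value."""
    vpcs = [ipaddress.ip_network(s["parameters"]["VPCCIDRBlock"], strict=False)
            for s in stacks if "VPCCIDRBlock" in s["parameters"]]
    findings = []
    for stack in stacks:
        name = stack.get("resource_name", "<unnamed>")
        for key, value in stack["parameters"].items():
            if SECRET_KEY.search(key) and value:
                findings.append((name, key, "secret given inline; resolve it at deploy time from "
                                            "SSM Parameter Store or Secrets Manager and mark the parameter NoEcho"))
            elif IPV4_CIDR.match(value):
                net = ipaddress.ip_network(value, strict=False)
                if net.prefixlen == 0:
                    findings.append((name, key, "0.0.0.0/0 is every IPv4 address; restrict to known source ranges"))
                elif any(net != vpc and net.supernet_of(vpc) for vpc in vpcs):
                    findings.append((name, key, "%s is broader than the VPC CIDR %s"
                                     % (value, ", ".join(str(v) for v in vpcs))))
    return findings


def main(paths):
    """Usage: python3 check_configs.py configs/*.yml (exit 1 when anything is flagged); no args runs the sample."""
    texts = [open(p).read() for p in paths] if paths else [SAMPLE_CONFIG]
    findings = [f for text in texts for f in check_stacks(parse_stacks(text))]
    for name, key, msg in findings:
        print("%s %s: %s" % (name, key, msg))
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it against the files in `configs/` before `make deploy-stacks`; on the README's sample it reports the ALB and EC2 `CIDRBLK` values, the EC2 `OpenCIDR`, and the ECS `AnchoreDBPassword`, and a config that keeps every CIDR within the VPC and passes the password in at deploy time produces no findings.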
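The `buildspec.yml` under "Launch a sample pipeline" in the README above prints the `anchore-cli image vuln` report and leaves PASS/FAIL to `anchore-cli evaluate check`. The following added example (not code from the stelligent repository or from anchore-cli) turns the JSON form of that report into a severity gate with an allowlist, so the CodeBuild stage can fail on fixable High or Critical findings without a custom engine policy. It assumes the report shape printed by `anchore-cli --json image vuln <image> all` (`vulnerabilities` entries carrying `vuln`, `severity`, `package` and `fix`, where `fix` is the string `None` when no fixed version exists); the sample report embedded in the code is constructed with placeholder ids, not real CVEs.

```python
"""Severity gate over an Anchore Engine vulnerability report.

Added example, not code from the stelligent/aws-anchore-engine-scanner repo
or from anchore-cli. Reads the JSON printed by
`anchore-cli --json image vuln <image> all` and decides PASS/FAIL for a
CodeBuild stage. Assumed report shape: {"imageDigest": ..., "vulnerability_type": ...,
"vulnerabilities": [{"vuln", "severity", "package", "fix", "url", ...}, ...]},
with "fix" equal to the string "None" when no fixed version is known.
"""
import json
import sys

# Anchore severity labels, lowest to highest.
SEVERITY_RANK = {"Unknown": 0, "Negligible": 1, "Low": 2, "Medium": 3, "High": 4, "Critical": 5}

# Constructed sample report; the ids are placeholders, not real CVEs.
SAMPLE_REPORT = {
    "imageDigest": "sha256:" + "0" * 64,
    "vulnerability_type": "all",
    "vulnerabilities": [
        {"vuln": "CVE-0000-0001", "severity": "Critical", "package": "libfoo-1.0-1", "fix": "1.0-2", "url": "https://example.invalid/CVE-0000-0001"},
        {"vuln": "CVE-0000-0002", "severity": "High", "package": "libbar-2.3-4", "fix": "None", "url": "https://example.invalid/CVE-0000-0002"},
        {"vuln": "CVE-0000-0003", "severity": "Medium", "package": "baz-0.9-1", "fix": "0.9-2", "url": "https://example.invalid/CVE-0000-0003"},
        {"vuln": "CVE-0000-0004", "severity": "Low", "package": "qux-5.1-1", "fix": "None", "url": "https://example.invalid/CVE-0000-0004"},
    ],
}


def has_fix(finding):
    """True when a fixed package version is known (Anchore reports the string 'None' otherwise)."""
    fix = finding.get("fix")
    return bool(fix) and str(fix).strip().lower() != "none"


def summarize(report):
    """Count findings per severity, e.g. {'Critical': 1, 'High': 1, ...}."""
    counts = {}
    for finding in report.get("vulnerabilities", []):
        severity = finding.get("severity", "Unknown")
        counts[severity] = counts.get(severity, 0) + 1
    return counts


def gate(report, fail_on="High", require_fix=True, allowlist=frozenset()):
    """Return (passed, blocking_findings).

    A finding blocks when its severity is at or above `fail_on`, it is not on the
    allowlist, and (if require_fix) a fixed version exists; an unfixable CVE is
    still visible in summarize() but cannot be cleared by rebuilding the image.
    """
    threshold = SEVERITY_RANK[fail_on]
    blocking = []
    for finding in report.get("vulnerabilities", []):
        if finding.get("vuln") in allowlist:
            continue
        if SEVERITY_RANK.get(finding.get("severity", "Unknown"), 0) < threshold:
            continue
        if require_fix and not has_fix(finding):
            continue
        blocking.append(finding)
    return len(blocking) == 0, blocking


def main(argv):
    """Usage: anchore-cli --json image vuln "$SOURCE_IMAGE" all | python3 gate.py [--fail-on High] [--allow CVE-...]"""
    fail_on, allow, args = "High", set(), list(argv)
    while args:
        flag = args.pop(0)
        if flag == "--fail-on":
            fail_on = args.pop(0)
        elif flag == "--allow":
            allow.add(args.pop(0))
    report = json.load(sys.stdin)
    passed, blocking = gate(report, fail_on=fail_on, allowlist=allow)
    print("severity summary:", summarize(report))
    for finding in blocking:
        print("BLOCK %s %s %s fix=%s" % (finding.get("vuln"), finding.get("severity"),
                                        finding.get("package"), finding.get("fix")))
    print("PASS" if passed else "FAIL")
    return 0 if passed else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

In the buildspec's `build` phase this would sit after `anchore-cli image wait`, piping the JSON report into the script; a non-zero exit fails the CodeBuild stage before `post_build` pushes anything. `--allow` takes the ids a team has consciously accepted, and `require_fix` keeps findings with no available fix from blocking a build that cannot do anything about them.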