Ecosyste.ms: Awesome
An open API service indexing awesome lists of open source software.
https://github.com/anchore/anchore-engine
A service that analyzes docker images and scans for vulnerabilities
anchore-engine containers docker docker-image dockerhub python security static-analysis vulnerabilities whitelist
Last synced: 3 months ago
- Host: GitHub
- URL: https://github.com/anchore/anchore-engine
- Owner: anchore
- License: apache-2.0
- Archived: true
- Created: 2017-09-06T18:47:20.000Z (over 7 years ago)
- Default Branch: master
- Last Pushed: 2023-01-26T23:58:18.000Z (almost 2 years ago)
- Last Synced: 2024-09-25T01:33:16.077Z (3 months ago)
- Topics: anchore-engine, containers, docker, docker-image, dockerhub, python, security, static-analysis, vulnerabilities, whitelist
- Language: Python
- Homepage:
- Size: 178 MB
- Stars: 1,580
- Watchers: 53
- Forks: 271
- Open Issues: 249
Metadata Files:
- Readme: README.md
- Changelog: CHANGELOG.md
- Contributing: CONTRIBUTING.rst
- License: LICENSE
Awesome Lists containing this project
- DevSecOps - https://github.com/anchore/anchore-engine (Containers)
- awesome-repositories - anchore/anchore-engine - A service that analyzes docker images and scans for vulnerabilities (Python)
- awesome-cloud-security - Anchore Engine
README
# Anchore Engine [![CircleCI](https://circleci.com/gh/anchore/anchore-engine/tree/master.svg?style=svg)](https://circleci.com/gh/anchore/anchore-engine/tree/master)
**IMPORTANT NOTE**
As of 2023, Anchore Engine is no longer maintained. There will be no future versions released. Users are advised to use [Syft](https://github.com/anchore/syft) and [Grype](https://github.com/anchore/grype).
For users interested in a supported commercial solution for container scanning and compliance, [schedule a demo](https://get.anchore.com/demo-request/) to see Anchore Enterprise’s broad set of enterprise capabilities including SBOM management, vulnerability management, and compliance management.
**About**
Anchore Engine is an open-source project that provides a centralized service for inspection, analysis, and certification of container images. Anchore Engine is provided as a Docker container image that can be run standalone or within an orchestration platform such as Kubernetes, Docker Swarm, Rancher, Amazon ECS, and other container orchestration platforms.
With a deployment of Anchore Engine running in your environment, container images are downloaded and analyzed from Docker V2 compatible container registries and then evaluated against a vulnerability database.
Historical documentation is available at [Anchore Documentation](https://engine.anchore.io).
Anchore Engine can be accessed directly through a RESTful API or via the Anchore [CLI](https://github.com/anchore/anchore-cli).
**Supported Operating Systems**
- Alpine
- Amazon Linux 2
- CentOS
- Debian
- Google Distroless
- Oracle Linux
- Red Hat Enterprise Linux
- Red Hat Universal Base Image (UBI)
- Ubuntu

**Supported Packages**
- GEM
- Java Archive (jar, war, ear)
- NPM
- Python (PIP)
- Go Modules
## Installation
There are several ways to get started with Anchore Engine. For the latest information on quickstart and full production installation with docker-compose, Helm, and other methods, please visit:
- [Anchore Engine Installation](https://engine.anchore.io/docs/install/)
The Anchore Engine is distributed as a [Docker Image](https://hub.docker.com/r/anchore/anchore-engine/) available from DockerHub.
## Quick Start (TLDR)
See [documentation](https://engine.anchore.io/docs/quickstart/) for the full quickstart guide.
To quickly bring up an installation of Anchore Engine on a system with docker (and docker-compose) installed, follow these simple steps:
```
curl https://engine.anchore.io/docs/quickstart/docker-compose.yaml > docker-compose.yaml
docker-compose up -d
```
Once the Engine is up and running, you can begin to interact with the system using the CLI.
## Getting Started using the CLI
The [Anchore CLI](https://github.com/anchore/anchore-cli) is an easy way to control and interact with the Anchore Engine.
The Anchore CLI can be installed using the Python pip command, or by running the CLI from the [Anchore Engine CLI](https://hub.docker.com/r/anchore/engine-cli) container image. See the [Anchore CLI](https://github.com/anchore/anchore-cli) project on Github for code and more installation options and usage.
## CLI Quick Start (TLDR)
By default, the Anchore CLI tries to connect to the Anchore Engine at http://localhost:8228/v1 with no authentication.
The username, password, and URL for the server can be passed to the Anchore CLI as command-line arguments:
```
--u   TEXT   Username     eg. admin
--p   TEXT   Password     eg. foobar
--url TEXT   Service URL  eg. http://localhost:8228/v1
```
Rather than passing these parameters for every call to the tool, they can also be set as environment variables:
```
ANCHORE_CLI_URL=http://myserver.example.com:8228/v1
ANCHORE_CLI_USER=admin
ANCHORE_CLI_PASS=foobar
```
Add an image to the Anchore Engine:
```
anchore-cli image add docker.io/library/debian:latest
```
Wait for the image to move to the 'analyzed' state:
```
anchore-cli image wait docker.io/library/debian:latest
```
List images analyzed by the Anchore Engine:
```
anchore-cli image list
```
Get image overview and summary information:
```
anchore-cli image get docker.io/library/debian:latest
```
List feeds and wait for at least one vulnerability data feed sync to complete. The first sync can take some time (20-30 minutes); after that, syncs will only merge deltas.
```
anchore-cli system feeds list
anchore-cli system wait
```
Obtain the results of the vulnerability scan on an image:
```
anchore-cli image vuln docker.io/library/debian:latest os
```
List operating system packages present in an image:
```
anchore-cli image content docker.io/library/debian:latest os
```
## API
For the external API definition (the user-facing service), see [External API Swagger Spec](https://github.com/anchore/anchore-engine/blob/master/anchore_engine/services/apiext/swagger/swagger.yaml). If you have Anchore Engine running, you can also review the Swagger by directing your browser at http://:8228/v1/ui/ (NOTE: the trailing slash is required for the embedded swagger UI browser to be viewed properly).
Each service implements its own API, and all APIs are defined in Swagger/OpenAPI spec. You can find each in the _anchore_engine/services/\/api/swagger_ directory.
## More Information
For further details on the use of the Anchore CLI with the Anchore Engine, please refer to the [Anchore Engine Documentation](https://engine.anchore.io/).
## Developing
This repo was reformatted using [Black](https://black.readthedocs.io/en/stable/) in Nov. 2020. This commit can
be ignored in your local environment when using `git blame` since it impacted so many files. To ignore the commit you need
to configure git-blame to use the provided file: .git-blame-ignore-revs as a list of commits to ignore for blame.
Set your local git configuration to use the provided file by running this from within the root of this source tree:
`git config blame.ignoreRevsFile .git-blame-ignore-revs`