| 1 | +# Codefresh Anchore Plugin |
| 2 | + |
| 3 | +Anchore is a service that analyzes Docker images and generates a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files, and language modules and artifacts. Anchore policies can they be defined to govern security vulnerabilities, package whitelists and blacklists, configuration file contents, presence of credentials in image, manifest changes, exposed ports or any user defined checks. These policies can be deployed site wide or customized for specific images or categories of applications. |
| 4 | + |
| 5 | +For more information view the github repo here: https://github.com/anchore/anchore-engine |
| 6 | + |
| 7 | +## Prerequisites |
| 8 | + |
| 9 | +- Codefresh subscription |
| 10 | +- Running Anchore Engine service |
| 11 | + |
| 12 | +### Reference |
| 13 | + |
| 14 | +- Example `codefresh.yml`: https://raw.githubusercontent.com/valancej/plugins/master/plugins/anchore/codefresh.yml |
| 15 | +- Github repo containing Dockerfile: https://github.com/valancej/node_critical_fail |
| 16 | +- Anchore Documentation: https://anchore.freshdesk.com/support/home |
| 17 | +- Anchore CLI Image: https://hub.docker.com/r/anchore/engine-cli/ |
| 18 | + |
| 19 | +## Example |
| 20 | + |
| 21 | +In this example, we will scan an image built by Codefresh. Depending on the result of the Anchore policy evaluation, we will choose to push the image to Dockerhub or not. |
| 22 | + |
| 23 | +### Setup |
| 24 | + |
| 25 | +The example setup is described below. |
| 26 | + |
| 27 | +### Environment Variables |
| 28 | + |
| 29 | +These environment variables can be set within Codefresh pipeline configuration. |
| 30 | + |
| 31 | +Name|Required|Description |
| 32 | +---|---|--- |
| 33 | +ANCHORE_CLI_URL|Yes|The address of the Anchore server |
| 34 | +ANCHORE_CLI_USER|Yes|Anchore account name |
| 35 | +ANCHORE_CLI_PASS|Yes|Anchore account password |
| 36 | +ANCHORE_FAIL_ON_POLICY|No|Fail build if policy evaluation fails |
| 37 | +QA_IMAGE|No|Image built and scanned |
| 38 | +dockerhubUsername|No|Dockerhub account name |
| 39 | +dockerhubPassword|No|Dockerhub account password |
| 40 | + |
| 41 | +### Codefresh.yml |
| 42 | + |
| 43 | +```yaml |
| 44 | +version: '1.0' |
| 45 | +steps: |
| 46 | + MyDockerImage: |
| 47 | + title: Building Docker Image |
| 48 | + type: build |
| 49 | + image_name: ${{QA_IMAGE}} |
| 50 | + working_directory: ./ |
| 51 | + tag: latest |
| 52 | + dockerfile: Dockerfile |
| 53 | + metadata: |
| 54 | + set: |
| 55 | + - QA: Pending Anchore scan before push to Dockerhub.. |
| 56 | + ScanMyImage: |
| 57 | + title: Scanning Docker Image |
| 58 | + image: anchore/engine-cli:latest |
| 59 | + commands: |
| 60 | + - echo "Scanning image with Anchore" |
| 61 | + - anchore-cli image add ${{QA_IMAGE}} |
| 62 | + - echo "Waiting for analysis to complete" |
| 63 | + - anchore-cli image wait ${{QA_IMAGE}} |
| 64 | + - echo "Analysis complete" |
| 65 | + - if [ "${{ANCHORE_FAIL_ON_POLICY}}" == "true" ] ; then anchore-cli evaluate check ${{QA_IMAGE}}; fi |
| 66 | + PushImage: |
| 67 | + title: Pushing Docker Image |
| 68 | + description: Pushing Docker Image to Dockerhub... |
| 69 | + type: push |
| 70 | + candidate: '${{MyDockerImage}}' |
| 71 | + image_name: jvalance/node_critical_fail |
| 72 | + tag: latest |
| 73 | + registry: docker.io |
| 74 | + credentials: |
| 75 | + username: '${{dockerhubUsername}}' |
| 76 | + password: '${{dockerhubPassword}}' |
| 77 | +``` |
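Review bot: the policy gate in `ScanMyImage` only blocks the push when `ANCHORE_FAIL_ON_POLICY` is set to `true`; since the table marks that variable as optional, a pipeline that leaves it unset never runs `anchore-cli evaluate check` and `PushImage` publishes the image regardless of the evaluation result, which contradicts the stated intent of deciding whether to push based on the policy outcome. Either run the evaluation unconditionally or document that the gate is opt-in and show `ANCHORE_FAIL_ON_POLICY: "true"` in the example. Smaller points in the same block: `[ "${{ANCHORE_FAIL_ON_POLICY}}" == "true" ]` relies on the bash-only `==` (use `=` so it also works under a POSIX `sh` in the `anchore/engine-cli` image), and `PushImage` hardcodes `image_name: jvalance/node_critical_fail` while the build step uses `${{QA_IMAGE}}`, so the scanned image and the pushed name can silently diverge. On documentation: `anchore-cli image add ${{QA_IMAGE}}` only works if the Anchore Engine can pull that reference from a registry it has credentials for, so the README should state what registry reference `QA_IMAGE` must resolve to, and the environment-variable table should note that `ANCHORE_CLI_PASS` and `dockerhubPassword` are secrets that belong in Codefresh's encrypted variables rather than plain pipeline configuration. One typo in the intro paragraph: "policies can they be defined" should read "policies can then be defined".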