Older versions of this plugin may not be safe to use. Please review the following warnings before using an older version:
Anchore is a container inspection and analytics platform that enables operators to analyze, inspect, perform security scans, and evaluate custom policies against container images. The Anchore plugin can be used in a Pipeline job or added as a build step to a Freestyle job to automate the process of running an anchore analysis, evaluating custom anchore policies against images, and performing image anchore security scans.
Anchore has been designed to plug seamlessly into the CI/CD workflow. A developer commits code into the source code management system. This change triggers Jenkins to start a build which creates a container image.
In the typical workflow this container image is then run through automated testing. If an image does not meet your organization’s requirements for security or compliance then it makes little sense to invest the time required to perform automated tests on the image, it would be better to “learn fast” by failing the build and returning the appropriate reports back to the developer to allow the issue to be addressed.
The plugin uses Anchore Engine to scan a container image. It interacts with Anchore Engine over the published API. The usage model generally conforms to the following flow:
- A Jenkins job will build a container image, and push the image to a registry that is pre-configured in the Anchore Engine (see pre-requisites below)
- The anchore build step will interact with the Anchore Engine by 'adding' the image (which instructs the Anchore Engine to pull the image from the registry), and then performing a policy evaluation check on the image. The build step can optionally be configured to fail the build if the policy evaluation results in a 'STOP' action.
- the plugin will store the resulting policy evaluation results with the job, for later inspection/review
The plugin can be used in Freestyle and Pipeline jobs.
Before getting started
- Anchore Engine must be installed within your environment, with its service API being accessible from all Jenkins workers. Click here to get started with Anchore Engine
- A docker registry must exist and be configured within Anchore Engine, as the plugin will be instructing the Anchore Engine to pull images from a registry.
- All authentication credentials/Anchore Engine API endpoint information must be available as input to the plugin at configuration time.
Once the plugin is installed, configure the plugin to interact with Anchore Engine in Jenkins global settings or at build time.
Anchore plugin is published in the Jenkins plugin registry. Follow this guide and install Anchore Container Image Scanner Plugin
Configuring the plugin in Jenkins global settings makes it available to any Jenkins build using the plugin. The plugin can also be configured at the build time which overrides the global settings if any. The build time overrides are applicable only to the specific build
For global settings, go to the Manage Jenkins > Configure System view and look for Anchore Container Image Scanner section
- Input Engine URL to point to your Anchore Engine installation
Note: Ensure that the /v1 route is included in the URL
- Input Anchore Engine account username and password for Engine Username and Engine Password respectively
- (Optional) If the Anchore Engine uses a user created certificate that is not signed by a standard certificate authority then select uncheck Verify SSL
- (Optional) For a verbose log of plugin execution check Enable DEBUG logging
The Anchore plugin can be added a build step for a Freestyle or Pipeline build. Typically the flow is as follows.
A Jenkins job will:
- Build a container image
- Push the image to a Docker Registry, typically a staging registry for QA
- Use Anchore plugin in a Pipeline job or add Anchore Container Image
Scanner build step to a Freestyle job to instruct the Anchore Engine
to analyze the image
- Anchore Engine downloads (pulls) the image layers from the staging registry
- Anchore Engine performs analysis on the image
- Anchore Engine performs a policy evaluation on the image. 4.The Anchore plugin polls the Anchore Engine for a user defined period until the analysis and policy evaluation is complete 5.Based on user configuration, the Anchore pkygub may fail the build in the case of a Policy violation or allow the built to continue with warnings.
When run, the Anchore plugin will look for a file named anchore_images in the project workspace. This file should contain the name(s) of containers to be scanned and optionally include the Dockerfile.
In the example below an Execute Shell build step is used to build and push a container image to a local registry.
TAG=$(date "+%H%M%S%d%m%Y")
IMAGENAME=build.example.com/myapp
docker build -t $IMAGENAME:$TAG .
docker push $IMAGENAME:$TAG
We will add a single line to create the anchore_images file that is read by the Anchore plugin
Note: Multiple lines can be added if the build produces more than a single container image.
TAG=$(date "+%H%M%S%d%m%Y")
IMAGENAME=build.example.com/myapp
docker build -t $IMAGENAME:$TAG .
docker push $IMAGENAME:$TAG
# Line added to create anchore_images file
echo "$IMAGENAME:$TAG ${WORKSPACE}/Dockerfile " > anchore_images
After the image has been built and pushed to the staging registry the Anchore plugin should be invoked.
Dropdown Add build step and select the Anchore Container Image Scanner
A new build step labeled Anchore Build Options will appear in your job
The plugin creates an Anchore Report directory that includes a JSON file with the results of the policy evaluation.
The status of the scan status is indicated in the build summary (GO = Pass, STOP = Fail, WARN=Warning)
Clicking on the Anchore Report link will render the vulnerabilities and policy evaluation in the Jenkins web UI
Following is a sample code snippet for using Anchore plugin in a pipeline script. For more options refer to Pipeline Syntax and try the Snippet Generator
node {
def imageLine = 'debian:latest'
writeFile file: 'anchore_images', text: imageLine
anchore name: 'anchore_images'
}