In Anchore, image scanning is the process of comparing the contents of a container image with vulnerability information to determine if any vulnerabilities are present in the image. Specific vulnerabilities are identified by CVE (Common Vulnerabilities and Exposures) and affected image artifacts are identified by CPE (Common Platform Enumeration). The output of the scanning process is a list of all vulnerable image artifacts and their corresponding CVEs.
It is important to keep in mind that, in Anchore, image scanning (the identification of vulnerable artifacts in a container image) is distinct from image evaluation (the determination of whether an image complies with organizational policies). See this Knowledge Base article for more information about image evaluation.
Software Bill of Materials
Scanning is not performed against the container image itself. Instead, the scan is run against the Software Bill of Materials (SBOM) that has been generated from the image. In Anchore, the process of creating an SBOM from a container image is called analysis. To create the SBOM, Anchore unpacks the image and its individual layers in order to identify and categorize every artifact the image contains. The resulting catalog of artifacts, the SBOM, is optimized for scanning and stored in Anchore's catalog database. Anchore's SBOM provides two major benefits:
- The SBOM only needs to be created once per image digest. Once created, the same SBOM can be scanned repeatedly as vulnerability information is updated without the need to re-analyze the image.
- Creating an SBOM from an image can be a slow and resource-intensive process, but scanning an existing SBOM for vulnerabilities is quick and lightweight.
In Anchore, a feed is an external source of vulnerability information. Anchore Open Source provides information from multiple public feeds. Anchore Enterprise provides information from public as well as proprietary feeds. Anchore polls feed sources for updates on a regular interval (every six hours by default) to ensure the latest vulnerability data is available for image scanning. Users may customize feed settings by editing Anchore's config.yaml file.
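The two points above (an SBOM is built once per image digest and re-scanned as feed data changes) are easy to see in a small model of the matching step. The following is an added, constructed example, not Anchore's code: CPE strings in a fixed SBOM are matched against two successive feed snapshots, with vendor, product, version and CVE identifiers all made up for illustration, and version comparison simplified to dotted numeric versions.

```python
# Constructed example (not Anchore's code): minimal SBOM-versus-feed matching.
# The SBOM is built once; each feed update is matched against the same SBOM.
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str        # CVE identifier as published by the feed
    vendor: str     # CPE vendor component of the affected product
    product: str    # CPE product component of the affected product
    fixed_in: str   # first non-vulnerable version ("" = no fix known)


def parse_cpe(cpe: str) -> tuple[str, str, str]:
    """Return (vendor, product, version) from a CPE 2.3 formatted string."""
    parts = cpe.split(":")
    if len(parts) < 6 or parts[:2] != ["cpe", "2.3"]:
        raise ValueError(f"not a CPE 2.3 string: {cpe!r}")
    return parts[3], parts[4], parts[5]


def version_key(version: str) -> tuple[int, ...]:
    """Comparable tuple; assumption: purely dotted numeric versions."""
    return tuple(int(p) for p in version.split("."))


def scan(sbom: list[str], feed: list[Vuln]) -> list[tuple[str, str]]:
    """Match each SBOM artifact (a CPE) against the feed records.

    Returns sorted (artifact CPE, CVE) pairs for artifacts whose version is
    below the feed's fixed_in version, or for which no fix is published.
    """
    findings = []
    for cpe in sbom:
        vendor, product, version = parse_cpe(cpe)
        for v in feed:
            if (v.vendor, v.product) != (vendor, product):
                continue
            if not v.fixed_in or version_key(version) < version_key(v.fixed_in):
                findings.append((cpe, v.cve))
    return sorted(findings)


# Constructed SBOM for one image digest (vendors, products, versions made up).
SBOM = [
    "cpe:2.3:a:example:libfoo:1.2.3:*:*:*:*:*:*:*",
    "cpe:2.3:a:example:libbar:2.0.0:*:*:*:*:*:*:*",
]
# Feed at first sync, then a later sync that adds an advisory with no fix yet.
FEED_V1 = [Vuln("CVE-0000-0001", "example", "libfoo", "1.2.4")]
FEED_V2 = FEED_V1 + [Vuln("CVE-0000-0002", "example", "libbar", "")]
```

Scanning `SBOM` against `FEED_V1` and then `FEED_V2` yields one and then two findings without the image being analyzed again.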
Anchore Enterprise Feed Design
- Drivers – communicate with upstream sources, fetch their data and normalize it for Anchore
- Database – stores the current state of the normalized data for serving via the API
- API – serves the data to client services, supporting update-only fetches
Specific feed sources include:
- Security advisories from specific Linux distribution vendors for distribution-specific packages:
  - Alpine Linux
  - Oracle Linux
  - Red Hat Enterprise Linux
  - Red Hat Universal Base Image (UBI)
  - Amazon Linux 2
  - Google Distroless
- Software Package Repositories:
  - NIST National Vulnerability Database (NVD)
- Because they provide a detailed catalog of image artifacts, SBOMs are very useful in a Configuration Management context.
- In rare situations, it may be desirable to override or augment the list of artifacts Anchore discovers during image analysis. Anchore provides a content hints feature that allows you to make such modifications to the image SBOM. For more information, review this document.
- Monitor feed status to ensure all feed sources remain available and are updated regularly. Feeds may be monitored using the web UI, the API, or the CLI.