In Anchore, the process of assessing whether or not a container image complies with organizational policy is called image evaluation. Organizational policies typically address the presence of vulnerabilities along with other security concerns such as the permissions of the user running the container and any credentials stored in the image. Policies may also dictate requirements such as the presence of healthchecks in Docker files, the use of a specific base image, or which software licenses are acceptable to the organization.
It is important to understand the difference between vulnerability scanning and policy evaluation in Anchore. Vulnerability scanning provides a full report of vulnerable artifacts discovered in an image but makes no determination of whether a vulnerability is acceptable or not. The determination of the acceptability of vulnerabilities and other image attributes is the role of policy evaluation.
Organizational policies are represented in Anchore as policy bundles. A policy bundle includes specific requirements in the form of rules, mappings which apply appropriate rules to individual images, as well as allowlists and blocklists for specific vulnerabilities and images. The policy bundle is applied to images during the evaluation process. The result of evaluation is Pass (the image complies with all policies) or Fail (the image does not comply with one or more policies).
You can create a new policy bundle by copying an existing bundle and then editing the copy. This is often much easier than creating a new bundle from scratch. Policy bundles can also be exported in JSON format for offline editing or for importing into another Anchore account.
Policy Bundle Components
A rule is a specific policy requirement. An example rule may state that no vulnerability with a severity of medium or higher may be present in an image if a fix is available for that vulnerability. However, rules are not limited to vulnerabilities—a rule may state that the Dockerfile for the image must include a healthcheck, or that an image cannot contain the curl package.
A rule consists of a gate, a trigger, parameters, and an action. The gate specifies the general category the rule applies to, such as vulnerabilities, secret scans, packages, and so on.
The trigger specifies which aspect of the gate will be evaluated. For example, for the "vulnerabilities" gate, available triggers are "package", "blacklist", "stale feed data", and "vulnerability data unavailable".
Parameters further refine the selected gate and trigger, which lets rules be as granular as necessary.
The action determines what will result when the rule matches an image. There are three options available for action: Stop, Warn, and Go. A Stop action will result in an overall evaluation result of Fail.
In Anchore, a policy is a collection of one or more rules. A policy bundle must contain at least one policy, but more often contains multiple policies. Policies provide a way to organize related rules into a logical group. More importantly, policies are referenced by mappings to determine which rules should apply to which images.
Policy bundles include one or more allowlists which provide a means of excluding specific CVEs from policy evaluation. If you know a specific CVE may be detected in your image but have determined that it does not present a security concern, you can add the CVE to an allowlist so the presence of the CVE will not cause image evaluation to fail.
As mentioned previously, mappings determine which policies and allowlists apply to which images. A policy bundle may contain multiple mappings, and each mapping may contain multiple policies and allowlists.
Target images for the mapping are identified by registry, repository and tag. Globbing is supported.
When an image is submitted for evaluation, it is compared to each mapping in order until a match is found. The evaluation proceeds based on the matched mapping, and no further matching is attempted.
If specific images should always pass, or always fail, evaluation, they can be added to the policy bundle's image allowlist and blocklist, respectively. No specific policy evaluations are made for images on these lists.
Each account in an Anchore deployment may have multiple policy bundles. However, only a single bundle, the active bundle, is used for policy evaluation. When an image is evaluated, policies are applied to the image based on mappings. All rules which match image contents are listed in the compliance report along with their respective actions.
If any matched rule has a Stop action, the Policy Result is Failed and the Final Action is Stop. If no matched rule has a Stop action, but at least one has a Warn action, the Policy Result is Passed and the Final Action is Warn. Finally, if no matched rule has a Stop or Warn action, the Policy Result is Passed and the Final Action is Go.
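The mapping selection, CVE allowlist and Stop/Warn/Go resolution described above, worked through as an added Python example that is not Anchore's own code or bundle format. It models a cut-down bundle with illustrative keys (one mapping with globbed registry, repository and tag, one CVE allowlist, and two rules), then evaluates a constructed image report against it; the image allowlist and blocklist from the bundle are not modelled, and the treatment of an image that matches no mapping is an assumption.

```python
import fnmatch

SEVERITY = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
BUNDLE = {  # constructed, simplified bundle: keys are illustrative, not Anchore's real bundle schema
    "policies": {"prod": [
        {"gate": "vulnerabilities", "trigger": "package", "action": "STOP",
         "params": {"min_severity": "medium", "fix_available": True}},
        {"gate": "dockerfile", "trigger": "no_healthcheck", "params": {}, "action": "WARN"}]},
    "allowlists": {"accepted": {"CVE-0000-0001"}},  # placeholder CVE id, not a real advisory
    "mappings": [  # consulted in order; the first match decides which policies and allowlists apply
        {"registry": "registry.example.com", "repository": "app/*", "tag": "*",
         "policies": ["prod"], "allowlists": ["accepted"]}],
}
IMAGE = {"ref": "registry.example.com/app/api:1.2", "healthcheck": False,  # constructed: no HEALTHCHECK
         "vulns": [{"id": "CVE-0000-0001", "severity": "critical", "fix": "2.0"},  # placeholder CVE ids
                   {"id": "CVE-0000-0002", "severity": "high", "fix": ""},
                   {"id": "CVE-0000-0003", "severity": "medium", "fix": "1.1"}]}

def split_ref(ref):  # 'registry/repo/path:tag' -> (registry, repository, tag); no tag means 'latest'
    registry, _, rest = ref.partition("/")
    repository, sep, tag = rest.rpartition(":")
    return registry, (repository if sep else rest), (tag if sep else "latest")

def find_mapping(ref, bundle):
    reg, repo, tag = split_ref(ref)
    for m in bundle["mappings"]:
        if all(fnmatch.fnmatch(v, m[k]) for k, v in (("registry", reg), ("repository", repo), ("tag", tag))):
            return m  # later mappings are never tried
    return None

def rule_findings(rule, image, allowed_cves):  # one entry per match; empty list means the rule did not fire
    p = rule["params"]
    if (rule["gate"], rule["trigger"]) == ("vulnerabilities", "package"):
        return [v["id"] for v in image["vulns"] if v["id"] not in allowed_cves  # allowlisted CVEs never match
                and SEVERITY[v["severity"]] >= SEVERITY[p["min_severity"]]
                and (not p.get("fix_available") or v["fix"])]
    if (rule["gate"], rule["trigger"]) == ("dockerfile", "no_healthcheck"):
        return [] if image["healthcheck"] else ["HEALTHCHECK missing"]
    return []

def evaluate(image, bundle):
    m = find_mapping(image["ref"], bundle)
    if m is None:  # assumption: an image no mapping covers cannot be evaluated, so it fails
        return {"result": "Fail", "final_action": "STOP", "findings": ["no mapping matched"]}
    allowed = set().union(*(bundle["allowlists"][a] for a in m["allowlists"]))
    findings = [(rule["action"], f) for pid in m["policies"] for rule in bundle["policies"][pid]
                for f in rule_findings(rule, image, allowed)]  # every matched rule is reported
    actions = {a for a, _ in findings}
    final = "STOP" if "STOP" in actions else "WARN" if "WARN" in actions else "GO"
    return {"result": "Fail" if final == "STOP" else "Pass", "final_action": final, "findings": findings}
```

Running `evaluate(IMAGE, BUNDLE)` reports the allowlisted critical CVE as skipped, the high CVE without a fix as not matching, the medium CVE with a fix as a Stop, and the missing HEALTHCHECK as a Warn, so the image fails with Final Action Stop.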
- Policy rules should align directly with the compliance methodology or framework your organization has adopted, such as FedRAMP or RMF (NIST 800-190).
- Closely related rules should belong to a single policy. This will simplify policy management as well as allow for straightforward mapping of rules to images.
- Create as many policy bundles as necessary, but keep in mind that only the currently active bundle will be used for image evaluation.
- If you find you must frequently change the active bundle depending on the image being evaluated, consider creating additional Anchore accounts, each with a different active bundle.