Setting up a secure Docker image scanning solution with Anchore and Drone CI

DevOps Anchore Container Security Containers Docker

A while back I had done a round-up of a few container scanning solutions and had mentioned I wanted to take another look at Anchore. The past few days, I’ve been playing a bit with Anchore - this time, integrating it with Drone CI.

Drone is a “Container-Native, Continuous Delivery Platform” built using Go. It uses a YAML file, .drone.yml, to define and execute the pipeline.

End Goal

For this project, we will be integrating Drone and Anchore. With the setup complete, every push to the remote repository will trigger a build of the Docker image. The built Docker image will then be added to Anchore Engine for analysis and scanning. Drone integrates with most popular SCM tools - and for this project, we will integrate with GitHub.

Setting up Drone

Follow the instructions listed in Drone’s Installation Guide to set up Drone. A sample Drone server configuration and the command to start Drone are listed below. Make sure to substitute the client ID and secret with the ones generated during the setup.

Run Drone with the following command:
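As an added example (not the configuration from the original post), here is a Docker Compose file that starts a Drone server and a Docker runner. It assumes Drone 1.x (the post does not pin a version) and uses placeholder values for the GitHub OAuth client ID and secret, the shared RPC secret, and the hostname; the Drone environment variable names are the documented Drone 1.x ones.

```yaml
# Added example: Drone 1.x server plus Docker runner (assumption: Drone 1.x).
# Replace every <...> placeholder before starting.
version: "3"

services:
  drone-server:
    image: drone/drone:1
    ports:
      - "80:80"
      - "443:443"
    volumes:
      - drone-data:/data
    environment:
      # OAuth app credentials generated on GitHub during the setup
      DRONE_GITHUB_CLIENT_ID: "<github oauth client id>"
      DRONE_GITHUB_CLIENT_SECRET: "<github oauth client secret>"
      # Shared secret that authenticates runners to the server
      DRONE_RPC_SECRET: "<random shared secret>"
      # Public hostname the GitHub webhook will call back to
      DRONE_SERVER_HOST: "<drone.example.org>"
      DRONE_SERVER_PROTO: "https"
      # Obtain a certificate automatically so the webhook traffic is encrypted
      DRONE_TLS_AUTOCERT: "true"

  drone-runner:
    image: drone/drone-runner-docker:1
    volumes:
      # The runner starts pipeline step containers through the host Docker socket
      - /var/run/docker.sock:/var/run/docker.sock
    environment:
      DRONE_RPC_PROTO: "http"
      DRONE_RPC_HOST: "drone-server"
      DRONE_RPC_SECRET: "<random shared secret>"
      DRONE_RUNNER_CAPACITY: "2"

volumes:
  drone-data:
```

Start it with `docker-compose up -d`. Keep the RPC secret and the OAuth secret out of version control; the runner's Docker socket mount gives it control over the host Docker daemon, so the runner host should be treated as trusted infrastructure.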

Once the Drone server is up and running, head over to the Drone UI and click “Activate” on the repo you wish to integrate Drone with. Clicking “Activate” sets up a webhook on the repo, so any activity against the repo results in an event being generated and pushed to Drone.

Setting up Anchore Engine

Follow the instructions on Anchore’s website to install and run Anchore. Once Anchore is up and running, we can use anchore-cli to interact with the image. Specifically, to scan the image, we need to:

  • Submit the image to Anchore Engine for analysis
  • Wait until the analysis is complete
  • Evaluate the analysis against the policy engine

We can achieve this with the following sequence of commands:

anchore-cli image add <image name>
anchore-cli image wait <image name>
anchore-cli evaluate check <image name>

Combining these commands with Drone’s pipeline, we get the following .drone.yml file:
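The following .drone.yml is an added example, not the file from the original post. It assumes Drone 1.x pipeline syntax, a registry that Anchore Engine can pull from (placeholder `registry.example.org/team/myapp`), Drone secrets named `registry_username`, `registry_password`, `anchore_user` and `anchore_pass`, and an Anchore Engine reachable at the placeholder URL; the `anchore/engine-cli` image and the `ANCHORE_CLI_*` variables are the ones anchore-cli documents.

```yaml
# Added example .drone.yml (assumption: Drone 1.x syntax).
# Drone adds the clone step automatically before the steps listed here.
kind: pipeline
type: docker
name: default

steps:
  # Build the image and tag it with the commit SHA, then push it to a registry
  # that Anchore Engine can pull from (Anchore analyzes images by pulling them).
  - name: build
    image: plugins/docker
    settings:
      registry: registry.example.org                 # placeholder registry
      repo: registry.example.org/team/myapp          # placeholder repository
      tags: ${DRONE_COMMIT_SHA}
      username:
        from_secret: registry_username               # Drone secret (assumed name)
      password:
        from_secret: registry_password               # Drone secret (assumed name)

  # Submit the image to Anchore Engine and block until analysis finishes.
  - name: analyze
    image: anchore/engine-cli
    environment:
      ANCHORE_CLI_URL: http://anchore-engine:8228/v1   # placeholder Anchore Engine URL
      ANCHORE_CLI_USER:
        from_secret: anchore_user
      ANCHORE_CLI_PASS:
        from_secret: anchore_pass
    commands:
      - anchore-cli image add registry.example.org/team/myapp:${DRONE_COMMIT_SHA}
      - anchore-cli image wait registry.example.org/team/myapp:${DRONE_COMMIT_SHA}

  # Evaluate the image against the active policy bundle. anchore-cli exits
  # non-zero when the evaluation result is FAIL, which fails this step and
  # stops the pipeline before any deploy step runs.
  - name: policy-check
    image: anchore/engine-cli
    environment:
      ANCHORE_CLI_URL: http://anchore-engine:8228/v1   # placeholder Anchore Engine URL
      ANCHORE_CLI_USER:
        from_secret: anchore_user
      ANCHORE_CLI_PASS:
        from_secret: anchore_pass
    commands:
      - anchore-cli evaluate check registry.example.org/team/myapp:${DRONE_COMMIT_SHA}
```

Credentials are injected through Drone secrets rather than written into the file, and tagging with `${DRONE_COMMIT_SHA}` means the image Anchore evaluates is exactly the image built from that commit, so a passing policy check cannot be attributed to a different build.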

Commit the .drone.yml file and push the changes to the repository. This results in the commit and push event being delivered to Drone, kickstarting the Drone pipeline.

Navigating to the Drone UI will show the pipeline stages and the result of each stage. An example screenshot is shown below.

Comparing against the .drone.yml file, you can see that Drone created a new pipeline (boringly titled “default”) consisting of 5 stages:

  • clone stage for cloning the repo. Although this isn’t listed in the .drone.yml file, Drone supports git by default and automatically adds the clone stage as the first stage
  • Build stage for building the Docker image and tagging it with the SHA of the commit
  • Analyze stage for submitting the built Docker image to Anchore for image and vulnerability analysis
  • Policy Check stage for evaluating the Docker image and validating whether the image is good to deploy or not. In my earlier post I’d mentioned that creating and editing policies is a pain - but recently, Anchore has released a centralized repository of policies that can be downloaded and installed.

If the policy check (or any stage) fails, the pipeline ends and does not trigger subsequent stages.

You can extend the pipeline further, adding steps to retag the Docker image and push it to Amazon Elastic Container Registry (ECR) - and Drone, with its ECR plugin, makes it very easy to do so.

What Next?

You can take a look at Drone’s Conditions and Triggers, which let you define and limit pipeline execution based on specific events/branches. Combined with writing your own plugins, Drone can let you set up a complete, secure CI/CD platform for your Docker images.

Author: Sathyajith Bhat