Setting up a secure Docker image scanning solution with Anchore and Drone CI
A while back I had done a round up of a few container scanning solutions and had mentioned I wanted to take another look at Anchore. The past few days, I’ve been playing a bit with Anchore – this time, integrating it with Drone CI.
Drone is a “Container-Native, Continuous Delivery Platform” built using Go. It makes use of a YAML file, .drone.yml to define and execute the pipeline.
For this project, we will be integrating Drone and Anchore. With the setup complete, every push to the remote repository will trigger the Docker image to be built. The built Docker image will then be added to Anchore Engine for analysis and scanning. Drone integrates with most popular SCM tools – and for this project, we will integrate with Github.
Setting up Drone
Follow the instruction listed on Drone’s Installation Guide to set up Drone. A sample Drone server configuration and the command to start Drone is listed below. Make sure to substitute the client id and secret with the one generated from the setup
Run Drone with the following command
Once Drone server is up and running, head over to the Drone UI and click on “Activate” on the repo which you wish to integrate Drone with. Clicking on “Activate” sets up a Webhook on the repo so any activity against the repo results in an event being generated and the event is then pushed to Drone.
Setting up Anchore Engine
Follow the instructions on Anchore’s website to install and run Anchore. Once Anchore is up and running, we can use anchore-cli to interact with the image. Specifically, to scan the image, we need to:
Submit the image to Anchore Engine for analysis
Wait till the Analysis Engine is complete
Evaluate the analysis against the policy engine
We can achieve this by the following sequence of commands
Combining these commands with Drone’s pipeline we get this for the.drone.yml file
Commit the .drone.yml file and push the changes to the repository. This results in the commit and push event being delivered to Drone, kickstarting the Drone pipeline.
Navigating to the Drone UI will show the pipeline stages and result of each pipeline stage. An example screenshot is shown below
Comparing against the .drone.yml file, you can see that Drone created a new pipeline(boringly titled “default” consisting of 5 stages:
clone stage for cloning the repo. Although this isn’t listed in the .drone.yml file, Drone by default supports git and automatically adds the clone stage as the first stage
Build stage for building the Docker image and tagging it with the SHA of the commit.
Analyze stage for submitting the built Docker image to Anchore for image and vulnerability analysis
Policy Check stage for evaluating the Docker image and validating whether the image is good to deploy or not. In my earlier post I’d mentioned that creating and editing policies is a pain – but recently, Anchore has released a centralized repository of policies that can be downloaded and installed.
If the policy check (or any stage) fails, the pipeline ends and does not trigger subsequent stages.
You can take a look at Drone’s Conditions and Triggers which lets you define and limit pipeline execution based on specific events/branches. Combined with writing your plugins, Drone can let you set up a complete, secure CI/CD platform for your Docker images.