
Setting up a secure Docker image scanning solution with Anchore and Drone CI

A while back I did a roundup of a few container scanning solutions and mentioned that I wanted to take another look at Anchore. Over the past few days I’ve been playing with Anchore again – this time, integrating it with Drone CI.

Drone is a “Container-Native, Continuous Delivery Platform” written in Go. It uses a YAML file, .drone.yml, to define and execute the pipeline.

End Goal

For this project, we will be integrating Drone and Anchore. With the setup complete, every push to the remote repository will trigger a build of the Docker image. The built image is then submitted to Anchore Engine for analysis and scanning. Drone integrates with most popular SCM tools – for this project, we will integrate with GitHub.

Setting up Drone

Follow the instructions in Drone’s Installation Guide to set up Drone. A sample Drone server configuration and the command to start Drone are listed below. Make sure to substitute the client id and secret with the ones generated during the setup.

Run Drone with the following command.

Once the Drone server is up and running, head over to the Drone UI and click “Activate” on the repo you wish to integrate with Drone. Clicking “Activate” installs a webhook on the repo, so any activity against the repo generates an event that is pushed to Drone.

Setting up Anchore Engine

Follow the instructions on Anchore’s website to install and run Anchore. Once Anchore is up and running, we can use anchore-cli to interact with Anchore Engine. Specifically, to scan an image, we need to:

  • Submit the image to Anchore Engine for analysis
  • Wait until the analysis is complete
  • Evaluate the analysis against the policy engine

We can achieve this with the following sequence of commands:

anchore-cli image add <image name>
anchore-cli image wait <image name>
anchore-cli evaluate check <image name>

Combining these commands with Drone’s pipeline, we get the following .drone.yml file.
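As an added example (my own, not the .drone.yml from the original post), here is a pipeline that wires the three anchore-cli commands into Drone as separate steps so that each one fails the build on its own. It assumes the Drone 0.8-era pipeline syntax (the implicitly named “default” pipeline the post describes), the plugins/docker plugin for the build and push, a registry at registry.example.com that Anchore Engine can pull from, an Anchore Engine API reachable at http://anchore-engine:8228/v1, and Drone secrets named docker_username, docker_password, anchore_cli_user and anchore_cli_pass. All of those names and addresses are placeholders.

```yaml
# Added example .drone.yml (Drone 0.8-style syntax), not the post's original file.
# Drone adds the "clone" step automatically; the steps below run in order and the
# pipeline stops at the first step that exits non-zero.
pipeline:

  # Build the image and tag it with the commit SHA, then push it to a registry.
  # Anchore Engine analyzes images by pulling them from a registry, so the image
  # has to be pushed before it can be submitted. Registry name is a placeholder.
  build:
    image: plugins/docker
    repo: registry.example.com/myteam/myapp
    registry: registry.example.com
    tags: ${DRONE_COMMIT_SHA}
    # Registry credentials come from Drone secrets, never from the YAML itself.
    secrets: [ docker_username, docker_password ]

  # Submit the freshly pushed image to Anchore Engine and wait for analysis.
  # anchore-cli reads ANCHORE_CLI_URL / ANCHORE_CLI_USER / ANCHORE_CLI_PASS from
  # the environment; Drone exposes each listed secret as an uppercase variable.
  analyze:
    image: anchore/engine-cli
    environment:
      - ANCHORE_CLI_URL=http://anchore-engine:8228/v1   # assumed engine address
    secrets: [ anchore_cli_user, anchore_cli_pass ]
    commands:
      - anchore-cli image add registry.example.com/myteam/myapp:${DRONE_COMMIT_SHA}
      - anchore-cli image wait registry.example.com/myteam/myapp:${DRONE_COMMIT_SHA}

  # Evaluate the analyzed image against the active policy bundle.
  # "evaluate check" exits non-zero when the image fails policy, which is what
  # stops the pipeline here and keeps a failing image from reaching later steps.
  policy_check:
    image: anchore/engine-cli
    environment:
      - ANCHORE_CLI_URL=http://anchore-engine:8228/v1   # assumed engine address
    secrets: [ anchore_cli_user, anchore_cli_pass ]
    commands:
      - anchore-cli evaluate check registry.example.com/myteam/myapp:${DRONE_COMMIT_SHA}
```

Splitting analyze and policy_check into two steps keeps the Drone UI readable: a red analyze step means the image could not be pulled or analyzed, while a red policy_check means the scan ran and the image failed policy. Because Drone halts at the first failing step, any step you append later (such as a retag-and-push to a production registry) only ever runs on an image that passed the check.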

Commit the .drone.yml file and push the changes to the repository. This results in the commit and push event being delivered to Drone, kickstarting the Drone pipeline.

Navigating to the Drone UI shows the pipeline stages and the result of each stage. An example screenshot is shown below.

Drone Pipeline UI

Comparing against the .drone.yml file, you can see that Drone created a new pipeline (boringly titled “default”) consisting of 5 stages:

  • Clone stage for cloning the repo. Although this isn’t listed in the .drone.yml file, Drone supports git by default and automatically adds the clone stage as the first stage.
  • Build stage for building the Docker image and tagging it with the SHA of the commit.
  • Analyze stage for submitting the built Docker image to Anchore for image and vulnerability analysis.
  • Policy Check stage for evaluating the Docker image and deciding whether it is good to deploy or not. In my earlier post I’d mentioned that creating and editing policies is a pain – but recently, Anchore has released a centralized repository of policies that can be downloaded and installed.

If the policy check (or any stage) fails, the pipeline ends and does not trigger subsequent stages.

You can extend the pipeline further by adding steps to retag the Docker image and push it to Amazon Elastic Container Registry (ECR) – Drone’s ECR plugin makes this very easy to do.

What Next?

Take a look at Drone’s Conditions and Triggers, which let you define and limit pipeline execution based on specific events or branches. Combined with writing your own plugins, Drone lets you set up a complete, secure CI/CD platform for your Docker images.
