Codefresh, profile picture
Uploaded byCodefresh
PDF, PPTX334 views

Adding Container Image Scanning to Your Codefresh Pipelines with Anchore

The document discusses the importance of scanning container images within CI/CD pipelines to enhance security by identifying vulnerabilities and configuration issues early in the development lifecycle. It outlines how Anchore tools analyze container images, generate manifests, and enforce user-defined policies through integration with Codefresh. Key takeaways include the necessity of mandatory image scanning, the creation of policies to govern image security, and the utilization of Anchore's capabilities in CI/CD processes.

Download as PDF, PPTX
Adding Container Image Scanning to your Codefresh Pipelines with JEREMY VALANCE
Jeremy Valance Solutions Architect
Agenda ● Introduction ● Container Security Models ● Scanning with Anchore in a CodeFresh Pipeline ● Live Demo ● Q&A
What should a container security model look like? Container Security ● Should involve securing all pieces of the container lifecycle (image, registry, container runtime, and host). ● Mandatory image scanning step in CI/CD process. ● “Shift left” to catch vulnerabilities early in the development lifecycle. ● Methods and tooling for notifications and remediation are available when vulnerabilities are found within a container image.
Why do we need to scan images?Container Security ● Container images greatly increase speed of development and release. ● Images are static archive files that include all components to run a given app or service. ● Libraries and components within the image may contain vulnerabilities. ● If not scanned, images with vulnerable packages can make their way into production environments. ● Developers may accidentally leave secrets or credentials within images. ● Image metadata and Dockerfiles may contain sensitive configurations like unused exposed ports or running as a root user.
What does container image scanning do?Container Security ● Anchore analysis tools will inspect container images and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files and language modules and artifacts. ● Policies rules can be created to govern security vulnerabilities,, configuration file contents, secrets, manifest changes, exposed ports or any user defined checks. ● Image scanning is focused on gaining a deep understanding of the contents of the images, and does not scan proprietary source code.
How do Anchore policies work?Anchore Policies ● Anchore first analyzes the container image, then conducts a policy evaluation on it. ● Anchore policies are made up of a set of user-defined rules such as: ○ Security vulnerabilities ○ Image manifest changes ○ Configuration file contents ○ Presence of credentials in an image ○ Exposed ports ○ Package whitelists and blacklists ● Policies can be created through API, CLI, or Enterprise UI. ● Policies can be enforced through CI/CD, API or CLI.
{ “id”: “48e6f7d6-1765-11e8-b5f9-8b6f228548b6”, “name”: “Example Policy”, “rules”: [ { “action”: “STOP”, “gate”: “dockerfile”, “id”:“ce7b8000-829b-4c27-8122-69cd59018400”, “params”: [ { “name”: “ports”, “value”: “22” } ] } ] Example Policy
Scanning with Anchore in a Codefresh pipeline Anchore & Codefresh ● All configuration detailed within codefresh.yml file. ● First step builds image from Dockerfile and pushes to Codefresh registry automatically. ● Second step scans image with Anchore and evaluates the policy rules against the analyzed data. ● Final step (depending on the result of step two), will push the image to Dockerhub.
How do I use it?Anchore ● Anchore Engine Open Source: https://github.com/anchore/anchore-engine ● Anchore Enterprise: https://anchore.com/enterprise ● Github examples: ○ Image Fail: https://github.com/valancej/node_critical_fail ○ Image Pass: https://github.com/valancej/node_critical_pass
INTEGRATION See our blog post complete with codefresh yaml at: Codefresh.io/blog https://codefresh.io/blog
Summary ● Container images should be scanned as a step in CI/CD process. ● Policies should be created and enforced at the CI/CD layer to increase confidence in deployments.
Schedule a 1:1 with our DevOps Experts -and- Sign up for FREE! 120 builds/month Q ? Codefresh.ioAnchore.com Get the open source at anchore.com/opensource
See our upcoming Codefresh Live events at: codefresh.io/events T Y

More Related Content

PPTX
Introduction to Anchore Engine
byMaarten Smeets
 
PPTX
Google jib: Building Java containers without Docker
byMaarten Smeets
 
PDF
Repository Management with JFrog Artifactory
byStephen Chin
 
PPTX
Maven Nexus
byericndunn
 
PDF
Play 2 Java Framework with TDD
byBasav Nagur
 
PPTX
Artifacts management with DevOps
byChen-Tien Tsai
 
PPTX
Introduction to Containers & Diving a little deeper into the benefits of Con...
bySynergetics Learning and Cloud Consulting
 
PDF
Artifactory Essentials Workshop on August 27, 2020 by JFrog
byCloud Study Network
 
Introduction to Anchore Engine
byMaarten Smeets
 
Google jib: Building Java containers without Docker
byMaarten Smeets
 
Repository Management with JFrog Artifactory
byStephen Chin
 
Maven Nexus
byericndunn
 
Play 2 Java Framework with TDD
byBasav Nagur
 
Artifacts management with DevOps
byChen-Tien Tsai
 
Introduction to Containers & Diving a little deeper into the benefits of Con...
bySynergetics Learning and Cloud Consulting
 
Artifactory Essentials Workshop on August 27, 2020 by JFrog
byCloud Study Network
 

What's hot

PPTX
Dev ops using Jenkins
bySynergetics Learning and Cloud Consulting
 
PDF
Docker container security
byThoughtworks
 
PPTX
Integrating Git, Gerrit and Jenkins/Hudson with Mylyn
bySascha Scholz
 
PDF
Swarm Update
byPerforce
 
PDF
You Want to Kubernetes? You MUST Know Containers!
byVMware Tanzu
 
PDF
A Deep Dive into Open Source Android Development
byDavid Wu
 
PDF
Automation CI CD with Gitlab, Java, docker on Hidora - Jelastic
byHidora
 
PDF
Enabling Cloud Native Buildpacks for Windows Containers
byVMware Tanzu
 
PPTX
Git Everyday
byPerforce
 
PDF
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
byVMware Tanzu
 
PPTX
Kubernetes for java developers
bySandro Giacomozzi
 
PDF
DCSF19 Adding a Modern API Layer to ‘Dockerized’ Legacy Apps
byDocker, Inc.
 
PPTX
Wellington MuleSoft Meetup 2021-02-18
byMary Joy Sabal
 
PPTX
4 Outcomes of an Advanced Repo Manager Strategy
bySonatype
 
PDF
Voxxed Athens 2018 - Java EE is dead Long live jakarta EE!
byVoxxed Athens
 
PDF
MicroProfile Devoxx.us
byjclingan
 
PPTX
DevOps in the Microsoft world part 2
byEvgeniy Savchenko
 
PPTX
Docker - A curtain raiser to the Container world
byzekeLabs Technologies
 
PDF
AQAvit: Vitality through Testing
byShelley Lambert
 
PDF
MicroProfile: Optimizing Java EE for a Microservices Architecture
byjclingan
 
Dev ops using Jenkins
bySynergetics Learning and Cloud Consulting
 
Docker container security
byThoughtworks
 
Integrating Git, Gerrit and Jenkins/Hudson with Mylyn
bySascha Scholz
 
Swarm Update
byPerforce
 
You Want to Kubernetes? You MUST Know Containers!
byVMware Tanzu
 
A Deep Dive into Open Source Android Development
byDavid Wu
 
Automation CI CD with Gitlab, Java, docker on Hidora - Jelastic
byHidora
 
Enabling Cloud Native Buildpacks for Windows Containers
byVMware Tanzu
 
Git Everyday
byPerforce
 
Automated Virtualized Testing (AVT) with Docker, Kubernetes, WireMock and Gat...
byVMware Tanzu
 
Kubernetes for java developers
bySandro Giacomozzi
 
DCSF19 Adding a Modern API Layer to ‘Dockerized’ Legacy Apps
byDocker, Inc.
 
Wellington MuleSoft Meetup 2021-02-18
byMary Joy Sabal
 
4 Outcomes of an Advanced Repo Manager Strategy
bySonatype
 
Voxxed Athens 2018 - Java EE is dead Long live jakarta EE!
byVoxxed Athens
 
MicroProfile Devoxx.us
byjclingan
 
DevOps in the Microsoft world part 2
byEvgeniy Savchenko
 
Docker - A curtain raiser to the Container world
byzekeLabs Technologies
 
AQAvit: Vitality through Testing
byShelley Lambert
 
MicroProfile: Optimizing Java EE for a Microservices Architecture
byjclingan
 

Similar to Adding Container Image Scanning to Your Codefresh Pipelines with Anchore

PDF
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
PDF
Anchore Engine
byKnoldus Inc.
 
PDF
Anchore webinar thursday 21st july 2016
byChristian Wiens
 
PDF
Anchore webinar thursday 21st july 2016
byAnchore
 
PPTX
Open source security tools for Kubernetes.
byMichael Ducy
 
PDF
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
byNUS-ISS
 
PDF
Expert Series: Solving Real-World Challenges in FedRAMP Compliance
byAnchore
 
PDF
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
byAmazon Web Services Korea
 
PDF
Navigating container technology for enhanced security by Niklas Saari
byMetosin Oy
 
PDF
Increase Supply Chain Transparency & Security with Harbor & Anchore
byAnchore
 
PDF
Secure_Container_Workload.pdf
byYu-Lin Huang
 
PDF
Webinar–Vulnerabilities in Containerised Production Environments
bySynopsys Software Integrity Group
 
PDF
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
byJuan Vicente Herrera Ruiz de Alejo
 
PDF
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
byAnchore
 
PPTX
Understanding docker ecosystem and vulnerabilities points
byAbdul Khan
 
PDF
Container Security: a toolchain for automatic image rebuilds
byRaphaël PINSON
 
PDF
AWS live hack: Docker + Snyk Container on AWS
byEric Smalling
 
PPTX
Csa container-security-in-aws-dw
byCloud Security Alliance, UK chapter
 
PDF
How to Secure Your Kubernetes Software Supply Chain at Scale
byAnchore
 
PDF
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
byCodefresh
 
Open Source Tools for Container Security and Compliance @Docker LA Meetup 2/13
byZach Hill
 
Anchore Engine
byKnoldus Inc.
 
Anchore webinar thursday 21st july 2016
byChristian Wiens
 
Anchore webinar thursday 21st july 2016
byAnchore
 
Open source security tools for Kubernetes.
byMichael Ducy
 
Supply Chain Security for Containerised Workloads - Lee Chuk Munn
byNUS-ISS
 
Expert Series: Solving Real-World Challenges in FedRAMP Compliance
byAnchore
 
Amazon Container 환경의 보안 – 최인영, AWS 솔루션즈 아키텍트:: AWS 온라인 이벤트 – 클라우드 보안 특집
byAmazon Web Services Korea
 
Navigating container technology for enhanced security by Niklas Saari
byMetosin Oy
 
Increase Supply Chain Transparency & Security with Harbor & Anchore
byAnchore
 
Secure_Container_Workload.pdf
byYu-Lin Huang
 
Webinar–Vulnerabilities in Containerised Production Environments
bySynopsys Software Integrity Group
 
Santander DevopsandCloudDays 2021 - Hardening containers.pdf
byJuan Vicente Herrera Ruiz de Alejo
 
Using Anchore and DefectDojo to Stand Up Your DevSecOps Function
byAnchore
 
Understanding docker ecosystem and vulnerabilities points
byAbdul Khan
 
Container Security: a toolchain for automatic image rebuilds
byRaphaël PINSON
 
AWS live hack: Docker + Snyk Container on AWS
byEric Smalling
 
Csa container-security-in-aws-dw
byCloud Security Alliance, UK chapter
 
How to Secure Your Kubernetes Software Supply Chain at Scale
byAnchore
 
Discovering and Fixing Dependency Vulnerabilities for Kubernetes apps with Sn...
byCodefresh
 

More from Codefresh

PDF
Detect, debug, deploy with Codefresh and Lightstep
byCodefresh
 
PDF
CICD Pipelines for Microservices: Lessons from the Trenches
byCodefresh
 
PDF
Simplify Your Code with Helmfile
byCodefresh
 
PDF
Making the Most of Helm 3 with Codefresh
byCodefresh
 
PDF
5 Simple Tips for Troubleshooting Your Kubernetes Pods
byCodefresh
 
PDF
Best Practices for Microservice CI/CD: Lessons from Expedia and Codefresh
byCodefresh
 
PDF
Hybrid CI/CD with Kubernetes & Codefresh
byCodefresh
 
PDF
VM vs Docker-Based Pipelines
byCodefresh
 
PDF
Why You Should be Using Multi-stage Docker Builds in 2019
byCodefresh
 
PPTX
Deploy Secure Cloud-Native Apps Fast
byCodefresh
 
PDF
CICD Pipelines for Microservices Best Practices
byCodefresh
 
PDF
Codefresh CICD New Features Launch! May 2019
byCodefresh
 
PDF
Terraform GitOps on Codefresh
byCodefresh
 
PDF
Image scanning using Clair
byCodefresh
 
PDF
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...
byCodefresh
 
PDF
Docker based-Pipelines with Codefresh
byCodefresh
 
PDF
Automated Serverless Pipelines with #GitOps on Codefresh
byCodefresh
 
PDF
Net Pipeline on Windows Kubernetes
byCodefresh
 
PPTX
Multi-cloud CI/CD with failover powered by K8s, Istio, Helm, and Codefresh
byCodefresh
 
PPTX
Skip Staging! Test Docker, Helm, and Kubernetes Apps like a Pro
byCodefresh
 
Detect, debug, deploy with Codefresh and Lightstep
byCodefresh
 
CICD Pipelines for Microservices: Lessons from the Trenches
byCodefresh
 
Simplify Your Code with Helmfile
byCodefresh
 
Making the Most of Helm 3 with Codefresh
byCodefresh
 
5 Simple Tips for Troubleshooting Your Kubernetes Pods
byCodefresh
 
Best Practices for Microservice CI/CD: Lessons from Expedia and Codefresh
byCodefresh
 
Hybrid CI/CD with Kubernetes & Codefresh
byCodefresh
 
VM vs Docker-Based Pipelines
byCodefresh
 
Why You Should be Using Multi-stage Docker Builds in 2019
byCodefresh
 
Deploy Secure Cloud-Native Apps Fast
byCodefresh
 
CICD Pipelines for Microservices Best Practices
byCodefresh
 
Codefresh CICD New Features Launch! May 2019
byCodefresh
 
Terraform GitOps on Codefresh
byCodefresh
 
Image scanning using Clair
byCodefresh
 
Updating Kubernetes With Helm Charts: Build, Test, Deploy with Codefresh and...
byCodefresh
 
Docker based-Pipelines with Codefresh
byCodefresh
 
Automated Serverless Pipelines with #GitOps on Codefresh
byCodefresh
 
Net Pipeline on Windows Kubernetes
byCodefresh
 
Multi-cloud CI/CD with failover powered by K8s, Istio, Helm, and Codefresh
byCodefresh
 
Skip Staging! Test Docker, Helm, and Kubernetes Apps like a Pro
byCodefresh
 

Recently uploaded

DOCX
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
PDF
Poster: Generalizable Image Repair for Robust Visual Control
byIvan Ruchkin
 
PDF
APDCA Energy sustainability white paper.pdf
byflintglobalapac
 
PDF
Energia Nowa and byteLAKE Partner to Develop Intelligent Services for Energy ...
bybyteLAKE
 
PDF
ClipsField AI - Transform Static Images Into Cinematic Videos in Minutes.pdf
bySOFTTECHHUB
 
PDF
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
PDF
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
PDF
ChatGPT Ain't Got $%@& On Me! by Andy Pavlo
byScyllaDB
 
PDF
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
PDF
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
PPTX
Mosaic: The Agentic AI Video Editing Platform
byDaniel Gimness
 
PDF
Agentic Automation in Action - Future Skills and Opportunities.pdf
byanabulhac
 
PPTX
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
DOCX
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
PPTX
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
PPTX
Artificial Intelligence lecture slides.pptx
bymaimelabernard6
 
PDF
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
PDF
RaBitQ, JSON Index, Schema Evolution, What's New in Milvus 2.6
byZilliz
 
PPTX
Autonomous Convoy Routing via Drone Swarms and Multi-Modal Threat Detection
byIvan Ruchkin
 
PDF
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 
Formula 3 - MACO using general limit.docx
byMarkus Janssen
 
Poster: Generalizable Image Repair for Robust Visual Control
byIvan Ruchkin
 
APDCA Energy sustainability white paper.pdf
byflintglobalapac
 
Energia Nowa and byteLAKE Partner to Develop Intelligent Services for Energy ...
bybyteLAKE
 
ClipsField AI - Transform Static Images Into Cinematic Videos in Minutes.pdf
bySOFTTECHHUB
 
Morgenbooster: Navigating Ai Criticism with Systems Thinking
by1508 A/S
 
AI-Driven DevOps: How LLMs and Agents Are Changing Software Delivery
byAll Things Open
 
ChatGPT Ain't Got $%@& On Me! by Andy Pavlo
byScyllaDB
 
From Data Chaos to Copilot Confidence: A Step-by-Step Microsoft 365 Copilot R...
byNikki Chapple
 
G.O.RT.No. 1173_LRS Extension of time limit
byRAGHU RAM
 
Mosaic: The Agentic AI Video Editing Platform
byDaniel Gimness
 
Agentic Automation in Action - Future Skills and Opportunities.pdf
byanabulhac
 
Enterprise Architecture for Microsoft 365: From Vision to Value
bySimon Denton
 
Formula 2 - APIC HBEL general calculation.docx
byMarkus Janssen
 
Session 6 Specialized AI Associate Series: The GenAI Experience in UiPath Doc...
byDianaGray10
 
Artificial Intelligence lecture slides.pptx
bymaimelabernard6
 
n8n - Next Generation Workflow Automation with Open Source
byDaisuke Masuda
 
RaBitQ, JSON Index, Schema Evolution, What's New in Milvus 2.6
byZilliz
 
Autonomous Convoy Routing via Drone Swarms and Multi-Modal Threat Detection
byIvan Ruchkin
 
AWS Community Day Indonesia 2025 - Attack the Cloud Before Attackers Do Build...
byMuhammad Yuga Nugraha
 

Adding Container Image Scanning to Your Codefresh Pipelines with Anchore

  • 1.
    Adding Container ImageScanning to your Codefresh Pipelines with JEREMY VALANCE
  • 2.
  • 3.
    Agenda ● Introduction ● ContainerSecurity Models ● Scanning with Anchore in a CodeFresh Pipeline ● Live Demo ● Q&A
  • 4.
    What should acontainer security model look like? Container Security ● Should involve securing all pieces of the container lifecycle (image, registry, container runtime, and host). ● Mandatory image scanning step in CI/CD process. ● “Shift left” to catch vulnerabilities early in the development lifecycle. ● Methods and tooling for notifications and remediation are available when vulnerabilities are found within a container image.
  • 5.
    Why do weneed to scan images?Container Security ● Container images greatly increase speed of development and release. ● Images are static archive files that include all components to run a given app or service. ● Libraries and components within the image may contain vulnerabilities. ● If not scanned, images with vulnerable packages can make their way into production environments. ● Developers may accidentally leave secrets or credentials within images. ● Image metadata and Dockerfiles may contain sensitive configurations like unused exposed ports or running as a root user.
  • 6.
    What does containerimage scanning do?Container Security ● Anchore analysis tools will inspect container images and generate a detailed manifest of the image, a virtual ‘bill of materials’ that includes official operating system packages, unofficial packages, configuration files and language modules and artifacts. ● Policies rules can be created to govern security vulnerabilities,, configuration file contents, secrets, manifest changes, exposed ports or any user defined checks. ● Image scanning is focused on gaining a deep understanding of the contents of the images, and does not scan proprietary source code.
  • 7.
    How do Anchorepolicies work?Anchore Policies ● Anchore first analyzes the container image, then conducts a policy evaluation on it. ● Anchore policies are made up of a set of user-defined rules such as: ○ Security vulnerabilities ○ Image manifest changes ○ Configuration file contents ○ Presence of credentials in an image ○ Exposed ports ○ Package whitelists and blacklists ● Policies can be created through API, CLI, or Enterprise UI. ● Policies can be enforced through CI/CD, API or CLI.
  • 8.
    { “id”: “48e6f7d6-1765-11e8-b5f9-8b6f228548b6”, “name”: “ExamplePolicy”, “rules”: [ { “action”: “STOP”, “gate”: “dockerfile”, “id”:“ce7b8000-829b-4c27-8122-69cd59018400”, “params”: [ { “name”: “ports”, “value”: “22” } ] } ] Example Policy
  • 9.
    Scanning with Anchorein a Codefresh pipeline Anchore & Codefresh ● All configuration detailed within codefresh.yml file. ● First step builds image from Dockerfile and pushes to Codefresh registry automatically. ● Second step scans image with Anchore and evaluates the policy rules against the analyzed data. ● Final step (depending on the result of step two), will push the image to Dockerhub.
  • 10.
    How do Iuse it?Anchore ● Anchore Engine Open Source: https://github.com/anchore/anchore-engine ● Anchore Enterprise: https://anchore.com/enterprise ● Github examples: ○ Image Fail: https://github.com/valancej/node_critical_fail ○ Image Pass: https://github.com/valancej/node_critical_pass
  • 11.
    INTEGRATION See our blogpost complete with codefresh yaml at: Codefresh.io/blog https://codefresh.io/blog
  • 12.
    Summary ● Container imagesshould be scanned as a step in CI/CD process. ● Policies should be created and enforced at the CI/CD layer to increase confidence in deployments.
  • 13.
    Schedule a 1:1with our DevOps Experts -and- Sign up for FREE! 120 builds/month Q ? Codefresh.ioAnchore.com Get the open source at anchore.com/opensource
  • 14.
    See our upcomingCodefresh Live events at: codefresh.io/events T Y