{jenkins-plugin-info:pluginId=anchore-container-scanner}

Description

Allows users to add a build step to run the Anchore container image scanner.

Anchore Jenkins Plugin

Anchore is a container inspection and analytics platform that enables operators to analyze, inspect, perform security scans, and evaluate custom policies against container images. The Anchore plugin can be used in a Pipeline job or added as a build step to a Freestyle job to automate running an Anchore analysis, evaluating custom Anchore policies against images, and performing Anchore security scans of images.


Anchore has been designed to plug seamlessly into the CI/CD workflow. A developer commits code into the source code management system. This change triggers Jenkins to start a build which creates a container image.

...


```bash
# Tag the image with a build-unique timestamp, build it and push it to the staging registry.
TAG=$(date "+%H%M%S%d%m%Y")
IMAGENAME=build.example.com/myapp
docker build -t "$IMAGENAME:$TAG" .
docker push "$IMAGENAME:$TAG"

# Line added to create the anchore_images file read by the Anchore build step:
# the image reference, then (optionally) the path to its Dockerfile.
echo "$IMAGENAME:$TAG ${WORKSPACE}/Dockerfile" > anchore_images
```


After the image has been built and pushed to the staging registry, the Anchore Scanner should be called.

From the Add build step dropdown, select Anchore Container Image Scanner.


A new build step labeled Anchore Build Options will appear in your job.



Options

Image list file
    Name of the file, present in the workspace, that contains the image name and optionally the Dockerfile location.

Fail build on policy check STOP result
    If the Anchore Engine policy evaluation returns a fail (STOP) result, the Jenkins job is failed. If this is not selected, a failed policy evaluation allows the build to continue.

Fail build on critical plugin error
    If selected and the Anchore Plugin experiences a critical error, the build is failed. This is typically used to ensure that a fault with the Anchore Engine (e.g. service not available) does not permit a failing image to be promoted to production.

Anchore Engine operation retries
    How long, in seconds, the Anchore Plugin waits for image analysis before timing out. The plugin continues once the image has been analyzed, but times out if this period is exceeded.
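The code block above writes the image list file by hand, and the Image list file option describes its contents only briefly. The following shell helpers are an added example, not code from the plugin or this page: they append entries to that file and validate it before the Anchore build step runs. The line format "IMAGE:TAG [PATH_TO_DOCKERFILE]" is assumed from the page's description, and the function names and the ANCHORE_IMAGES_FILE variable are my own. The validator insists on an explicit tag or digest so the scan targets exactly the image this build produced, not whatever the registry's default tag currently points at.

```shell
#!/bin/sh
# Added example (not part of the Anchore plugin or its documentation): helpers
# for the image list file the Anchore build step reads from the workspace.
# Assumed line format: "IMAGE:TAG [PATH_TO_DOCKERFILE]", one image per line.
set -eu

# File the Anchore build step is pointed at (the "Image list file" option).
ANCHORE_IMAGES_FILE="${ANCHORE_IMAGES_FILE:-anchore_images}"

# Append one entry; the second argument (Dockerfile path) is optional.
add_anchore_image() {
  if [ -n "${2:-}" ]; then
    printf '%s %s\n' "$1" "$2" >> "$ANCHORE_IMAGES_FILE"
  else
    printf '%s\n' "$1" >> "$ANCHORE_IMAGES_FILE"
  fi
}

# Return 0 when an image reference carries an explicit tag or digest. Only the
# last path component is examined, so a registry port (registry:5000/app)
# does not count as a tag.
image_ref_is_pinned() {
  case "${1##*/}" in
    *:*|*@*) return 0 ;;
    *)       return 1 ;;
  esac
}

# Validate an image list file before handing it to the scanner: every
# non-blank line must have one or two whitespace-separated fields, the image
# must be pinned, and a Dockerfile path, if given, must exist. Prints one
# diagnostic per bad line on stderr; returns 0 only when every line passes.
validate_anchore_images() {
  file="$1"; rc=0; n=0
  while IFS= read -r line || [ -n "${line:-}" ]; do
    n=$((n + 1))
    set -f                  # no pathname expansion while splitting the line
    set -- $line            # unquoted on purpose: split into fields
    set +f
    if [ "$#" -eq 0 ]; then
      continue              # blank line
    fi
    if [ "$#" -gt 2 ]; then
      echo "line $n: expected 'IMAGE [DOCKERFILE]', got $# fields: $line" >&2
      rc=1; continue
    fi
    if ! image_ref_is_pinned "$1"; then
      echo "line $n: image '$1' has no tag or digest" >&2
      rc=1; continue
    fi
    if [ "$#" -eq 2 ] && [ ! -f "$2" ]; then
      echo "line $n: Dockerfile '$2' not found" >&2
      rc=1
    fi
  done < "$file"
  return "$rc"
}
```

In a job this would be sourced after the docker push, with add_anchore_image called once per image the build produced and validate_anchore_images run as the last shell step before the Anchore build step, so a malformed list fails the job instead of quietly scanning the wrong image.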



The Anchore Plugin creates an Anchore Report directory containing a JSON file with the results of the policy evaluation.

The Plugin renders this in the Jenkins UI, showing the status of the build (GO = Pass, STOP = Fail, WARN = Warning).


Clicking on the Anchore Report link displays a graphical policy report showing the summary information and a detailed list of policy checks and their results.