In short: a system that helps automate the description and enforcement of requirements on the content of Docker container images.
With a bit more detail? Anchore Engine is a static analysis and policy-based compliance tool for Docker container images. It automates the inspection, analysis, and evaluation of images against user-defined checks, so that an image is deployed only when its content meets the required criteria. For each image, the Engine ultimately produces a policy evaluation result: pass or fail against the policies the user has defined. Additionally, the way policies are defined and evaluated lets a policy evaluation double as an audit mechanism: a point-in-time evaluation of specific image properties and content attributes.
Anchore takes a data-driven approach to analysis and policy enforcement. The system essentially has discrete phases for each image analyzed:
The primary interface is a RESTful API through which clients request analysis and policy evaluation, set up monitoring of images in registries, and query image contents and analysis results. A CLI is also provided, packaged in its own container.
There are, generally speaking, two ways to use Anchore Engine, both through the same API:
These two modes of operation, Interactive Mode for integration into CI/CD pipelines and Watch Mode for less intrusive monitoring of production image repositories, let Anchore Engine fit into most environments and processes.
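Interactive Mode in a CI job is the flow described above: submit the image, wait for its analysis to complete, then fetch the policy evaluation and gate the build on pass/fail. The following Python client is an added example written for this page, not Anchore's own client code or the anchore-cli; it talks to the Engine over the REST API. The endpoint paths (/v1/images, /v1/images/<digest>, /v1/images/<digest>/check), the analysis_status and status field names, the response nesting, and the http://localhost:8228 / admin / foobar connection details are assumptions to verify against the API docs of the Engine version you run. The FakeEngine transport is a constructed stand-in so the gate logic can run offline.

```python
"""Interactive-mode CI gate against the Anchore Engine REST API.

Added example, not Anchore's own client code.  Endpoint paths and JSON
shapes (/v1/images, /v1/images/<digest>, /v1/images/<digest>/check, the
analysis_status and status fields) are assumptions about the v1 API;
check them against the API docs of the Engine version you run.
"""
import base64
import json
import time
import urllib.parse
import urllib.request


class AnchoreClient:
    """Thin client around the three calls a CI job needs: add, wait, check."""

    def __init__(self, base_url, user, password, transport=None):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{user}:{password}".encode()).decode()
        self.headers = {"Authorization": f"Basic {token}",
                        "Content-Type": "application/json"}
        # transport(method, path, body) -> (http_status, parsed_json).
        # Injectable so the gate logic can be driven offline (see FakeEngine).
        self.transport = transport or self._http

    def _http(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.base_url + path, data=data,
                                     method=method, headers=self.headers)
        with urllib.request.urlopen(req, timeout=30) as resp:
            raw = resp.read()
            return resp.status, (json.loads(raw) if raw else None)

    def add_image(self, tag):
        """Submit a tag for analysis; return the digest the Engine assigns."""
        status, body = self.transport("POST", "/v1/images", {"tag": tag})
        if status not in (200, 201):
            raise RuntimeError(f"image add failed: HTTP {status}: {body}")
        return body[0]["imageDigest"]

    def wait_for_analysis(self, digest, timeout=600, interval=5, sleep=time.sleep):
        """Poll until analysis_status is 'analyzed'; raise on failure or timeout."""
        waited = 0
        while True:
            _, body = self.transport("GET", f"/v1/images/{digest}")
            state = body[0]["analysis_status"]
            if state == "analyzed":
                return state
            if state == "analysis_failed":
                raise RuntimeError(f"analysis failed for {digest}")
            if waited >= timeout:
                raise TimeoutError(f"{digest} still '{state}' after {timeout}s")
            sleep(interval)
            waited += interval

    def policy_status(self, digest, tag):
        """Return 'pass' or 'fail' for the active policy bundle."""
        path = (f"/v1/images/{digest}/check"
                f"?tag={urllib.parse.quote(tag, safe='')}&detail=true")
        _, body = self.transport("GET", path)
        # Assumed shape: [{digest: {tag: [{"status": "pass"|"fail", ...}]}}]
        return body[0][digest][tag][0]["status"]


def ci_gate(client, tag, **wait_kwargs):
    """Full Interactive Mode flow; True when the image passes policy."""
    digest = client.add_image(tag)
    client.wait_for_analysis(digest, **wait_kwargs)
    return client.policy_status(digest, tag) == "pass"


class FakeEngine:
    """Constructed, scripted responses standing in for a live Engine so the
    gate can be exercised offline.  Not real Anchore output."""

    def __init__(self, tag, digest, final_status, polls_until_analyzed=2):
        self.tag, self.digest, self.final_status = tag, digest, final_status
        self.polls_left = polls_until_analyzed
        self.calls = []

    def __call__(self, method, path, body=None):
        self.calls.append((method, path))
        if method == "POST" and path == "/v1/images":
            return 200, [{"imageDigest": self.digest, "analysis_status": "not_analyzed"}]
        if path == f"/v1/images/{self.digest}":
            self.polls_left -= 1
            state = "analyzed" if self.polls_left <= 0 else "analyzing"
            return 200, [{"imageDigest": self.digest, "analysis_status": state}]
        if path.startswith(f"/v1/images/{self.digest}/check"):
            return 200, [{self.digest: {self.tag: [{"status": self.final_status}]}}]
        return 404, {"message": "unknown path"}


if __name__ == "__main__":
    import sys
    tag = "docker.io/library/alpine:latest"
    engine = FakeEngine(tag, "sha256:" + "ab" * 32, "fail")  # scripted, offline
    client = AnchoreClient("http://localhost:8228", "admin", "foobar", transport=engine)
    ok = ci_gate(client, tag, interval=1, sleep=lambda s: None)
    print("policy:", "pass" if ok else "fail")
    sys.exit(0 if ok else 1)
```

Because the gate polls the image record instead of assuming analysis is instantaneous, it handles the two failure modes a CI job actually hits: an analysis that fails outright and one that never completes within the build's time budget. The anchore-cli exposes the same three steps as image add, image wait and evaluate check, whose non-zero exit code on a policy failure is what a pipeline step would normally key on.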
The system is a collection of services that can be deployed co-located, fully distributed, or anything in between, so it can scale out to increase analysis throughput. The only external dependency is a PostgreSQL database (9.6 or later) that every service connects to; the services do not communicate through the database beyond a simple service registration and lookup mechanism. A single central database is used purely for ease of management and operation.
The six services that make up the Engine can be deployed in a single container or scaled out to handle load:
For most installations a single instance is sufficient; however, multiple Analyzer Worker services can be spun up to handle heavy load and reduce analysis time.
Now that you have an overview, check out the Concepts section to gain a deeper understanding.