Anchore Policy Checks

Introduction

In this document, we describe the current anchore gates (and related triggers/parameters) that are supported within anchore policy bundles. If you have a running anchore engine, this information can also be obtained using the CLI:

# anchore-cli policy describe (--gate <gatename> ( --trigger <triggername))

Gate: dockerfile

Checks against the content of a dockerfile if provided, or a guessed dockerfile based on docker layer history if the dockerfile is not provided.

Trigger NameDescriptionParameterDescriptionExample
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.instructionThe Dockerfile instruction to check.from
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.checkThe type of check to perform.=
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.valueThe value to check the dockerfile instruction against.scratch
instructionTriggers if any directives in the list are found to match the described condition in the dockerfile.actual_dockerfile_onlyOnly evaluate against a user-provided dockerfile, skip evaluation on inferred/guessed dockerfiles. Default is False.true
effective_userChecks if the effective user matches the provided user names, either as a whitelist or blacklist depending on the type parameter setting.usersUser names to check against as the effective user (last user entry) in the images history.root,docker
effective_userChecks if the effective user matches the provided user names, either as a whitelist or blacklist depending on the type parameter setting.typeHow to treat the provided user names.blacklist
exposed_portsEvaluates the set of ports exposed. Allows configuring whitelist or blacklist behavior. If type=whitelist, then any ports found exposed that are not in the list will cause the trigger to fire. If type=blacklist, then any ports exposed that are in the list will cause the trigger to fire.portsList of port numbers.80,8080,8088
exposed_portsEvaluates the set of ports exposed. Allows configuring whitelist or blacklist behavior. If type=whitelist, then any ports found exposed that are not in the list will cause the trigger to fire. If type=blacklist, then any ports exposed that are in the list will cause the trigger to fire.typeWhether to use port list as a whitelist or blacklist.blacklist
exposed_portsEvaluates the set of ports exposed. Allows configuring whitelist or blacklist behavior. If type=whitelist, then any ports found exposed that are not in the list will cause the trigger to fire. If type=blacklist, then any ports exposed that are in the list will cause the trigger to fire.actual_dockerfile_onlyOnly evaluate against a user-provided dockerfile, skip evaluation on inferred/guessed dockerfiles. Default is False.true
no_dockerfile_providedTriggers if anchore analysis was performed without supplying the actual image Dockerfile.

Gate: files

Checks against files in the analyzed image including file content, file names, and filesystem attributes.

Trigger NameDescriptionParameterDescriptionExample
content_regex_matchTriggers for each file where the content search analyzer has found a match using configured regexes in the analyzer_config.yaml “content_search” section. If the parameter is set, the trigger will only fire for files that matched the named regex. Refer to your analyzer_config.yaml for the regex values.regex_nameRegex string that also appears in the FILECHECK_CONTENTMATCH analyzer parameter in analyzer configuration, to limit the check to. If set, will only fire trigger when the specific named regex was found in a file..password.
name_matchTriggers if a file exists in the container that has a filename that matches the provided regex. This does have a performance impact on policy evaluation.regexRegex to apply to file names for match..*.pem
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.filenameFilename to check against provided checksum./etc/passwd
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.checksum_algorithmChecksum algorithmsha256
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.checksumChecksum of file.832cd0f75b227d13aac82b1f70b7f90191a4186c151f9db50851d209c45ede11
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.checksum_matchChecksum operation to perform.equals
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.modeFile mode of file.00644
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.mode_opFile mode operation to perform.equals
attribute_matchTriggers if a filename exists in the container that has attributes that match those which are provided . This check has a performance impact on policy evaluation.skip_missingIf set to true, do not fire this trigger if the file is not present. If set to false, fire this trigger ignoring the other parameter settings.true
suid_or_guid_setFires for each file found to have suid or sgid bit set.

Gate: passwd_file

Content checks for /etc/passwd for things like usernames, group ids, shells, or full entries.

Trigger NameDescriptionParameterDescriptionExample
content_not_availableTriggers if the /etc/passwd file is not present/stored in the evaluated image.
blacklist_usernamesTriggers if specified username is found in the /etc/passwd fileuser_namesList of usernames that will cause the trigger to fire if found in /etc/passwd.daemon,ftp
blacklist_useridsTriggers if specified user id is found in the /etc/passwd fileuser_idsList of userids (numeric) that will cause the trigger to fire if found in /etc/passwd.0,1
blacklist_groupidsTriggers if specified group id is found in the /etc/passwd filegroup_idsList of groupids (numeric) that will cause the trigger ot fire if found in /etc/passwd.999,20
blacklist_shellsTriggers if specified login shell for any user is found in the /etc/passwd fileshellsList of shell commands to blacklist./bin/bash,/bin/zsh
blacklist_full_entryTriggers if entire specified passwd entry is found in the /etc/passwd file.entryFull entry to match in /etc/passwd.ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin

Gate: packages

Distro package checks

Trigger NameDescriptionParameterDescriptionExample
required_packageTriggers if the specified package and optionally a specific version is not found in the image.nameName of package that must be found installed in image.libssl
required_packageTriggers if the specified package and optionally a specific version is not found in the image.versionOptional version of package for exact version match.1.10.3rc3
required_packageTriggers if the specified package and optionally a specific version is not found in the image.version_match_typeThe type of comparison to use for version if a version is provided.exact
verifyCheck package integrity against package db in the image. Triggers for changes or removal or content in all or the selected “dirs” parameter if provided, and can filter type of check with the “check_only” parameter.only_packagesList of package names to limit verification.libssl,openssl
verifyCheck package integrity against package db in the image. Triggers for changes or removal or content in all or the selected “dirs” parameter if provided, and can filter type of check with the “check_only” parameter.only_directoriesList of directories to limit checks so as to avoid checks on all dir./usr,/var/lib
verifyCheck package integrity against package db in the image. Triggers for changes or removal or content in all or the selected “dirs” parameter if provided, and can filter type of check with the “check_only” parameter.checkCheck to perform instead of all.changed
blacklistTriggers if the evaluated image has a package installed that matches the named package optionally with a specific version as well.namePackage name to blacklist.openssh-server
blacklistTriggers if the evaluated image has a package installed that matches the named package optionally with a specific version as well.versionSpecific version of package to blacklist.1.0.1

Gate: vulnerabilities

CVE/Vulnerability checks.

Trigger NameDescriptionParameterDescriptionExample
packageTriggers if a found vulnerability in an image meets the comparison criteria.package_typeOnly trigger for specific package type.all
packageTriggers if a found vulnerability in an image meets the comparison criteria.severity_comparisonThe type of comparison to perform for severity evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.severitySeverity to compare against.high
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_base_score_comparisonThe type of comparison to perform for CVSS v3 base score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_base_scoreCVSS v3 base score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_exploitability_score_comparisonThe type of comparison to perform for CVSS v3 exploitability sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_exploitability_scoreCVSS v3 exploitability sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_impact_score_comparisonThe type of comparison to perform for CVSS v3 impact sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.cvss_v3_impact_scoreCVSS v3 impact sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.fix_availableIf present, the fix availability for the vulnerability record must match the value of this parameter.true
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_onlyIf True, an available fix for this CVE must not be explicitly marked as wont be addressed by the vendortrue
packageTriggers if a found vulnerability in an image meets the comparison criteria.max_days_since_creationIf provided, this CVE must be older than the days provided to trigger.7
packageTriggers if a found vulnerability in an image meets the comparison criteria.max_days_since_fixIf provided (only evaluated when fix_available option is also set to true), the fix first observed time must be older than days provided, to trigger.30
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_base_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 base score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_base_scoreVendor CVSS v3 base score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_exploitability_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 exploitability sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_exploitability_scoreVendor CVSS v3 exploitability sub score to compare against.None
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_impact_score_comparisonThe type of comparison to perform for vendor specified CVSS v3 impact sub score evaluation.>
packageTriggers if a found vulnerability in an image meets the comparison criteria.vendor_cvss_v3_impact_scoreVendor CVSS v3 impact sub score to compare against.None
blacklistTriggers if any of a list of specified vulnerabilities has been detected in the image.vulnerability_idsList of vulnerability IDs, will cause the trigger to fire if any are detected.CVE-2019-1234
blacklistTriggers if any of a list of specified vulnerabilities has been detected in the image.vulnerability_idsIf set to True, discard matches against this vulnerability if vendor has marked as will not fix in the vulnerability record.True
stale_feed_dataTriggers if the CVE data is older than the window specified by the parameter MAXAGE (unit is number of days).max_days_since_syncFire the trigger if the last sync was more than this number of days ago.10
vulnerability_data_unavailableTriggers if vulnerability data is unavailable for the image’s distro.

Gate: licenses

License checks against found software licenses in the container image

Trigger NameDescriptionParameterDescriptionExample
blacklist_exact_matchTriggers if the evaluated image has a package installed with software distributed under the specified (exact match) license(s).licensesList of license names to blacklist exactly.GPLv2+,GPL-3+,BSD-2-clause
blacklist_partial_matchtriggers if the evaluated image has a package installed with software distributed under the specified (substring match) license(s)licensesList of strings to do substring match for blacklist.LGPL,BSD

Gate: ruby_gems

Ruby Gem Checks

Trigger NameDescriptionParameterDescriptionExample
newer_version_found_in_feedTriggers if an installed GEM is not the latest version according to GEM data feed.
not_found_in_feedTriggers if an installed GEM is not in the official GEM database, according to GEM data feed.
version_not_found_in_feedTriggers if an installed GEM version is not listed in the official GEM feed as a valid version.
blacklistTriggers if the evaluated image has a GEM package installed that matches the specified name and version.nameGem name to blacklist.time_diff
blacklistTriggers if the evaluated image has a GEM package installed that matches the specified name and version.versionOptional version to blacklist specifically.0.2.9
feed_data_unavailableTriggers if anchore does not have access to the GEM data feed.

Gate: npms

NPM Checks

Trigger NameDescriptionParameterDescriptionExample
newer_version_in_feedTriggers if an installed NPM is not the latest version according to NPM data feed.
unknown_in_feedsTriggers if an installed NPM is not in the official NPM database, according to NPM data feed.
version_not_in_feedsTriggers if an installed NPM version is not listed in the official NPM feed as a valid version.
blacklisted_name_versionTriggers if the evaluated image has an NPM package installed that matches the name and optionally a version specified in the parameters.nameNpm package name to blacklist.time_diff
blacklisted_name_versionTriggers if the evaluated image has an NPM package installed that matches the name and optionally a version specified in the parameters.versionNpm package version to blacklist specifically.0.2.9
feed_data_unavailableTriggers if the engine does not have access to the NPM data feed.

Gate: secret_scans

Checks for secrets and content found in the image using configured regexes found in the “secret_search” section of analyzer_config.yaml.

Trigger NameDescriptionParameterDescriptionExample
content_regex_checksTriggers if the secret content search analyzer has found any matches with the configured and named regexes. Checks can be configured to trigger if a match is found or is not found (selected using match_type parameter). Matches are filtered by the content_regex_name and filename_regex if they are set. The content_regex_name shoud be a value from the “secret_search” section of the analyzer_config.yaml.content_regex_nameName of content regexps configured in the analyzer that match if found in the image, instead of matching all. Names available by default are: [‘AWS_ACCESS_KEY’, ‘AWS_SECRET_KEY’, ‘PRIV_KEY’, ‘DOCKER_AUTH’, ‘API_KEY’].AWS_ACCESS_KEY
content_regex_checksTriggers if the secret content search analyzer has found any matches with the configured and named regexes. Checks can be configured to trigger if a match is found or is not found (selected using match_type parameter). Matches are filtered by the content_regex_name and filename_regex if they are set. The content_regex_name shoud be a value from the “secret_search” section of the analyzer_config.yaml.filename_regexRegexp to filter the content matched files by./etc/.*
content_regex_checksTriggers if the secret content search analyzer has found any matches with the configured and named regexes. Checks can be configured to trigger if a match is found or is not found (selected using match_type parameter). Matches are filtered by the content_regex_name and filename_regex if they are set. The content_regex_name shoud be a value from the “secret_search” section of the analyzer_config.yaml.match_typeSet to define the type of match - trigger if match is found (default) or not found.found

Gate: metadata

Checks against image metadata, such as size, OS, distro, architecture, etc.

Trigger NameDescriptionParameterDescriptionExample
attributeTriggers if a named image metadata value matches the given condition.attributeAttribute name to be checked.size
attributeTriggers if a named image metadata value matches the given condition.checkThe operation to perform the evaluation.>
attributeTriggers if a named image metadata value matches the given condition.valueValue used in comparison.1073741824

Gate: always

Triggers that fire unconditionally if present in policy, useful for things like testing and blacklisting.

Trigger NameDescriptionParameterDescriptionExample
alwaysFires if present in a policy being evaluated. Useful for things like blacklisting images or testing mappings and whitelists by using this trigger in combination with policy mapping rules.

Gate: retrieved_files

Checks against content and/or presence of files retrieved at analysis time from an image

Trigger NameDescriptionParameterDescriptionExample
content_not_availableTriggers if the specified file is not present/stored in the evaluated image.pathThe path of the file to verify has been retrieved during analysis/etc/httpd.conf
content_regexEvaluation of regex on retrieved file contentpathThe path of the file to verify has been retrieved during analysis/etc/httpd.conf
content_regexEvaluation of regex on retrieved file contentcheckThe type of check to perform with the regexmatch
content_regexEvaluation of regex on retrieved file contentregexThe regex to evaluate against the content of the file.SSlEnabled.

Gate: Malware

TriggerDescriptionParameters
scansTriggers if any malware scanner has found any matches in the image.
scan_not_runTriggers if no scan was found for the image.

Next Steps

Now that you have a good grasp on the core concepts and architecture, check out the Requirements section for running Anchore.