Viewing Security Vulnerabilities
image vuln command can be used to return a list of vulnerabilities found in the container image.
anchore-cli image vuln INPUT_IMAGE VULN_TYPE
INPUT_IMAGE can be specified in one of the following formats:
- Image Digest
- Image ID
VULN_TYPE currently supports:
- os: Vulnerabilities against operating system packages (RPM, DPKG, APK, etc.)
- non-os: NPM, GEM, .NET (NuGet), Java Archive (jar, war, ear) and Python PIP CVEs.
- all: Combination report containing both ‘os’ and ‘non-os’ vulnerability records.
The system has been designed to incorporate 3rd party feeds for other vulnerabilites.
To generate a report of OS package (RPM/DEB/APK) vulnerabilities found in the image including CVE identifier, Vulnerable Package, Severity Level, Vulnerability details and version of fixed package (if available).
anchore-cli image vuln debian:latest os
Currently the following the anchore-engine draws vulnerability data specifically matched to the following OS distros:
- Oracle Linux
- Red Hat Enterprise Linux
- Red Hat Universal Base Image (UBI)
- Amazon Linux 2
- Google Distroless
To generate a report of language package (NPM/GEM/Java/Python/NuGet) vulnerabilities, the system draws vulnerability data from the NVD data feed, and vulnerability reports can be viewed using the ‘non-os’ vulnerability type:
anchore-cli image vuln node:latest non-os
To generate a list of all vulnerabilities that can be found, regardless of whether they are against an OS or non-OS package type, the ‘all’ vulnerability type can be used:
anchore-cli image vuln node:latest all
Finally, for any of the above queries, these commands (and other anchore-cli commands) can be passed the
--json flag to output the data in JSON format:
anchore-cli --json image vuln node:latest all
- Evaluate the image against policies you create.
- Subscribe to receive notifications when the image is updated, when the policy status changes or when new vulnerabilities are detected.