Anchore Policies Checks
Introduction
Information about the latest available policy gates, triggers and parameters can be retrieved from a running anchore-engine, using the anchore-cli command below:
# anchore-cli policy describe (--gate <gatename> ( --trigger <triggername))
Gates
Gate | Description |
---|---|
always | Triggers that fire unconditionally if present in policy, useful for things like testing and blacklisting |
dockerfile | Checks against the content of a dockerfile if provided, or a guessed dockerfile based on docker layer history if the dockerfile is not provided |
files | Checks against files in the analyzed image including file content, file names, and filesystem attributes |
licenses | License checks against found software licenses in the container image |
malware | Checks for malware scan findings in the image |
metadata | Checks against image metadata, such as size, OS, distro, architecture, etc. |
npms | NPM Checks |
packages | Distro package checks |
passwd_file | Content checks for /etc/passwd for things like usernames, group ids, shells, or full entries |
retrieved_files | Checks against content and/or presence of files retrieved at analysis time from an image |
ruby_gems | Ruby Gem Checks |
secret_scans | Checks for secrets and content found in the image using configured regexes found in the “secret_search” section of analyzer_config.yaml |
vulnerabilities | CVE/Vulnerability checks |
For a more in-depth list of available gates/triggers, refer to Anchore Policy Checks
Last modified November 23, 2020: More fixes, but not reaady yet (06a00c13)