Anchore Policies Checks

Introduction

Information about the latest available policy gates, triggers and parameters can be retrieved from a running anchore-engine, using the anchore-cli command below:

# anchore-cli policy describe (--gate <gatename> (--trigger <triggername>))

Gates

Gate              Description
----------------  -----------------------------------------------------------------------------------------------------
always            Triggers that fire unconditionally if present in policy, useful for things like testing and blacklisting
dockerfile        Checks against the content of a Dockerfile if provided, or a guessed Dockerfile based on Docker layer history if the Dockerfile is not provided
files             Checks against files in the analyzed image, including file content, file names, and filesystem attributes
licenses          License checks against found software licenses in the container image
malware           Checks for malware scan findings in the image
metadata          Checks against image metadata, such as size, OS, distro, architecture, etc.
npms              NPM checks
packages          Distro package checks
passwd_file       Content checks for /etc/passwd for things like usernames, group ids, shells, or full entries
retrieved_files   Checks against content and/or presence of files retrieved at analysis time from an image
ruby_gems         Ruby Gem checks
secret_scans      Checks for secrets and content found in the image using configured regexes found in the “secret_search” section of analyzer_config.yaml
vulnerabilities   CVE/Vulnerability checks

For a more in-depth list of available gates and their triggers, refer to Anchore Policy Checks.


Last modified November 23, 2020: More fixes, but not ready yet (06a00c13)