Question: Why aren't the images recorded in Anchore engine #31

Open
ThinkBriK opened this issue May 5, 2021 · 2 comments
Labels
question Further information is requested

Comments

@ThinkBriK

Hi!

I was looking for a way to add images to Anchore engine (as I can do manually with anchore cli image add) on Harbor scans. The idea behind it is to discover images in the registry dynamically and be able to be notified when new CVEs are detected.

If I read well, so far, Anchore engine is used in a one-shot fashion?

@zhill zhill added the question Further information is requested label May 5, 2021
@zhill
Member

zhill commented May 5, 2021

Hi @ThinkBriK! Thanks for the question. The adapter will request an analysis/scan from Anchore on each "scan job" initiated by Harbor. Harbor itself configures and executes the scan jobs, and that can be set up to scan each new image when it is pushed to Harbor (https://goharbor.io/docs/2.2.0/administration/vulnerability-scanning/). I think it is, so you should be able to get the behavior you are describing, unless I misunderstood your request.

Once Anchore has analyzed the image, it will retain the SBoM and other analysis artifacts and automatically update for new vulnerabilities inside Anchore as it syncs the vuln feeds down from the sources, so you can get update notifications from Anchore itself outside of the Harbor scan process as well. Harbor will only see the updated result on its next scan job where it will query Anchore for a new result to pull into its UI. But, if Anchore has seen the image before it does not need to re-download the image content and will simply provide an updated vuln scan report.

There may also be a non-adapter approach that may work for your use-case:
Anchore also has the ability to "watch" a repository in a registry for new tags and images and automatically scan them, even outside of this specific Harbor integration. The value this integration gives is that the scan results are viewable in the Harbor UI itself next to the image, and that those results can be used to block external pulls on an image based on the vulnerability status of the image.

@ThinkBriK
Author

ThinkBriK commented May 7, 2021

Hi @zhill, it seems I may have encountered a DB issue that would have prevented the recording of the image in Anchore: if I use the anchore-cli tool, I can see the images when using GET on /images, but I don't get to see images that were scanned through the Harbor adapter.

I'll reinstall to try it out again.

The endgame would be to be able to block downloads and to have the anchore cli / API check the actual scan results.

Another question: is the malware scan automatically done too (using clamav) if Anchore is configured to use it?
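
A way to check, from the Anchore Engine side, whether the images Harbor sent for scanning were actually recorded and what their current vulnerability status is, as an added example that is not part of this thread or of the adapter's code. It assumes the Anchore Engine v1 REST API (GET /v1/images and GET /v1/images/{digest}/vuln/all), the default engine port 8228 and placeholder credentials; the image tags and the JSON used in the checks are constructed.

```python
"""Audit which Harbor-scanned images Anchore Engine has recorded, and summarize
their vulnerabilities by severity. Assumed endpoints (Anchore Engine v1 API):
GET /v1/images and GET /v1/images/{digest}/vuln/all."""
import base64
import json
from collections import Counter
from urllib.request import Request, urlopen

ANCHORE_URL = "http://localhost:8228"  # assumption: default engine port
AUTH = ("admin", "CHANGE-ME")          # placeholder credentials, not real ones


def _get(path):
    """GET a JSON document from the engine with HTTP basic auth."""
    req = Request(ANCHORE_URL + path)
    token = base64.b64encode(f"{AUTH[0]}:{AUTH[1]}".encode()).decode()
    req.add_header("Authorization", "Basic " + token)
    with urlopen(req, timeout=30) as resp:
        return json.load(resp)


def index_images(image_records):
    """Map each recorded fulltag (registry/repo:tag) to (digest, analysis_status)."""
    index = {}
    for rec in image_records:
        for detail in rec.get("image_detail", []):
            index[detail["fulltag"]] = (rec["imageDigest"], rec["analysis_status"])
    return index


def missing_tags(expected_tags, image_records):
    """Tags Harbor scanned that Anchore has no record of (the symptom in this issue)."""
    known = index_images(image_records)
    return sorted(t for t in expected_tags if t not in known)


def severity_counts(vuln_report):
    """Count vulnerabilities by severity, separating those that have a fix available."""
    counts = Counter()
    for v in vuln_report.get("vulnerabilities", []):
        fixable = v.get("fix") not in (None, "", "None")
        counts[(v["severity"], "fixable" if fixable else "unfixed")] += 1
    return dict(counts)


def audit(expected_tags):
    """Print unrecorded tags, then a severity summary for each analyzed expected tag."""
    records = _get("/v1/images")
    for tag in missing_tags(expected_tags, records):
        print("NOT RECORDED:", tag)
    for tag, (digest, status) in index_images(records).items():
        if tag in expected_tags and status == "analyzed":
            print(tag, severity_counts(_get(f"/v1/images/{digest}/vuln/all")))


if __name__ == "__main__":
    audit({"harbor.example.com/library/nginx:1.19"})  # constructed tag
```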
