How to Install Open Source Docker CVE Scanners in Linux
Most companies and organizations are now looking at how to secure container images before they are deployed, because image scanning identifies known vulnerabilities (CVEs) in Docker images. Many vendors provide CVE scanning tools for Docker images; in this blog post we will look at two open-source image scanners that help identify and remediate vulnerabilities in container images.
1. Trivy
Installation
sudo apt-get update
sudo apt-get install trivy
You can verify the installation by running the command below.
trivy -v
Scan an image
Before scanning an image you need to know which Docker images are available on your local machine. You can list them with the command below.
sudo docker images
trivy image docker.wso2.com/wso2mi:1.2.0.1617123620379.4-alpine
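A scan is only useful if its result gates something. As an added example (not part of the original post and not Trivy's own code), the Python script below reads a Trivy JSON report, as produced by `trivy image --format json --output report.json <image>`, summarizes findings per severity, and decides whether the image should be blocked; the report contents, image name and CVE ids are constructed sample data, not real findings.

```python
import json
from collections import Counter

# Constructed sample report in the shape Trivy's JSON output uses.
# CVE ids and versions are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "SchemaVersion": 2,
    "ArtifactName": "example.invalid/app:1.0-alpine",
    "Results": [
        {"Target": "example.invalid/app:1.0-alpine (alpine 3.13.2)", "Type": "alpine",
         "Vulnerabilities": [
             {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl1.1",
              "InstalledVersion": "1.1.1j-r0", "FixedVersion": "1.1.1k-r0", "Severity": "HIGH"},
             {"VulnerabilityID": "CVE-0000-0002", "PkgName": "busybox",
              "InstalledVersion": "1.32.1-r3", "FixedVersion": "", "Severity": "CRITICAL"},
             {"VulnerabilityID": "CVE-0000-0003", "PkgName": "zlib",
              "InstalledVersion": "1.2.11-r3", "FixedVersion": "1.2.12-r0", "Severity": "LOW"}]},
        # Trivy emits null for targets without findings; the parser must tolerate it.
        {"Target": "Java", "Type": "jar", "Vulnerabilities": None},
    ],
})

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


def load_findings(report_text):
    """Flatten all result targets into one list; handles missing Results and null lists."""
    report = json.loads(report_text)
    findings = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:
            findings.append({"id": v["VulnerabilityID"], "pkg": v["PkgName"],
                             "severity": v.get("Severity", "UNKNOWN").upper(),
                             "fixable": bool(v.get("FixedVersion")),
                             "target": result.get("Target", "")})
    return findings


def summarize(findings):
    """Count findings per severity, e.g. {'HIGH': 1, 'CRITICAL': 1, 'LOW': 1}."""
    return Counter(f["severity"] for f in findings)


def blocking_findings(findings, threshold="HIGH", fixable_only=True):
    """Findings at or above the threshold; by default only those with a fixed version."""
    floor = SEVERITY_RANK[threshold]
    return [f for f in findings
            if SEVERITY_RANK.get(f["severity"], 0) >= floor and (f["fixable"] or not fixable_only)]


if __name__ == "__main__":
    found = load_findings(SAMPLE_REPORT)
    print(dict(summarize(found)))
    for f in blocking_findings(found):
        print(f"BLOCK {f['id']} in {f['pkg']} ({f['severity']}, fix available)")
    raise SystemExit(1 if blocking_findings(found) else 0)  # non-zero exit fails a CI stage
```

Trivy's own `--severity` and `--exit-code` flags cover the simplest form of this gate; parsing the report yourself is what you need once you want to treat fixable and unfixable findings differently.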
2. Anchore
Installation
To quickly bring up an installation of Anchore Engine on a system with docker (and docker-compose) installed, follow these simple steps:
curl https://engine.anchore.io/docs/quickstart/docker-compose.yaml > docker-compose.yaml
Start the Anchore Engine
docker-compose up -d
If you haven’t installed docker-compose on your machine, you can install it by running the command below.
apt-get install docker-compose
It is a good security practice to change the password, and you can do this by editing the docker-compose.yaml file. However, in this tutorial, we will use the default settings (username – admin and password – foobar).
Install AnchoreCLI
We will first install the python-pip utility, which we will then use to install the AnchoreCLI from source.
sudo apt-get update
sudo apt-get install python-pip
sudo pip install --upgrade setuptools
Install the AnchoreCLI using python-pip
pip install anchorecli
To verify that the installation succeeded and check the version of the AnchoreCLI, use the command
anchore-cli --version
To check anchore-CLI system status, use the command
anchore-cli --url http://localhost:8228/v1 --u admin --p foobar system status
Please note that you must pass the Anchore Engine URL, username and password.
Adding and analyzing images
To add an image, use the command below.
anchore-cli image add docker.wso2.com/wso2mi:1.2.0.1616678418027.4-alpine
Before adding images you first need to add your private Docker registry to the Anchore Engine. If you haven’t done so, you will get an error like the one below.
You can list the registered registries with this command
anchore-cli registry list
So to add a registry, use this command
anchore-cli registry add docker.wso2.com username password
After adding an image to the Anchore Engine, the analysis starts immediately. If there are several loaded images, they are put in a queue and analyzed one at a time. You can check the progress and see the list of loaded images together with their analysis status.
To see the list, run the command
anchore-cli image list
Retrieve and view analysis results
Once the analysis is complete, you can retrieve the results of the vulnerability scan and of the other checks the engine has performed.
To check results for the vulnerability scan run the below command
anchore-cli image vuln docker.wso2.com/wso2mi:1.2.0.1616678418027.4-alpine all