anchore / ci-tools

Contains scripts for running anchore engine in CI pipelines
Apache License 2.0
34 stars 33 forks

Added "-i" for single image scenario #50

Closed luoyimu1 closed 3 years ago

luoyimu1 commented 3 years ago

Previously the "-i" flag was missing for situations like with b_flag but without d_flag; the update helps fix the open issue #27 as well.

luoyimu1 commented 3 years ago

Thanks @Btodhunter, could you please help merge the PR to the master branch?

luoyimu1 commented 3 years ago

Hi @Btodhunter, I hope you don't mind if I ask a question here :) Basically, we're trying to find an alternative to our existing Twistlock image scan for our Bamboo CI/CD pipeline, and we've been using the Anchore inline-scan tool for over a week; we think it meets all our requirements so far.

The only thing we observe is that for the same image, Anchore Engine takes ~2 min to finish the scan whilst Twistlock takes less than 1 min (the 2 min is purely the scan time, as we count it from "Waiting for analysis to complete" until "Analysis completed"). We've tested both Anchore and Twistlock against over 40 images and the results are pretty consistent.

So I'm wondering if Anchore is considering reducing the scan time in some way so that end users could save some waiting time. I'm not sure how Twistlock achieves that fast scan speed; I could only find the following details on the Twistlock website, for your reference: "The twistcli images scan function collects information about the packages and binaries in the container image, and then sends it to Console for analysis. Data collected by twistcli includes: Packages in the image. Files installed by each package. Hashes for files in the image."
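
The timing method described above (elapsed time between the "Waiting for analysis to complete" and "Analysis completed" lines) can be reproduced across many images by parsing the CI log. The script below is an added example, not code from this thread or from anchore/ci-tools. It assumes the CI runner prefixes each log line with an ISO-8601 timestamp and that each scan is introduced by a line of the form `Scanning image '<name>'`; both the timestamp format and that lead line are assumptions, and the sample log is constructed. The two marker strings are the ones quoted in the comment. A scan whose "Waiting" line has no matching "completed" line (a timeout) is reported as incomplete rather than silently dropped, so it cannot skew the median.

```python
"""Measure Anchore inline_scan analysis time per image from a CI log.

Added example, not part of anchore/ci-tools. Assumptions (not from the
project): every log line starts with an ISO-8601 timestamp, and each scan
is introduced by "Scanning image '<name>'". The two marker strings below
are the ones quoted in the thread.
"""
import re
import statistics
from datetime import datetime

WAIT_MARKER = "Waiting for analysis to complete"
DONE_MARKER = "Analysis completed"

# Assumed line shape: "<YYYY-MM-DDTHH:MM:SS> <message>" (timestamp format is an assumption).
LINE_RE = re.compile(r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}) (?P<msg>.*)$")
# Assumed per-scan lead line; not a documented inline_scan message.
IMAGE_RE = re.compile(r"^Scanning image '(?P<image>[^']+)'")


def scan_durations(log_text):
    """Return {image: seconds} for each scan, with None for scans that never completed."""
    durations = {}
    image = None
    started = None
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # lines without a timestamp cannot be timed
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S")
        msg = m.group("msg")
        im = IMAGE_RE.match(msg)
        if im:
            # A new scan started while the previous one was still waiting: mark it incomplete.
            if image is not None and started is not None and image not in durations:
                durations[image] = None
            image, started = im.group("image"), None
        elif msg.startswith(WAIT_MARKER) and image is not None:
            started = ts
        elif msg.startswith(DONE_MARKER) and image is not None and started is not None:
            durations[image] = (ts - started).total_seconds()
            started = None
    # Trailing scan that never printed the completion marker (e.g. a timeout).
    if image is not None and started is not None and image not in durations:
        durations[image] = None
    return durations


def summarize(durations):
    """Median and max over completed scans, plus the count of incomplete ones."""
    done = [d for d in durations.values() if d is not None]
    return {
        "completed": len(done),
        "incomplete": sum(1 for d in durations.values() if d is None),
        "median_s": statistics.median(done) if done else None,
        "max_s": max(done) if done else None,
    }


# Constructed sample log (not real tool output); timestamps are illustrative.
SAMPLE_LOG = """\
2021-03-01T10:00:00 Scanning image 'registry.example/app:1.0'
2021-03-01T10:00:05 Waiting for analysis to complete...
2021-03-01T10:02:07 Analysis completed!
2021-03-01T10:02:10 Scanning image 'registry.example/api:2.3'
2021-03-01T10:02:14 Waiting for analysis to complete...
2021-03-01T10:04:00 Analysis completed!
2021-03-01T10:04:03 Scanning image 'registry.example/worker:0.9'
2021-03-01T10:04:08 Waiting for analysis to complete...
2021-03-01T10:09:08 Timed out waiting for analysis
"""

if __name__ == "__main__":
    results = scan_durations(SAMPLE_LOG)
    for img, secs in results.items():
        print(f"{img}: {'incomplete' if secs is None else f'{secs:.0f}s'}")
    print(summarize(results))
```

Run it against the real Bamboo build log (after adjusting `LINE_RE` to the runner's actual timestamp prefix) to get a per-image distribution rather than a single anecdotal number; the median is a fairer comparison point than the mean when a few scans time out or hit a cold cache.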

Btodhunter commented 3 years ago

@luoyimu1 The inline_scan tool is a bit heavyweight because it's standing up Anchore Engine with Postgres and a Docker registry all inside a container, then performing intensive analysis and policy evaluation using whatever resources are available on the CI runner. Needless to say, it isn't the perfect tool for performing fast vuln scans in CI.

However, it's been apparent that a lot of people have really benefited from this little tool/script, so we decided to build a brand new project out of the idea. Check out our new Golang tools at https://toolbox.anchore.io - if you replace inline_scan with grype, you'll find that the scanning goes much quicker!

luoyimu1 commented 3 years ago

@Btodhunter, awesome!! I'll check it out shortly. Cheers,