def toolbox(anchore_config, ctx, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>.

    Sets the module globals ``config``, ``imagelist`` and ``nav``.  For every
    subcommand except ``import`` and ``delete`` the ``--image`` value is first
    resolved to image ids; if that fails the process exits with status 1.
    """
    global config, imagelist, nav
    config = anchore_config
    ecode = 0
    imagelist = [image]

    # import/delete take the raw input and need no image lookup or navigator.
    if ctx.invoked_subcommand in ('import', 'delete'):
        return

    try:
        # The original re-raised ValueError into this same handler, so a single
        # handler is equivalent.
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        nav = navigator.Navigator(anchore_config=config,
                                  imagelist=imagelist,
                                  allimages=contexts['anchore_allimages'])
    except Exception:
        anchore_print_err('operation failed')
        nav = None
        # NOTE(review): ecode is recorded but never acted on here, so the
        # subcommand still runs with nav == None - confirm subcommands guard for that.
        ecode = 1
def explore(anchore_config, image, imagefile, include_allanchore):
    """
    Explore image content via queries, visualizations and reports for the selected image(s).

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Sets the module globals ``config`` and ``imagelist``; ``nav`` and ``vis``
    are declared global but not assigned here.  Exits with status 1 when the
    image selection cannot be built or resolved.
    """
    global config, imagelist, nav, vis
    ecode = 0
    success = True
    config = anchore_config

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    # With neither --image nor --imagefile the selection falls back to "all".
    select_all = not (image or imagefile)
    try:
        selection = build_image_list(anchore_config, image, imagefile, select_all, include_allanchore)
        imagelist = selection.keys()
        resolved = anchore_utils.discover_imageIds(imagelist)
        imagelist = resolved.keys()
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
def toolbox(anchore_config, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>.

    Sets the module globals ``config``, ``imagelist`` and ``nav``.  There is no
    handler around the id lookup, so a lookup failure propagates to the caller.
    """
    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    # Resolve --image to ids; any exception propagates (the original re-raised
    # ValueError unchanged and let everything else through too).
    imagelist = anchore_utils.discover_imageIds(anchore_config, [image]).keys()

    try:
        nav = navigator.Navigator(anchore_config=config,
                                  imagelist=imagelist,
                                  allimages=contexts['anchore_allimages'])
    except Exception:
        anchore_print_err('operation failed')
        nav = None
        # NOTE(review): ecode is set but not returned or used for exit - confirm intended.
        ecode = 1
def toolbox(anchore_config, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>.

    Sets the module globals ``config``, ``imagelist`` and ``nav``.  There is no
    handler around the id lookup, so a lookup failure propagates to the caller.
    """
    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    # Resolve --image to ids; any exception propagates (the original re-raised
    # ValueError unchanged and let everything else through too).
    imagelist = anchore_utils.discover_imageIds(anchore_config, [image]).keys()

    try:
        nav = navigator.Navigator(anchore_config=config,
                                  imagelist=imagelist,
                                  allimages=contexts['anchore_allimages'])
    except Exception:
        anchore_print_err('operation failed')
        nav = None
        # NOTE(review): ecode is set but not returned or used for exit - confirm intended.
        ecode = 1
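def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'

    Exit status (only when a module is given; otherwise the function simply
    returns): 0 on success, 2 when the query reports warnings, 1 on any error.
    """
    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    if not module:
        return

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = list(imagedict.keys())
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)

    try:
        nav = init_nav_contexts()
        result = nav.run_query(list(module))
        if result:
            anchore_utils.print_result(config, result)
            if nav.check_for_warnings(result):
                ecode = 2
    except Exception:
        # Was a bare `except:`, which also swallowed SystemExit/KeyboardInterrupt
        # and turned an interrupted query into exit status 1.
        anchore_print_err("query operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)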
def audit(anchore_config, image, imagefile, include_allanchore):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Sets the module globals ``config`` and ``imagelist``.  Exits with status 1
    when the image selection cannot be built or resolved.
    """
    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    select_all = not (image or imagefile)
    try:
        selection = build_image_list(anchore_config, image, imagefile, select_all, include_allanchore)
        imagelist = selection.keys()
        imagelist = anchore_utils.discover_imageIds(imagelist).keys()
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
def audit(anchore_config, ctx, image, imagefile, include_allanchore):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Sets the module globals ``config`` and ``imagelist``.  ``ctx`` is accepted
    but not read here.  Exits with status 1 when the image selection cannot be
    built or resolved.
    """
    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    select_all = not (image or imagefile)
    try:
        selection = build_image_list(anchore_config, image, imagefile, select_all, include_allanchore)
        imagelist = selection.keys()
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
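def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'

    Exit status (only when a module is given; otherwise the function simply
    returns): 0 on success, 2 when the query reports warnings, 1 on any error.
    """
    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    if not module:
        return

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)

    try:
        nav = init_nav_contexts()
        result = nav.run_query(list(module))
        if result:
            anchore_utils.print_result(config, result)
            if nav.check_for_warnings(result):
                ecode = 2
    except Exception:
        # Was a bare `except:`, which also swallowed SystemExit/KeyboardInterrupt
        # and turned an interrupted query into exit status 1.
        anchore_print_err("query operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)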
def toolbox(anchore_config, ctx, image, imageid):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>
    (or an already-known 64-hex-character id via --imageid).

    Sets the module globals ``config``, ``imagelist`` and ``nav``.  Exits with
    status 1 on any failure (bad --imageid, lookup failure, missing image for
    a subcommand that needs one, navigator construction error).
    """
    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    # Subcommands that can run without a resolved image / navigator.
    image_optional_for = ('import', 'delete', 'kubesync', 'images', 'show')

    try:
        if image:
            # --image may be a tag or repo name; resolve it to image ids.
            imagelist = [image]
            imagelist = anchore_utils.discover_imageIds(imagelist)
        elif imageid:
            # --imageid skips discovery, so it is validated strictly: exactly
            # 64 hex digits and nothing else (\A/\Z rather than ^/$ so a
            # trailing newline is rejected, as the length check did).
            if not re.match(r"\A[0-9a-fA-F]{64}\Z", imageid):
                raise Exception("input is not a valid imageId (64 characters, a-f, A-F, 0-9)")
            imagelist = [imageid]
        else:
            imagelist = []

        if ctx.invoked_subcommand not in image_optional_for:
            if not imagelist:
                raise Exception("for this operation, you must specify an image with '--image' or '--imageid'")
            try:
                nav = navigator.Navigator(anchore_config=config,
                                          imagelist=imagelist,
                                          allimages=contexts['anchore_allimages'])
            except Exception:
                nav = None
                raise
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    if ecode:
        sys.exit(ecode)
def toolbox(anchore_config, ctx, image, imageid):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>
    (or an already-known 64-hex-character id via --imageid).

    Sets the module globals ``config``, ``imagelist`` and ``nav``.  Exits with
    status 1 on any failure (bad --imageid, lookup failure, missing image for
    a subcommand that needs one, navigator construction error).
    """
    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    # Subcommands that can run without a resolved image / navigator.
    image_optional_for = ('import', 'delete', 'kubesync', 'images', 'show')

    try:
        if image:
            # --image may be a tag or repo name; resolve it to image ids.
            imagelist = [image]
            imagelist = anchore_utils.discover_imageIds(imagelist)
        elif imageid:
            # --imageid skips discovery, so it is validated strictly: exactly
            # 64 hex digits and nothing else (\A/\Z rather than ^/$ so a
            # trailing newline is rejected, as the length check did).
            if not re.match(r"\A[0-9a-fA-F]{64}\Z", imageid):
                raise Exception("input is not a valid imageId (64 characters, a-f, A-F, 0-9)")
            imagelist = [imageid]
        else:
            imagelist = []

        if ctx.invoked_subcommand not in image_optional_for:
            if not imagelist:
                raise Exception("for this operation, you must specify an image with '--image' or '--imageid'")
            try:
                nav = navigator.Navigator(anchore_config=config,
                                          imagelist=imagelist,
                                          allimages=contexts['anchore_allimages'])
            except Exception:
                nav = None
                raise
    except Exception:
        anchore_print_err('operation failed')
        ecode = 1

    if ecode:
        sys.exit(ecode)
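def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, policy, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 1 on any operational error (bad input, controller failure,
    exception while running gates, failed policy edit); otherwise the value
    returned by Controller.result_get_highest_action for the gate results.
    This is the value CI pipelines gate on, so every error path ends non-zero.
    """
    ecode = 0
    success = True

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')
    if policy and (editpolicy or whitelist):
        raise click.BadOptionUsage('Cannot use --editpolicy or --whitelist when --policy <file> is specified')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        imagelist = anchore_utils.discover_imageIds(imagelist).keys()
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist, allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    success = True
                    ecode = con.result_get_highest_action(result)
                # NOTE(review): an empty result leaves ecode at 0, i.e. "no
                # evaluations" is reported as pass - confirm that is intended.
            except Exception as err:
                # Previously `print str(err)`: Python 2-only syntax, and it wrote
                # the raw error to stdout where it could corrupt result output.
                # Report it through the error channel like the other commands.
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)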
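def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy, listpolicy, updatepolicy, policy, run_bundle, bundlefile, usetag, resultsonly, show_gatehelp, show_policytemplate, whitelist, global_whitelist, show_triggerids, show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 0 when the selected operation succeeds and no gate reports a
    non-zero action; 1 on any operational error (bad input, failed controller
    or bundle load, exception while evaluating, failed policy edit); otherwise
    the highest action reported by the evaluation.  CI pipelines gate on this
    value, so every error path deliberately ends non-zero (fail closed).
    """
    # Used by the --json output path below; a function-scope import matches
    # this file's style and is harmless if json is also imported at module level.
    import json

    ecode = 0
    success = True

    # --show-gatehelp / --show-policytemplate describe the available gates and
    # need no image; both exit the process directly.
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            outstr = "\n"
            gate_info = anchore_utils.discover_gates()
            for g in gate_info.keys():
                for t in gate_info[g].keys():
                    params = list()
                    # A trigger's 'params' is a comma separated list of names,
                    # or absent / empty / the literal 'none' when it takes none.
                    if 'params' in gate_info[g][t] and gate_info[g][t]['params'] and gate_info[g][t]['params'].lower() != 'none':
                        for p in gate_info[g][t]['params'].split(','):
                            params.append(p + "=<a,b,c>")
                    outstr += ':'.join([g, t, "<STOP|WARN|GO>", ' '.join(params)]) + "\n"
            anchore_print(outstr, do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # Everything below needs image(s); reject conflicting option combinations first.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')
    policy_edit_requested = editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy
    if policy and policy_edit_requested:
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')
    if policy and run_bundle:
        raise click.BadOptionUsage('Cannot use both --policy and --run_bundle at the same time.')
    if run_bundle and policy_edit_requested:
        raise click.BadOptionUsage('Cannot use other policy options when --run_bundle is specified.')
    if run_bundle and usetag and resultsonly:
        raise click.BadOptionUsage('Cannot use --resultsonly if --usetag is specified.')
    if run_bundle and usetag and not image:
        raise click.BadOptionUsage('Cannot specify --usetag unless gating a single image (using --image)')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        # --run_bundle evaluates by the names the user gave (tag matching);
        # the controller works on resolved ids, so both forms are kept.
        inputimagelist = list(imagelist)
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist, allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.", do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.", do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            record = {}
            if not result:
                ecode = 1
            else:
                try:
                    # One "gate:trigger:action[:params]" line per policy entry, per image.
                    for imageId in result.keys():
                        record[imageId] = list()
                        pol = result[imageId]
                        for gate_name in pol.keys():
                            for trigger in pol[gate_name].keys():
                                entry = pol[gate_name][trigger]
                                if str(entry['params']):
                                    outstr = ":".join([gate_name, trigger, str(entry['action']), str(entry['params'])])
                                else:
                                    outstr = ":".join([gate_name, trigger, str(entry['action'])])
                                record[imageId].append(outstr)
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                if not anchore_policy.check():
                    anchore_print_err("run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io")
                    ecode = 1
                else:
                    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
                    if not bundle:
                        raise Exception("could not load stored bundle - run 'anchore policybundle sync' and try again")
                    bundleId = bundle['id']
                    # Fail closed: with nothing to evaluate there is no result to
                    # gate on, so this must not fall through with ecode == 0.
                    # (Previously a stray `inputimagelist[0]` did this only
                    # implicitly, via IndexError.)
                    if not inputimagelist:
                        raise Exception("no input images to evaluate against the bundle")
                    allresults = {}
                    for inputimage in inputimagelist:
                        result, image_ecode = anchore_policy.run_bundle(anchore_config=anchore_config, image=inputimage, matchtags=usetag, bundle=bundle, show_whitelisted=show_whitelisted, show_triggerIds=show_triggerids)
                        allresults.update(result)
                        # Aggregate across images: a failing image (1) is sticky;
                        # any other non-zero code is adopted only while the
                        # aggregate is still 0.
                        if image_ecode == 1:
                            ecode = 1
                        elif ecode == 0 and image_ecode > ecode:
                            ecode = image_ecode
                    if not resultsonly:
                        if anchore_config.cliargs['json']:
                            anchore_print(json.dumps(allresults))
                        else:
                            for image_key in allresults.keys():
                                for gate_result in allresults[image_key]['evaluations']:
                                    _logger.info("Image=" + image_key + " BundleId=" + bundleId + " Policy=" + gate_result['policy_name'] + " Whitelists=" + str(gate_result['whitelist_names']))
                                    anchore_utils.print_result(anchore_config, gate_result['results'])
                    else:
                        # NOTE(review): results of every image and evaluation are
                        # merged into one dict, so equal keys overwrite each other -
                        # confirm that is acceptable for --resultsonly output.
                        final_result = {}
                        for image_key in allresults.keys():
                            for gate_result in allresults[image_key]['evaluations']:
                                final_result.update(gate_result['results'])
                        anchore_utils.print_result(anchore_config, final_result)
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy, global_whitelist=global_whitelist, show_triggerIds=show_triggerids, show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    success = True
                    ecode = con.result_get_highest_action(result)
                # NOTE(review): an empty result leaves ecode at 0, i.e. "no
                # evaluations" is reported as pass - confirm that is intended.
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)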
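def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 1 on any operational error (bad input, controller failure,
    exception while running gates, failed policy edit); otherwise the value
    returned by Controller.result_get_highest_action for the gate results.
    This is the value CI pipelines gate on, so every error path ends non-zero.
    """
    ecode = 0
    success = True

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        imagelist = anchore_utils.discover_imageIds(anchore_config, imagelist).keys()
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist, allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates()
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    success = True
                    ecode = con.result_get_highest_action(result)
                # NOTE(review): an empty result leaves ecode at 0, i.e. "no
                # evaluations" is reported as pass - confirm that is intended.
            except Exception as err:
                # Previously `print str(err)`: Python 2-only syntax, and it wrote
                # the raw error to stdout where it could corrupt result output.
                # Report it through the error channel like the other commands.
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)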
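def analyze(anchore_config, force, image, imagefile, include_allanchore, dockerfile, imagetype, skipgates, layerstrategy, excludefile):
    """
    Invokes the anchore analyzer on the specified image(s).

    To include multiple images use the --imagefile, no option, or --include-allanchore options. To exclude specific images from analysis, use the --excludefile option.

    One of --imagetype or --dockerfile should be supplied for an analysis run. Use --dockerfile whenever possible as the inclusion of the dockerfile for an image associates the dockerfile and image for later use in queries etc. The --dockerfile option is only valid in combination with the --image option. If neither --dockerfile nor --imagetype is supplied, the image(s) are analyzed without a type marker.

    When using --imagetype, use 'none' to specify that the image(s) is an unknown or user image and use 'base' to specify that the image(s) are approved base images to be used to build other images or it is useful to mark the image one from which other images are meant to be derived.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 0 when every selected image analyzes successfully, 1 when the
    image selection cannot be loaded or any analysis fails.  The first analyzer
    exception stops the run; a non-true return from the analyzer marks that
    image failed but continues with the next one.
    """
    success = True
    ecode = 0
    args = {}

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')
    if dockerfile and not image:
        raise click.BadOptionUsage('Must specify --image option when using --dockerfile option')

    # --imagetype is only honoured when the selection does not come from --imagefile.
    if not imagefile and imagetype:
        if imagetype == "anchorebase":
            # Accepted but not advertised in the error text below (kept as-is).
            args['anchorebase'] = True
        elif imagetype == "base":
            args['isbase'] = True
        elif imagetype != "none":
            raise click.BadOptionUsage("Invalid imagetype specified: valid types are 'none' or 'base'")

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore, exclude_file=excludefile, dockerfile=dockerfile)
        # Resolving the ids validates the selection before any analysis starts.
        anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        ecode = 1
    else:
        allimages = {}
        for imageId in imagedict.keys():
            # Each image gets a fresh per-run cache; the previous one is cleared
            # (the original's count/step bookkeeping did exactly this, step being 1).
            allimages.clear()
            allimages = {}
            args.update({'dockerfile': imagedict[imageId]['dockerfile'], 'skipgates': skipgates, 'selection_strategy': layerstrategy})
            inlist = [imageId]
            try:
                anchore_print("Analyzing image: " + imageId)
                rc = analyzer.Analyzer(anchore_config=anchore_config, imagelist=inlist, allimages=allimages, force=force, args=args).run()
                if not rc:
                    anchore_print_err("analysis failed.")
                    success = False
                    ecode = 1
            except Exception:
                # Was a bare `except:`, which also swallowed SystemExit and
                # KeyboardInterrupt and reported them as an analyzer failure.
                anchore_print_err('failed to run analyzer')
                allimages.clear()
                success = False
                ecode = 1
                break
        allimages.clear()
        if not success:
            anchore_print_err("analysis failed for one or more images.")
            ecode = 1

    sys.exit(ecode)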
def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy, listpolicy, updatepolicy, policy, run_bundle, bundlefile, usetag, resultsonly, show_gatehelp, show_policytemplate, whitelist, global_whitelist, show_triggerids, show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 0 when the selected operation succeeds and no gate reports a
    non-zero action; 1 on any operational error (bad input, failed controller
    or bundle load, exception while evaluating, failed policy edit); for
    --run_bundle the code returned by anchore_policy.run_bundle, otherwise the
    value of Controller.result_get_highest_action.  CI pipelines gate on this
    value, so every error path deliberately ends non-zero (fail closed).
    """
    ecode = 0
    success = True

    # special option, does not need any image inputs
    # (--show-gatehelp / --show-policytemplate describe the available gates and
    # exit the process directly.)
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            outstr = "\n"
            gate_info = anchore_utils.discover_gates()
            for g in gate_info.keys():
                for t in gate_info[g].keys():
                    params = list()
                    # A trigger's 'params' is a comma separated list of names,
                    # or absent / empty / the literal 'none' when it takes none.
                    if 'params' in gate_info[g][t] and gate_info[g][t]['params'] and gate_info[g][t]['params'].lower() != 'none':
                        for p in gate_info[g][t]['params'].split(','):
                            params.append(p + "=<a,b,c>")
                    # One "gate:trigger:<action>:param=<a,b,c> ..." template line per trigger.
                    outstr += ':'.join([g, t, "<STOP|WARN|GO>", ' '.join(params)]) + "\n"
            anchore_print(outstr, do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # the rest require some form of image(s) be given as input
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')
    if policy and (editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy):
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')
    if (policy and run_bundle):
        raise click.BadOptionUsage('Cannot use both --policy and --run_bundle at the same time.')
    if (run_bundle and (editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy)):
        raise click.BadOptionUsage('Cannot use other policy options when --run_bundle is specified.')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        # --run_bundle evaluates by the names the user gave (tag matching);
        # the controller works on resolved ids, so both forms are kept.
        inputimagelist = list(imagelist)
        try:
            ret = anchore_utils.discover_imageIds(imagelist)
        except ValueError as err:
            # Re-raised into the outer handler below; net effect is exit(1).
            raise err
        else:
            #imagelist = ret.keys()
            imagelist = ret
    except Exception as err:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist, allimages=contexts['anchore_allimages'], force=force)
    except Exception as err:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        # Exactly one of the policy-editing options or an evaluation runs.
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.", do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.", do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            record = {}
            if not result:
                ecode = 1
            else:
                try:
                    # One "gate:trigger:action[:params]" line per policy entry, per image.
                    # (`gate` below shadows this function's name inside the loop.)
                    for imageId in result.keys():
                        record[imageId] = list()
                        pol = result[imageId]
                        for gate in pol.keys():
                            for trigger in pol[gate].keys():
                                if str(pol[gate][trigger]['params']):
                                    outstr = ":".join([gate, trigger, str(pol[gate][trigger]['action']), str(pol[gate][trigger]['params'])])
                                else:
                                    outstr = ":".join([gate, trigger, str(pol[gate][trigger]['action'])])
                                record[imageId].append(outstr)
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                if not anchore_policy.check():
                    anchore_print_err("run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io")
                    ecode = 1
                else:
                    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
                    if not bundle:
                        raise Exception("could not load stored bundle - run 'anchore policybundle sync' and try again")
                    bundleId = bundle['id']
                    # The bundle evaluation decides the exit code for this path;
                    # an exception in the output handling below overrides it with 1.
                    result, ecode = anchore_policy.run_bundle(anchore_config=anchore_config, imagelist=inputimagelist, matchtag=usetag, bundle=bundle)
                    if not resultsonly:
                        if anchore_config.cliargs['json']:
                            import json
                            anchore_print(json.dumps(result))
                        else:
                            # `image` is rebound to each result key here (shadows the parameter).
                            for image in result.keys():
                                for gate_result in result[image]['evaluations']:
                                    _logger.info("BundleId=" + bundleId + " Policy=" + gate_result['policy_name'] + " Whitelists=" + str(gate_result['whitelist_names']))
                                    anchore_utils.print_result(anchore_config, gate_result['results'])
                    else:
                        # NOTE(review): results of every image and evaluation are
                        # merged into one dict, so equal keys overwrite each other -
                        # confirm that is acceptable for --resultsonly output.
                        final_result = {}
                        for image in result.keys():
                            for gate_result in result[image]['evaluations']:
                                final_result.update(gate_result['results'])
                        anchore_utils.print_result(anchore_config, final_result)
            except Exception as err:
                anchore_print_err("failed to run gates")
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy, global_whitelist=global_whitelist, show_triggerIds=show_triggerids, show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    success = True
                    ecode = con.result_get_highest_action(result)
                # NOTE(review): an empty result leaves ecode at 0, i.e. "no
                # evaluations" is reported as pass - confirm that is intended.
            except Exception as err:
                anchore_print_err("failed to run gates")
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)
def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy, listpolicy, updatepolicy, policy, show_gatehelp, show_policytemplate, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.

    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 0 when the selected operation succeeds and no gate reports a
    non-zero action; 1 on any operational error (bad input, controller
    failure, exception while evaluating, failed policy edit); otherwise the
    value of Controller.result_get_highest_action.  CI pipelines gate on this
    value, so every error path ends non-zero.
    """
    ecode = 0
    success = True

    # --show-gatehelp / --show-policytemplate need no image and exit directly.
    if show_gatehelp:
        try:
            anchore_print(anchore_utils.discover_gates(), do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            template_lines = []
            gate_info = anchore_utils.discover_gates()
            for gate_name in gate_info.keys():
                triggers = gate_info[gate_name]
                for trigger_name in triggers.keys():
                    trigger = triggers[trigger_name]
                    placeholders = []
                    # 'params' is a comma separated list of names, or absent /
                    # empty / the literal 'none' when the trigger takes none.
                    if 'params' in trigger and trigger['params'] and trigger['params'].lower() != 'none':
                        placeholders = [p + "=<a,b,c>" for p in trigger['params'].split(',')]
                    template_lines.append(':'.join([gate_name, trigger_name, "<STOP|WARN|GO>", ' '.join(placeholders)]))
            # Leading newline, one template line per trigger, each newline-terminated.
            anchore_print("\n" + "".join(line + "\n" for line in template_lines), do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # Everything below needs image(s).
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')
    if policy and (editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy):
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')

    try:
        selection = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = selection.keys()
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist, allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if con.rmpolicy():
                anchore_print("policies successfully removed.", do_formatting=True)
            else:
                ecode = 1
        elif updatepolicy:
            if con.updatepolicy(updatepolicy):
                anchore_print("policies successfully updated.", do_formatting=True)
            else:
                ecode = 1
        elif listpolicy:
            listing = con.listpolicy()
            if not listing:
                ecode = 1
            else:
                record = {}
                try:
                    # One "gate:trigger:action[:params]" line per policy entry, per image.
                    for image_id in listing.keys():
                        rows = []
                        record[image_id] = rows
                        policy_for_image = listing[image_id]
                        for gate_name in policy_for_image.keys():
                            triggers = policy_for_image[gate_name]
                            for trigger_name in triggers.keys():
                                entry = triggers[trigger_name]
                                params_text = str(entry['params'])
                                fields = [gate_name, trigger_name, str(entry['action'])]
                                if params_text:
                                    fields.append(params_text)
                                rows.append(":".join(fields))
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        else:
            try:
                # Evaluate the gates; the exit code is the highest action they report.
                result = con.run_gates(policy=policy)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    success = True
                    ecode = con.result_get_highest_action(result)
                # NOTE(review): an empty result leaves ecode at 0 - confirm intended.
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)
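def analyze(anchore_config, force, image, imagefile, include_allanchore, dockerfile, imagetype, skipgates, layerstrategy, excludefile):
    """
    Invokes the anchore analyzer on the specified image(s).

    To include multiple images use the --imagefile, no option, or --include-allanchore options. To exclude specific images from analysis, use the --excludefile option.

    One of --imagetype or --dockerfile should be supplied for an analysis run. Use --dockerfile whenever possible as the inclusion of the dockerfile for an image associates the dockerfile and image for later use in queries etc. The --dockerfile option is only valid in combination with the --image option. If neither --dockerfile nor --imagetype is supplied, the image(s) are analyzed without a type marker.

    When using --imagetype, use 'none' to specify that the image(s) is an unknown or user image and use 'base' to specify that the image(s) are approved base images to be used to build other images or it is useful to mark the image one from which other images are meant to be derived.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 0 when every selected image analyzes successfully, 1 when the
    image selection cannot be loaded or any analysis fails.  The first analyzer
    exception stops the run; a non-true return from the analyzer marks that
    image failed but continues with the next one.
    """
    success = True
    ecode = 0
    args = {}

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')
    if dockerfile and not image:
        raise click.BadOptionUsage('Must specify --image option when using --dockerfile option')

    # --imagetype is only honoured when the selection does not come from --imagefile.
    if not imagefile and imagetype:
        if imagetype == "anchorebase":
            # Accepted but not advertised in the error text below (kept as-is).
            args['anchorebase'] = True
        elif imagetype == "base":
            args['isbase'] = True
        elif imagetype != "none":
            raise click.BadOptionUsage("Invalid imagetype specified: valid types are 'none' or 'base'")

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore, exclude_file=excludefile, dockerfile=dockerfile)
        # Resolving the ids validates the selection before any analysis starts.
        anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        ecode = 1
    else:
        allimages = {}
        for imageId in imagedict.keys():
            # Each image gets a fresh per-run cache; the previous one is cleared
            # (the original's count/step bookkeeping did exactly this, step being 1).
            allimages.clear()
            allimages = {}
            args.update({'dockerfile': imagedict[imageId]['dockerfile'], 'skipgates': skipgates, 'selection_strategy': layerstrategy})
            inlist = [imageId]
            try:
                anchore_print("Analyzing image: " + imageId)
                rc = analyzer.Analyzer(anchore_config=anchore_config, imagelist=inlist, allimages=allimages, force=force, args=args).run()
                if not rc:
                    anchore_print_err("analysis failed.")
                    success = False
                    ecode = 1
            except Exception:
                # Was a bare `except:`, which also swallowed SystemExit and
                # KeyboardInterrupt and reported them as an analyzer failure.
                anchore_print_err('failed to run analyzer')
                allimages.clear()
                success = False
                ecode = 1
                break
        allimages.clear()
        if not success:
            anchore_print_err("analysis failed for one or more images.")
            ecode = 1

    sys.exit(ecode)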