def toolbox(anchore_config, ctx, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    """

    # Shared module state consumed by the subcommands that run after this callback.
    global config, imagelist, nav
    config = anchore_config
    ecode = 0

    imagelist = [image]

    # 'import' and 'delete' work without a resolved image, so nothing else is done for them.
    if ctx.invoked_subcommand in ['import', 'delete']:
        return

    try:
        # Turn the --image reference into the discovered image id(s).
        discovered = anchore_utils.discover_imageIds(imagelist)
        imagelist = discovered
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        nav = navigator.Navigator(anchore_config=config,
                                  imagelist=imagelist,
                                  allimages=contexts['anchore_allimages'])
    except Exception:
        # The failure is reported and nav left unset; ecode is recorded but not acted on here.
        anchore_print_err('operation failed')
        nav = None
        ecode = 1
def explore(anchore_config, image, imagefile, include_allanchore):
    """
    Explore image content via queries, visualizations and reports for the selected image(s).

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    """
    global config, imagelist, nav, vis
    ecode = 0
    success = True
    config = anchore_config

    # The two ways of selecting images are mutually exclusive.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    # Fourth positional flag: set when neither selection option was given.
    no_selection = not (image or imagefile)

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     no_selection, include_allanchore)
        imagelist = imagedict.keys()
        # Replace the references with the discovered image ids.
        discovered = anchore_utils.discover_imageIds(imagelist)
        imagelist = discovered.keys()
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
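def toolbox(anchore_config, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    Sets the module globals ``config``, ``imagelist`` and ``nav`` for the
    subcommands. A ValueError raised by image-id discovery propagates to the
    caller; a failure to build the navigator is reported and leaves ``nav``
    set to None.
    """
    global config, imagelist, nav
    config = anchore_config

    imagelist = [image]

    # The previous ``except ValueError as err: raise err`` added nothing and,
    # on Python 2, discarded the original traceback; let the error propagate.
    imagelist = anchore_utils.discover_imageIds(anchore_config, imagelist).keys()

    try:
        nav = navigator.Navigator(anchore_config=config, imagelist=imagelist, allimages=contexts['anchore_allimages'])
    except Exception:
        anchore_print_err('operation failed')
        nav = None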
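def toolbox(anchore_config, image):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    Populates the module globals ``config``, ``imagelist`` and ``nav``.
    Raises ValueError (from discover_imageIds) when the image reference
    cannot be resolved; navigator construction errors are only reported.
    """
    global config, imagelist, nav
    config = anchore_config

    imagelist = [image]

    try:
        ret = anchore_utils.discover_imageIds(anchore_config, imagelist)
    except ValueError:
        # Bare re-raise keeps the original traceback (``raise err`` dropped it on Python 2).
        raise
    else:
        imagelist = ret.keys()

    try:
        nav = navigator.Navigator(anchore_config=config,
                                  imagelist=imagelist,
                                  allimages=contexts['anchore_allimages'])
    except Exception:
        anchore_print_err('operation failed')
        nav = None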
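def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'

    Always exits the process: 0 on success, 1 if the images cannot be loaded
    or the query raises, 2 if the navigator reports warnings for the result.
    """

    global config, imagelist, nav
    ecode = 0
    config = anchore_config

    if module:
        if image and imagefile:
            raise click.BadOptionUsage(
                'Can only use one of --image, --imagefile')

        try:
            imagedict = build_image_list(anchore_config, image, imagefile,
                                         not (image or imagefile),
                                         include_allanchore)
            imagelist = list(imagedict.keys())
            # Map the references onto the discovered image ids.
            imagelist = anchore_utils.discover_imageIds(imagelist)

        except Exception:
            anchore_print_err("could not load input images")
            sys.exit(1)

    try:
        nav = init_nav_contexts()
        result = nav.run_query(list(module))
        if result:
            anchore_utils.print_result(config, result)

        if nav.check_for_warnings(result):
            ecode = 2

    except Exception:
        # Was a bare ``except:``, which also swallowed SystemExit and
        # KeyboardInterrupt; only real errors should become exit code 1.
        anchore_print_err("query operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)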
def audit(anchore_config, image, imagefile, include_allanchore):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """

    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    # --image and --imagefile cannot be combined.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    no_selection = not (image or imagefile)
    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     no_selection, include_allanchore)
        imagelist = imagedict.keys()
        # Swap the references for the discovered image ids.
        resolved = anchore_utils.discover_imageIds(imagelist)
        imagelist = resolved.keys()
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
def audit(anchore_config, ctx, image, imagefile, include_allanchore):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """

    global config, imagelist, nav
    ecode = 0
    success = True
    config = anchore_config

    # Only one selection option may be used at a time.
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        # Unlike the other commands, the discovery result is used as-is (no .keys()).
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load input images")
        sys.exit(1)
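def query(anchore_config, image, imagefile, include_allanchore, module):
    """
    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Execute the specified query (module) with any parameters it requires. Modules are scripts in a specific location.

    Each query has its own parameters and outputs.

    Examples using pre-defined queries:

    'anchore query --image nginx:latest list-packages all'
    'anchore query has-package wget'
    'anchore query --image nginx:latest list-files-detail all'
    'anchore query cve-scan all'

    Exit status: 1 when the images cannot be loaded or the query fails,
    2 when the navigator flags warnings in the result, 0 otherwise.
    """

    global config, imagelist, nav
    ecode = 0
    config = anchore_config

    if module:
        if image and imagefile:
            raise click.BadOptionUsage('Can only use one of --image, --imagefile')

        try:
            imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
            imagelist = imagedict.keys()
            # Resolve the references to image ids; any failure aborts the command.
            imagelist = anchore_utils.discover_imageIds(imagelist)
        except Exception:
            anchore_print_err("could not load input images")
            sys.exit(1)

    try:
        nav = init_nav_contexts()

        result = nav.run_query(list(module))
        if result:
            anchore_utils.print_result(config, result)

        if nav.check_for_warnings(result):
            ecode = 2

    except Exception:
        # Narrowed from a bare ``except:`` so that KeyboardInterrupt and
        # SystemExit are no longer reported as a failed query.
        anchore_print_err("query operation failed")
        ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)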
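def toolbox(anchore_config, ctx, image, imageid):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    The image is selected either by --image (resolved through
    discover_imageIds) or by --imageid (a 64-character hex id used as given).
    Every subcommand except import, delete, kubesync, images and show needs one
    of them and gets a Navigator in the module global ``nav``. Any failure is
    reported, including its reason, and the process exits with status 1.
    """

    global config, imagelist, nav

    config = anchore_config
    ecode = 0

    try:

        # set up imagelist of imageIds
        if image:
            imagelist = anchore_utils.discover_imageIds([image])
        elif imageid:
            # Only a full 64-character hex digest is accepted; re.search is
            # enough since one non-hex character already disqualifies the input.
            if len(imageid) != 64 or re.search("[^0-9a-fA-F]", imageid):
                raise Exception(
                    "input is not a valid imageId (64 characters, a-f, A-F, 0-9)"
                )

            imagelist = [imageid]
        else:
            imagelist = []

        if ctx.invoked_subcommand not in [
                'import', 'delete', 'kubesync', 'images', 'show'
        ]:
            if not imagelist:
                raise Exception(
                    "for this operation, you must specify an image with '--image' or '--imageid'"
                )
            try:
                nav = navigator.Navigator(
                    anchore_config=config,
                    imagelist=imagelist,
                    allimages=contexts['anchore_allimages'])
            except Exception:
                nav = None
                raise

    except Exception as err:
        # The messages raised above were previously discarded here and the
        # user only ever saw 'operation failed'; include the reason.
        anchore_print_err('operation failed: ' + str(err))
        ecode = 1

    if ecode:
        sys.exit(ecode)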
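def toolbox(anchore_config, ctx, image, imageid):
    """
    A collection of tools for operating on images and containers and building anchore modules.

    Subcommands operate on the specified image passed in as --image <imgid>

    Selects the image from --image (resolved via discover_imageIds) or
    --imageid (validated as 64 hex characters, used as given), and builds the
    Navigator in the module global ``nav`` for the subcommands that inspect an
    image. On any error the reason is printed and the process exits with 1.
    """

    global config, imagelist, nav

    config = anchore_config
    ecode = 0

    def _check_imageid(candidate):
        """Raise unless *candidate* is a 64-character hexadecimal image id."""
        if len(candidate) != 64 or re.search("[^0-9a-fA-F]", candidate):
            raise Exception("input is not a valid imageId (64 characters, a-f, A-F, 0-9)")

    # Subcommands that manage the image store and do not need a selected image.
    no_image_needed = ['import', 'delete', 'kubesync', 'images', 'show']

    try:

        # set up imagelist of imageIds
        if image:
            imagelist = anchore_utils.discover_imageIds([image])
        elif imageid:
            _check_imageid(imageid)
            imagelist = [imageid]
        else:
            imagelist = []

        if ctx.invoked_subcommand not in no_image_needed:
            if not imagelist:
                raise Exception("for this operation, you must specify an image with '--image' or '--imageid'")
            try:
                nav = navigator.Navigator(anchore_config=config, imagelist=imagelist, allimages=contexts['anchore_allimages'])
            except Exception:
                nav = None
                raise

    except Exception as err:
        # Previously only 'operation failed' was shown, hiding the validation
        # messages raised above from the user.
        anchore_print_err('operation failed: ' + str(err))
        ecode = 1

    if ecode:
        sys.exit(ecode)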
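def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, policy, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.
    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Always exits the process. Status 1 when the images cannot be loaded, the
    controller cannot be built, a policy/whitelist edit fails or running the
    gates raises; otherwise the highest gate action reported by the controller
    (0 when there is no result).
    """

    ecode = 0

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    # A policy file cannot be combined with the interactive edit options.
    if policy and (editpolicy or whitelist):
        raise click.BadOptionUsage('Cannot use --editpolicy or --whitelist when --policy <file> is specified')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        # Resolve the references to discovered image ids.
        imagelist = anchore_utils.discover_imageIds(imagelist).keys()
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist, allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                # Function-call form of print: valid on both Python 2 and 3,
                # unlike the previous ``print str(err)`` statement.
                print(str(err))
                anchore_print_err("failed to run gates")
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)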
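def gate(anchore_config, force, image, imagefile, include_allanchore, editpolicy, rmpolicy, listpolicy, updatepolicy, policy, run_bundle, bundlefile, usetag, resultsonly, show_gatehelp, show_policytemplate, whitelist, global_whitelist, show_triggerids, show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.
    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Always terminates the process via sys.exit: 0 on success, 1 on any
    failure, or the highest gate action returned by the controller when the
    gates are run. --show_gatehelp and --show_policytemplate exit before any
    image is loaded.
    """

    ecode = 0

    # special option, does not need any image inputs
    if show_gatehelp:
        try:
            gate_info = anchore_utils.discover_gates()
            anchore_print(gate_info, do_formatting=True)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    if show_policytemplate:
        try:
            outstr = "\n"
            gate_info = anchore_utils.discover_gates()
            # One template line per gate/trigger: gate:trigger:<action>:param=<a,b,c> ...
            for g in gate_info.keys():
                for t in gate_info[g].keys():
                    params = list()
                    # A literal 'none' (any case) means the trigger takes no parameters.
                    if 'params' in gate_info[g][t] and gate_info[g][t]['params'] and gate_info[g][t]['params'].lower() != 'none':
                        for p in gate_info[g][t]['params'].split(','):
                            params.append(p+"=<a,b,c>")

                    outstr += ':'.join([g, t, "<STOP|WARN|GO>", ' '.join(params)]) + "\n"

            anchore_print(outstr, do_formatting=False)
        except Exception as err:
            anchore_print_err("operation failed: " + str(err))
            sys.exit(1)
        sys.exit(0)

    # the rest require some form of image(s) be given as input
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    if policy and (editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy):
        raise click.BadOptionUsage('Cannot use other policy options when --policy <file> is specified.')

    if (policy and run_bundle):
        raise click.BadOptionUsage('Cannot use both --policy and --run_bundle at the same time.')

    if (run_bundle and (editpolicy or whitelist or listpolicy or updatepolicy or rmpolicy)):
        raise click.BadOptionUsage('Cannot use other policy options when --run_bundle is specified.')

    if (run_bundle and (usetag and resultsonly)):
        raise click.BadOptionUsage('Cannot use --resultsonly if --usetag is specified.')

    if (run_bundle and (usetag and not image)):
        raise click.BadOptionUsage('Cannot specify --usetag unless gating a single image (using --image)')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore)
        imagelist = imagedict.keys()
        # Captured before discovery: --run_bundle iterates these keys, not the resolved ids.
        inputimagelist = list(imagelist)
        imagelist = anchore_utils.discover_imageIds(imagelist)
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config, imagelist=imagelist, allimages=contexts['anchore_allimages'], force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.", do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.", do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            record = {}
            if not result:
                ecode = 1
            else:
                try:
                    # Flatten each image's policy to "gate:trigger:action[:params]" strings.
                    for imageId in result.keys():
                        record[imageId] = list()
                        pol = result[imageId]
                        for gate_name in pol.keys():
                            for trigger in pol[gate_name].keys():
                                if str(pol[gate_name][trigger]['params']):
                                    outstr = ":".join([gate_name, trigger, str(pol[gate_name][trigger]['action']), str(pol[gate_name][trigger]['params'])])
                                else:
                                    outstr = ":".join([gate_name, trigger, str(pol[gate_name][trigger]['action'])])
                                record[imageId].append(outstr)
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                if not anchore_policy.check():
                    anchore_print_err("run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io")
                    ecode = 1
                else:
                    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
                    if not bundle:
                        raise Exception("could not load stored bundle - run 'anchore policybundle sync' and try again")

                    bundleId = bundle['id']

                    # Fail closed: an empty image list must not evaluate as a
                    # passing gate run (previously an implicit IndexError here).
                    if not inputimagelist:
                        raise Exception("no input images to evaluate the bundle against")

                    allresults = {}
                    for inputimage in inputimagelist:
                        result, image_ecode = anchore_policy.run_bundle(anchore_config=anchore_config, image=inputimage, matchtags=usetag, bundle=bundle, show_whitelisted=show_whitelisted, show_triggerIds=show_triggerids)
                        allresults.update(result)

                        # An error (1) from any image always wins; otherwise only the
                        # first non-zero code is kept. NOTE(review): a later, higher
                        # code does not replace an earlier non-zero one — confirm intended.
                        if image_ecode == 1:
                            ecode = 1
                        elif ecode == 0 and image_ecode > ecode:
                            ecode = image_ecode

                    if not resultsonly:
                        if anchore_config.cliargs['json']:
                            anchore_print(json.dumps(allresults))
                        else:
                            # Loop variable renamed so it no longer shadows the --image option.
                            for result_image in allresults.keys():
                                for gate_result in allresults[result_image]['evaluations']:
                                    _logger.info("Image="+result_image + " BundleId="+bundleId+" Policy="+gate_result['policy_name']+" Whitelists="+str(gate_result['whitelist_names']))
                                    anchore_utils.print_result(anchore_config, gate_result['results'])
                    else:
                        final_result = {}
                        for result_image in allresults.keys():
                            for gate_result in allresults[result_image]['evaluations']:
                                final_result.update(gate_result['results'])
                        anchore_utils.print_result(anchore_config, final_result)
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1

        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy, global_whitelist=global_whitelist, show_triggerIds=show_triggerids, show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
            except Exception:
                anchore_print_err("failed to run gates")
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)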
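def gate(
    anchore_config,
    force,
    image,
    imagefile,
    include_allanchore,
    editpolicy,
    whitelist,
):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.
    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exit status: 1 if the images cannot be loaded, the controller fails, an
    edit is rejected or the gate run raises; otherwise the highest gate action
    the controller reports for the result (0 when there is none).
    """

    ecode = 0

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile),
                                     include_allanchore)
        imagelist = imagedict.keys()
        # Resolve references to discovered image ids.
        imagelist = anchore_utils.discover_imageIds(anchore_config, imagelist).keys()
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates()
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
            except Exception as err:
                # ``print str(err)`` was a Python 2 statement; the call form
                # behaves the same there and also parses on Python 3.
                print(str(err))
                anchore_print_err("failed to run gates")
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)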
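def analyze(anchore_config, force, image, imagefile, include_allanchore,
            dockerfile, imagetype, skipgates, layerstrategy, excludefile):
    """
    Invokes the anchore analyzer on the specified image(s).

    To include multiple images use the --imagefile, no option, or --include-allanchore options.
    To exclude specific images from analysis, use the --excludefile option.

    One of --imagetype or --dockerfile should be supplied for an analysis run. Use --dockerfile whenever possible as the inclusion
    of the dockerfile for an image associates the dockerfile and image for later use in queries etc. The --dockerfile option
    is only valid in combination with the --image option.  If neither --dockerfile nor --imagetype is supplied, no image
    type flag is passed to the analyzer (the same as --imagetype none).

    When using --imagetype, use 'none' to specify that the image(s) is an unknown or user image and use 'base' to specify
    that the image(s) are approved base images to be used to build other images or it is useful to mark the image one from which
    other images are meant to be derived.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    Exits with 0 when every image analyzed successfully and 1 otherwise.
    """

    success = True
    ecode = 0

    # Extra analyzer arguments: image-type flags now, per-image values merged in below.
    args = {}

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    if dockerfile and not image:
        raise click.BadOptionUsage(
            'Must specify --image option when using --dockerfile option')

    # --imagetype is only honoured for selections made without --imagefile.
    if not imagefile and imagetype:
        if imagetype == "anchorebase":
            args['anchorebase'] = True
        elif imagetype == "base":
            args['isbase'] = True
        elif imagetype != "none":
            raise click.BadOptionUsage(
                "Invalid imagetype specified: valid types are 'none' or 'base'"
            )

    try:
        imagedict = build_image_list(anchore_config,
                                     image,
                                     imagefile,
                                     not (image or imagefile),
                                     include_allanchore,
                                     exclude_file=excludefile,
                                     dockerfile=dockerfile)
        imagelist = imagedict.keys()
        # Discovery validates the references; the loop below keys off imagedict.
        imagelist = anchore_utils.discover_imageIds(imagelist)

    except Exception:
        anchore_print_err("could not load any images")
        ecode = 1
    else:

        # With step == 1 the shared allimages dict is reset before every image.
        step = 1
        count = 0
        allimages = {}
        for imageId in imagedict.keys():

            if count % step == 0:
                allimages.clear()
                allimages = {}
                count = 0

            args.update({
                'dockerfile': imagedict[imageId]['dockerfile'],
                'skipgates': skipgates,
                'selection_strategy': layerstrategy
            })

            inlist = [imageId]
            try:
                anchore_print("Analyzing image: " + imageId)
                rc = analyzer.Analyzer(anchore_config=anchore_config,
                                       imagelist=inlist,
                                       allimages=allimages,
                                       force=force,
                                       args=args).run()
                if not rc:
                    anchore_print_err("analysis failed.")
                    success = False
                    ecode = 1

            except Exception:
                # Narrowed from a bare ``except:`` so Ctrl-C (KeyboardInterrupt)
                # and SystemExit are not reported as an analyzer failure.
                anchore_print_err('failed to run analyzer')
                allimages.clear()
                success = False
                ecode = 1
                break

            count = count + 1

        allimages.clear()

        if not success:
            anchore_print_err("analysis failed for one or more images.")
            ecode = 1

    sys.exit(ecode)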
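def gate(anchore_config, force, image, imagefile, include_allanchore,
         editpolicy, rmpolicy, listpolicy, updatepolicy, policy, run_bundle,
         bundlefile, usetag, resultsonly, show_gatehelp, show_policytemplate,
         whitelist, global_whitelist, show_triggerids, show_whitelisted):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.
    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # Exit status handed to sys.exit(): 0 on success, 1 on any handled
    # failure, or the highest gate action when the gates actually run.
    ecode = 0

    # Informational options need no image input; each one exits on its own.
    if show_gatehelp:
        _print_gate_help()
        sys.exit(0)

    if show_policytemplate:
        _print_policy_template()
        sys.exit(0)

    # the rest require some form of image(s) be given as input
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    # Any of the policy-editing switches conflicts with an explicit policy
    # file and with a bundle run.
    policy_edit_requested = bool(editpolicy or whitelist or listpolicy
                                 or updatepolicy or rmpolicy)

    if policy and policy_edit_requested:
        raise click.BadOptionUsage(
            'Cannot use other policy options when --policy <file> is specified.'
        )

    if policy and run_bundle:
        raise click.BadOptionUsage(
            'Cannot use both --policy and --run_bundle at the same time.')

    if run_bundle and policy_edit_requested:
        raise click.BadOptionUsage(
            'Cannot use other policy options when --run_bundle is specified.')

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile),
                                     include_allanchore)
        # The names as given by the user are kept for the bundle run (which
        # matches on tags); the resolved ids are what the Controller uses.
        inputimagelist = list(imagedict.keys())
        imagelist = anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.",
                              do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.",
                              do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    record = _format_policy_records(result)
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        elif run_bundle:
            try:
                ecode = _run_policy_bundle(anchore_config, inputimagelist,
                                           bundlefile, usetag, resultsonly)
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy,
                                       global_whitelist=global_whitelist,
                                       show_triggerIds=show_triggerids,
                                       show_whitelisted=show_whitelisted)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
                # NOTE(review): a falsy result leaves ecode at 0, so the
                # command exits successfully without having reported any
                # gate evaluation - confirm this fail-open is intended.
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)


def _print_gate_help():
    """Print the discovered gate/trigger catalogue; exit 1 if discovery fails."""
    try:
        gate_info = anchore_utils.discover_gates()
        anchore_print(gate_info, do_formatting=True)
    except Exception as err:
        anchore_print_err("operation failed: " + str(err))
        sys.exit(1)


def _print_policy_template():
    """Print a fill-in policy template, one line per discovered trigger.

    Each line has the form ``gate:trigger:<STOP|WARN|GO> p1=<a,b,c> ...``.
    Exits with status 1 if gate discovery or formatting fails.
    """
    try:
        gate_info = anchore_utils.discover_gates()
        lines = []
        for g in gate_info.keys():
            for t in gate_info[g].keys():
                # 'params' is a comma-separated string; a missing/empty value
                # or the literal 'none' (any case) means no parameters.
                raw_params = gate_info[g][t].get('params')
                params = []
                if raw_params and raw_params.lower() != 'none':
                    params = [p + "=<a,b,c>" for p in raw_params.split(',')]
                lines.append(
                    ':'.join([g, t, "<STOP|WARN|GO>", ' '.join(params)]))

        outstr = "\n" + "".join(line + "\n" for line in lines)
        anchore_print(outstr, do_formatting=False)
    except Exception as err:
        anchore_print_err("operation failed: " + str(err))
        sys.exit(1)


def _format_policy_records(result):
    """Flatten a ``Controller.listpolicy()`` result into printable rules.

    ``result`` maps image id -> gate -> trigger -> rule dict carrying
    'action' and 'params'. Returns image id -> list of
    ``gate:trigger:action[:params]`` strings (params omitted when empty).
    Raises whatever the lookups raise; the caller reports it.
    """
    record = {}
    for imageId in result.keys():
        record[imageId] = []
        pol = result[imageId]
        for gate_name in pol.keys():
            for trigger in pol[gate_name].keys():
                rule = pol[gate_name][trigger]
                parts = [gate_name, trigger, str(rule['action'])]
                if str(rule['params']):
                    parts.append(str(rule['params']))
                record[imageId].append(":".join(parts))
    return record


def _run_policy_bundle(anchore_config, inputimagelist, bundlefile, usetag,
                       resultsonly):
    """Evaluate the synced policy bundle against ``inputimagelist``.

    Returns the exit code produced by ``anchore_policy.run_bundle``, or 1
    when no bundle has been synced yet. Raises if the stored bundle cannot
    be loaded or if printing the evaluations fails; the caller turns that
    into exit code 1.
    """
    if not anchore_policy.check():
        anchore_print_err(
            "run-bundle specified, but it appears as though no policy bundles have been synced yet: run 'anchore policybundle sync' to get your latest bundles from anchore.io"
        )
        return 1

    bundle = anchore_policy.load_policymeta(policymetafile=bundlefile)
    if not bundle:
        raise Exception(
            "could not load stored bundle - run 'anchore policybundle sync' and try again"
        )

    bundleId = bundle['id']
    result, ecode = anchore_policy.run_bundle(anchore_config=anchore_config,
                                              imagelist=inputimagelist,
                                              matchtag=usetag,
                                              bundle=bundle)
    if resultsonly:
        # Collapse every evaluation into a single result table.
        final_result = {}
        for image_id in result.keys():
            for gate_result in result[image_id]['evaluations']:
                final_result.update(gate_result['results'])
        anchore_utils.print_result(anchore_config, final_result)
    elif anchore_config.cliargs['json']:
        import json
        anchore_print(json.dumps(result))
    else:
        for image_id in result.keys():
            for gate_result in result[image_id]['evaluations']:
                # %-formatting tolerates a non-str bundle id, which plain
                # concatenation would reject.
                _logger.info("BundleId=%s Policy=%s Whitelists=%s" % (
                    bundleId, gate_result['policy_name'],
                    str(gate_result['whitelist_names'])))
                anchore_utils.print_result(anchore_config,
                                           gate_result['results'])
    return ecode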
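def gate(anchore_config, force, image, imagefile, include_allanchore,
         editpolicy, rmpolicy, listpolicy, updatepolicy, policy, show_gatehelp,
         show_policytemplate, whitelist):
    """
    Runs gate checks on the specified image(s) or edits the image's gate policy.
    The --editpolicy option is only valid for a single image.

    The --image and --imagefile options are mutually exclusive.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).
    """
    # Exit status handed to sys.exit(): 0 on success, 1 on any handled
    # failure, or the highest gate action when the gates actually run.
    ecode = 0

    # Informational options need no image input; each one exits on its own.
    if show_gatehelp:
        _print_gate_help()
        sys.exit(0)

    if show_policytemplate:
        _print_policy_template()
        sys.exit(0)

    # the rest require some form of image(s) be given as input
    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    if policy and (editpolicy or whitelist or listpolicy or updatepolicy
                   or rmpolicy):
        raise click.BadOptionUsage(
            'Cannot use other policy options when --policy <file> is specified.'
        )

    try:
        imagedict = build_image_list(anchore_config, image, imagefile,
                                     not (image or imagefile),
                                     include_allanchore)
        # Resolve the user-supplied names to image ids for the Controller.
        imagelist = anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    try:
        con = controller.Controller(anchore_config=anchore_config,
                                    imagelist=imagelist,
                                    allimages=contexts['anchore_allimages'],
                                    force=force)
    except Exception:
        anchore_print_err("gate operation failed")
        ecode = 1
    else:
        if editpolicy:
            if not con.editpolicy():
                ecode = 1
        elif whitelist:
            if not con.editwhitelist():
                ecode = 1
        elif rmpolicy:
            if not con.rmpolicy():
                ecode = 1
            else:
                anchore_print("policies successfully removed.",
                              do_formatting=True)
        elif updatepolicy:
            if not con.updatepolicy(updatepolicy):
                ecode = 1
            else:
                anchore_print("policies successfully updated.",
                              do_formatting=True)
        elif listpolicy:
            result = con.listpolicy()
            if not result:
                ecode = 1
            else:
                try:
                    record = _format_policy_records(result)
                    if record:
                        anchore_print(record, do_formatting=True)
                except Exception as err:
                    anchore_print_err("failed to list policies: " + str(err))
                    ecode = 1
        else:
            try:
                # run the gates
                result = con.run_gates(policy=policy)
                if result:
                    anchore_utils.print_result(anchore_config, result)
                    ecode = con.result_get_highest_action(result)
                # NOTE(review): a falsy result leaves ecode at 0, so the
                # command exits successfully without having reported any
                # gate evaluation - confirm this fail-open is intended.
            except Exception as err:
                anchore_print_err("failed to run gates: " + str(err))
                ecode = 1

    contexts['anchore_allimages'].clear()
    sys.exit(ecode)


def _print_gate_help():
    """Print the discovered gate/trigger catalogue; exit 1 if discovery fails."""
    try:
        gate_info = anchore_utils.discover_gates()
        anchore_print(gate_info, do_formatting=True)
    except Exception as err:
        anchore_print_err("operation failed: " + str(err))
        sys.exit(1)


def _print_policy_template():
    """Print a fill-in policy template, one line per discovered trigger.

    Each line has the form ``gate:trigger:<STOP|WARN|GO> p1=<a,b,c> ...``.
    Exits with status 1 if gate discovery or formatting fails.
    """
    try:
        gate_info = anchore_utils.discover_gates()
        lines = []
        for g in gate_info.keys():
            for t in gate_info[g].keys():
                # 'params' is a comma-separated string; a missing/empty value
                # or the literal 'none' (any case) means no parameters.
                raw_params = gate_info[g][t].get('params')
                params = []
                if raw_params and raw_params.lower() != 'none':
                    params = [p + "=<a,b,c>" for p in raw_params.split(',')]
                lines.append(
                    ':'.join([g, t, "<STOP|WARN|GO>", ' '.join(params)]))

        outstr = "\n" + "".join(line + "\n" for line in lines)
        anchore_print(outstr, do_formatting=False)
    except Exception as err:
        anchore_print_err("operation failed: " + str(err))
        sys.exit(1)


def _format_policy_records(result):
    """Flatten a ``Controller.listpolicy()`` result into printable rules.

    ``result`` maps image id -> gate -> trigger -> rule dict carrying
    'action' and 'params'. Returns image id -> list of
    ``gate:trigger:action[:params]`` strings (params omitted when empty).
    Raises whatever the lookups raise; the caller reports it.
    """
    record = {}
    for imageId in result.keys():
        record[imageId] = []
        pol = result[imageId]
        for gate_name in pol.keys():
            for trigger in pol[gate_name].keys():
                rule = pol[gate_name][trigger]
                parts = [gate_name, trigger, str(rule['action'])]
                if str(rule['params']):
                    parts.append(str(rule['params']))
                record[imageId].append(":".join(parts))
    return record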
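def analyze(anchore_config, force, image, imagefile, include_allanchore, dockerfile, imagetype, skipgates, layerstrategy, excludefile):
    """
    Invokes the anchore analyzer on the specified image(s).

    To include multiple images use the --imagefile, no option, or --include-allanchore options.
    To exclude specific images from analysis, use the --excludefile option.

    One of --imagetype or --dockerfile should be supplied for an analysis run. Use --dockerfile whenever possible as the inclusion
    of the dockerfile for an image associates the dockerfile and image for later use in queries etc. The --dockerfile option
    is only valid in combination with the --image option.  If neither --dockerfile nor --imagetype is supplied, then the
    image(s) are analyzed without any image-type marking.

    When using --imagetype, use 'none' to specify that the image(s) is an unknown or user image and use 'base' to specify
    that the image(s) are approved base images to be used to build other images or it is useful to mark the image one from which
    other images are meant to be derived.

    Image IDs can be specified as hash ids, repo names (e.g. centos), or tags (e.g. centos:latest).

    """
    # Exit status: 0 when every image analyzed cleanly, 1 otherwise.
    ecode = 0

    # Analyzer options shared by every image; per-image entries are merged
    # in inside the loop below.
    args = {}

    if image and imagefile:
        raise click.BadOptionUsage('Can only use one of --image, --imagefile')

    if dockerfile and not image:
        raise click.BadOptionUsage('Must specify --image option when using --dockerfile option')

    # --imagetype is only honoured (and only validated) for directly named
    # images; it is silently ignored when an --imagefile is given.
    if not imagefile and imagetype:
        if imagetype == "anchorebase":
            args['anchorebase'] = True
        elif imagetype == "base":
            args['isbase'] = True
        elif imagetype != "none":
            # 'anchorebase' is accepted above but not listed in this message.
            raise click.BadOptionUsage("Invalid imagetype specified: valid types are 'none' or 'base'")

    try:
        imagedict = build_image_list(anchore_config, image, imagefile, not (image or imagefile), include_allanchore, exclude_file=excludefile, dockerfile=dockerfile)
        # Resolution is performed for its failure reporting only: the loop
        # below iterates imagedict and the resolved ids are not used here.
        anchore_utils.discover_imageIds(imagedict.keys())
    except Exception:
        anchore_print_err("could not load any images")
        sys.exit(1)

    success = True
    allimages = {}
    for imageId in imagedict.keys():
        # Each image is analyzed with a fresh shared-image cache.
        allimages = {}

        args.update({'dockerfile': imagedict[imageId]['dockerfile'], 'skipgates': skipgates, 'selection_strategy': layerstrategy})

        try:
            anchore_print("Analyzing image: " + imageId)
            rc = analyzer.Analyzer(anchore_config=anchore_config, imagelist=[imageId], allimages=allimages, force=force, args=args).run()
            if not rc:
                anchore_print_err("analysis failed.")
                success = False
        # Catch Exception rather than a bare except so that KeyboardInterrupt
        # and SystemExit from inside the analyzer are not swallowed.
        except Exception:
            anchore_print_err('failed to run analyzer')
            allimages.clear()
            success = False
            break

    allimages.clear()

    # Any single failure makes the whole run fail (fail-closed).
    if not success:
        anchore_print_err("analysis failed for one or more images.")
        ecode = 1

    sys.exit(ecode)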