Getting started
IntroductionInstalled packagesEnvironment variablesDebugging buildsCachingParallel testingDeployment pipelinesRunning commands as rootIgnoring commandsRun a command in case of an errorSetting timezoneAccess to other repositoriesUsing scriptsGit LFSUbuntu 20.04 Focal
IntroductionFTP/SSH/SFTP/RSYNCCustom scriptHerokuHeroku MigrationAWS Elastic BeanstalkAWS CodeDeployAWS LambdaAWS S3Google App EngineAWS CLIgcloud CLIAzure CLIDigital OceanEngine YardCapistranoGit PushCloudFoundryCloud66anynines
IntroductionBrowser testingBackground commandsGit submodulesCustom DNSArtifacts
IntroductionCassandraCouchDBDynamoDBMongoDBMySQLPostgreSQLSQLite
IntroductionDartElixirGoJava and JVMMeteorNode.jsPHPPythonRubyRust
IntroductionBeanstalkdRabbitMQRedis
IntroductionElasticsearchMemcachedSphinx
IntroductionCloudBees CodeShip Pro introduction guideCloudBees CodeShip Pro introduction guide 2CloudBees CodeShip Pro introduction guide 3CloudBees CodeShip Pro introduction guide 4CloudBees CodeShip Pro introduction guide 5
Migrating to CloudBees CodeShip Pro
Docker for CI/CD
Getting started with CloudBees CodeShip Pro overview and resources
IntroductionServices configSteps configEnvironment variablesImage registriesImage cachingBuild argumentsVolumesHandling secretsMultiple reposServices and databasesSetting an SSH private keyPreinstalled images
IntroductionInstallationUsing the Jet CLIjet cleanupjet decryptjet encryptjet generatejet loadjet runjet stepsjet updatejet validatejet version
IntroductionAWSAWS S3AWS EBAWS ECSAWS EKSAWS CodeDeployAzure Container ServiceHerokuGoogle CloudGoogle App EngineGoogle Cloud FunctionsGoogle Container EngineGoogle Compute EngineKubernetesTerraformDeploy Via SSHDocker SwarmIBM Cloud FoundryIBM Cloud Container Service
IntroductionBrowser testingParallel testing
IntroductionElixirGoJava and JVMNode.jsPHPPythonRuby
IntroductionCaching multi-stage DockerfileContainer is slow to exitDiffering results with Jet CLIDocker Hub rate limitingManaging multiple environments for a serviceReducing log output from dependent containersStep log not appearingUsing env vars in command steps

Integrating CloudBees CodeShip with Anchore for container image scanning

2 minute read

About Anchore

Anchore is a service that analyzes Docker images and applies user-defined acceptance polices to allow automated container image validation and certification.

By using Anchore you can be sure that your container images are secure and compliant.

The Anchore documentation does a great job of providing more information, in addition to the setup instructions below.

CloudBees CodeShip Pro

Setting up Anchore Engine service

Install Anchore Engine

A running Anchore Engine is required, this does not need to be run within the CodeShip infrastructure as long as the HTTP(s) endpoint of the Anchore Engine is accessible.

Note that this CI/CD model implies the following:

  1. Developers commit code into SCM

  2. CI/CD platform builds container image

  3. CI/CD platform pushes container image to staging registry

  4. CI/CD calls Anchore to analyze container image

  5. Anchore passes or fails the image based on the policy mapped to the image

  6. CI/CD performs automated tests

  7. If the container passes automated tests and policy evaluation the container image is pushed to the production registry.

Building Image

To use Anchore in your CI/CD process, you’ll need to add a Docker image build to a service in your codeship-services.yml file for Anchore to analyze.

imagebuild:
  build:
    dockerfile: Dockerfile
  cached: true

You’ll also need to add a step to your codeship-steps.yml file:

- name: imagebuildstep
  service: imagebuild
  type: push
  image_name: jvalance/sampledockerfiles
  encrypted_dockercfg_path: dockercfg.encrypted

Note that this example implies we have a Dockerfile to reference and build an image from.

Scanning image with Anchore

To scan an image with Anchore, add an Anchore scan service to your codeship-services.yml file for Anchore to analyze.

anchorescan:
  image: anchore/engine-cli:latest
  encrypted_env_file:
    - env.encrypted

You’ll also need to add a step to your codeship-steps.yml file:

- name: anchorestep
  service: anchorescan
  command: sh -c 'echo "Adding image to Anchore engine" &&
    anchore-cli image add $ANCHORE_IMAGE_SCAN &&
    echo "Waiting for image analysis to complete" &&
    counter=0 && while (! (anchore-cli image get $ANCHORE_IMAGE_SCAN | grep 'Status\:\ analyzed') ) ; do echo -n "." ; sleep 10 ; if [ $counter -eq $ANCHORE_RETRIES ] ; then echo " Timeout waiting for analysis" ; exit 1 ; fi ; counter=$(($counter+1)) ; done &&
    echo "Analysis complete" &&
    if [ "$ANCHORE_FAIL_ON_POLICY" == "true" ] ; then anchore-cli evaluate check $ANCHORE_IMAGE_SCAN  ; fi'
  encrypted_env_file:
    - env.encrypted

The job will poll the Anchore Engine every 10 seconds to check if the image has been analyzed and will repeat this until the maximum number of retries specified has been reached.

Note that depending on the result of the Anchore policy evaluation and the $ANCHORE_FAIL_ON_POLICY environment variable, the build may or may not fail.

CloudBees CodeShip Basic

Anchore does not currently integrate with CloudBees CodeShip Basic.

Introduction
Using CodeShip API