Anchore Azure DevOps Task Plugins
Anchore Task Extensions for Azure DevOps Pipelines
This is an Azure DevOps Pipeline task for scanning locally built images using Anchore Engine. It is used to scan container images and will return the vulnerabilities found, a software bill of materials, and the result of a policy evaluation. The task can be provided a custom policy which can be used to fail the pipeline if so desired.
No data is sent to a remote service to execute the scan, and no credentials are required
The vulnerability data comes from sources such as RedHat, Debian, Alpine, etc. All of this vulnerability data is packaged with the Anchore container that is used in the Anchore task. This means no external connections are required to sync vulnerability data when Anchore runs. The only external connection that is needed will be the connection to pull the Anchore image itself.
Getting the results only
By default, the Anchore task will simply scan a local image using Anchore Engine and will provide files that contain a list of all the contents in the image as well as a list of all the vulnerabilities detected by Anchore. Both of these files will be output as pipeline variables along with the result of the policy evaluation. Under default behavior, the pipeline will not fail when the container does not pass the Anchore policy scan. The fail result will be published as a variable in the pipeline and can be used in subsequent tasks.
Note: While the dockerfile option is not required, it is recommended if the Dockerfile is available as it adds metadata for Anchore Engine.
Failing the pipeline when Anchore Policy scan fails
By default, the Anchore task will not fail the pipeline if the policy scan
If this option is set and the container does not pass policy, the build will fail and the following variables will be published:
Scanning Application and OS Packages in the Container
By default, the Anchore task uses an image which will only find vulnerabilities
in OS packages (rpms, dpkg, apk, etc). This version of the Anchore image is
much smaller and therefore results in a faster scan. If you wish to find
vulnerabilities in application packages (npm, gems, pip, etc) then set the
Scanning with a Custom Policy
When the Anchore task runs, it will use a default policy that is bundled with
the scanner. If you wish to use your own custom policy then simply use the
This example builds a local image and runs an Anchore scan on the image. It
provides a custom Anchore policy which it assumes is contained in the root of
the repository under the
We love contributions, feedback, and bug reports. For issues with the invocation of this action, file issues in this repository.
For contributing, see Contributing.
For documentation on Anchore itself, including policy language and capabilities see the Anchore Documentation
Connect with the anchore community directly on slack.