• Anchore
• Clair
• Trivy

Both Anchore and Clair environments can be started using my-dev-env, which provides Docker compose files for both.

Test images:

• ninckblokje/helm:latest
  • Contains only OS packages
  • No CVE's (2021-01-20)
• registry.access.redhat.com/ubi7/ubi:7.6
  • Contains only OS packages
  • Multiple CVE's on OS packages
• ninckblokje/crasher:sh
  • Contains OS packages and a Java applications
  • Multiple CVE's on OS packages
• ninckblokje/ratetraining:1.1.0
  • Contains OS packages and a Java Spring Boot application
  • Multiple CVE's on OS packages and JAR's
• ninckblokje/polyglot-micronaut-express:1.0.0
  • Contains OS packages, Java Micronaut application and a Node application
  • Multiple CVE's on OS packages, JAR's and Node modules

Note: It will take quite some time for Anchore to load the database, before images can be scanned!

• System status: docker-compose exec jnb-anchore-api anchore-cli system status
• Feed list: docker-compose exec jnb-anchore-api anchore-cli system feeds list
• Refresh feeds: docker-compose exec jnb-anchore-api anchore-cli system feeds sync
• Add image: docker-compose exec jnb-anchore-api anchore-cli image add [IMAGE_NAME]
• Image vulnerabilities: docker-compose exec jnb-anchore-api anchore-cli image vuln [IMAGE_NAME] all

Note: Clair does not find most CVE's from the example images

• Report image: docker-compose exec jnb-clair clairctl report [IMAGE_NAME]

Trivy runs as a command line tool.

• Scan image: docker run --rm aquasec/trivy image --timeout 5ms0 [IMAGE_NAME]
• Clear cache: docker run --rm aquasec/trivy image --clear-cache