Adding an Image
To add an image to Anchore to be Analyzed refer to the adding images page.
A list of all tags/images analyzed by the Anchore Engine can be obtained by running the following command:
anchore-cli image list Full Tag Image ID Analysis Status docker.io/alpine:latest 7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560 analyzed docker.io/debian:latest 5b712ae16dd7439315462fe0719d87855ea88f4d3ab0461547a089a6a4116109 analyzed docker.io/library/alpine:latest 7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560 analyzed docker.io/library/cassandra:latest d95f2513bdd2d94fd0c85ffd49cd024c0dda0fcd2862498f94e9553470fd08c2 not_analyzed docker.io/library/centos:latest 328edcd84f1bbf868bc88e4ae37afe421ef19be71890f59b4b2d8ba48414b84d analyzed docker.io/library/debian:latest 5b712ae16dd7439315462fe0719d87855ea88f4d3ab0461547a089a6a4116109 analyzed docker.io/library/nginx:latest 66216d141be6772cecb89c02b18ad3e19bc14c89298fd965457611a3f84d46c5 analyzed docker.io/library/ubuntu:latest ccc7a11d65b1b5874b65adb4b2387034582d08d65ac1817ebc5fb9be1baa5f88 analyzed docker.io/ubuntu:latest ccc7a11d65b1b5874b65adb4b2387034582d08d65ac1817ebc5fb9be1baa5f88 analyzed registry.access.redhat.com/rhel7:latest None analyzing
The default output format will list the Full Tag of the image, the Image ID ad the Analysis status of an image. The analysis status will be one of four values:
- analyzed : The image has been analyzed and can be inspected and evaluated.
- not_analyzed : The image has been submitted for analysis but not yet analyzed. Typically seen when the image is queued for analysis
- analyzing : The image is currently being analyzed by the Anchore Engine
- analysis_failed : An error state occurring when the system is unable to download or analyze an image.
In some cases the Image ID cannot be retrieved from the Image registry before the image has been pulled in which case the Image ID will be displayed as None until the image analysis has completed.
--full command line parameter will display the Image Digest in addition to the Image ID and analysis status.
Once a Image has been added to the Anchore Engine the engine will monitor the registry for any updates. When an update is detected the Anchore Engine will download and analyze the new image. In this case the Anchore Engine will store data about the current image and the previous image. By default the
image list command will only show the most current image with the specific tag. For example:
Full Tag Image ID Analysis Status docker.io/my/app:latest 38fe88a6edbf71e5f8233f877f1a4f61fb842cd8f2bbb8585e8e3e8346d66753 analyzed
However if there are multiple images with the same TAG passing the
--show-all parameter will show all images that have this tag.
Full Tag Image ID Analysis Status docker.io/my/app:latest 16ead39deaa435be6bc40cbd21cf5f1f150c3460a92a77c68d7cb8c183f9c627 analyzed docker.io/my/app:latest 38fe88a6edbf71e5f8233f877f1a4f61fb842cd8f2bbb8585e8e3e8346d66753 analyzed
Getting an Image
image get command retrieves summary details for a given image. The image can be specified in one of the following formats:
Image ID : The long form image id. eg.
Image Digest : The image digest, including algorithm. eg.
Full Tag: The full pullable tag name, eg. docker.io/library/debian:latest
In this example you can see that the requested image ID has two tags:
library/debian:latest and that the image digest is
If the image is requested by tag then the current image with the specified tag is shown. Most fields are self-explanatory, with the exception of 'Image Digest' versus 'Parent Digest'. Docker supports a manifest list abstraction to support multiple architecture content builds all associated with the same tag. Often, runtime and other container systems will display this top level (or 'parent') digest value associated with a particular image, even though the image content itself has a unique digest. In anchore, the 'parent' digest is listed alongside the actual, unique image digest for each image. For images that do not have a multi-architecture manifest list in the registry, the parent digest and image digest will be the same.
# anchore-cli image get mysql:latest Image Digest: sha256:2b0e9b0e40202e2a6a0619f327c9acb9d0adc39d7dc292fefc1a886fc8cefee3 Parent Digest: sha256:811483efcd38de17d93193b4b4bc4ba290a931215c4c8512cbff624e5967a7dd Analysis Status: analyzed Image Type: docker Image ID: 2dd01afbe8df1fe326f6609c56b08beefc6bf254d28993263da188b8fbf1254d Dockerfile Mode: Guessed Distro: debian Distro Version: 9 Size: 138302512 Architecture: amd64 Layer Count: 12 Full Tag: docker.io/mysql:latest
--show-history parameter will display all images that have, at any time, had the specified tag.
# anchore-cli image get mysql:latest Image Digest: sha256:2b0e9b0e40202e2a6a0619f327c9acb9d0adc39d7dc292fefc1a886fc8cefee3 Parent Digest: sha256:811483efcd38de17d93193b4b4bc4ba290a931215c4c8512cbff624e5967a7dd Analysis Status: analyzed Image Type: docker Image ID: 2dd01afbe8df1fe326f6609c56b08beefc6bf254d28993263da188b8fbf1254d Dockerfile Mode: Guessed Distro: debian Distro Version: 9 Size: 138302512 Architecture: amd64 Layer Count: 12 Full Tag: docker.io/mysql:latest Image Digest: sha256:02892826401a9d18f0ea01f8a2f35d328ef039db4e1edcc45c630314a0457d5b Parent Digest: sha256:621c2f39f8133acb8e64023a94dbdf0d5ca81896102b9e57c0dc184cadaf5528 Analysis Status: analyzed Image Type: docker Image ID: 196d12cf6ab19273823e700516e98eb1910b03b17840f9d5509f03858484d321 Dockerfile Mode: Guessed Distro: debian Distro Version: 9 Size: 135201709 Architecture: amd64 Layer Count: 12 Full Tag: docker.io/mysql:latest
Deleting an Image
image del command deletes the records for a specified image. Note: This command only removes references in the Anchore Engine database, the underlying image stored in the container registry will not be deleted.
The image to be deleted can be specified in one of the following formats:
- Image Digest
- Image ID
Once an image has been analyzed by the Anchore Engine you can: