Adding an Image

To add an image to Anchore to be Analyzed refer to the adding images page.


Listing Images

A list of all tags/images analyzed by the Anchore Engine can be obtained by running the following command:


anchore-cli image list 


Full Tag                                       Image ID                                                                
Analysis Status        
docker.io/alpine:latest                        7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560        analyzed               
docker.io/debian:latest                        5b712ae16dd7439315462fe0719d87855ea88f4d3ab0461547a089a6a4116109        analyzed               
docker.io/library/alpine:latest                7328f6f8b41890597575cbaadc884e7386ae0acc53b747401ebce5cf0d624560        analyzed               
docker.io/library/cassandra:latest             d95f2513bdd2d94fd0c85ffd49cd024c0dda0fcd2862498f94e9553470fd08c2        not_analyzed           
docker.io/library/centos:latest                328edcd84f1bbf868bc88e4ae37afe421ef19be71890f59b4b2d8ba48414b84d        analyzed               
docker.io/library/debian:latest                5b712ae16dd7439315462fe0719d87855ea88f4d3ab0461547a089a6a4116109        analyzed               
docker.io/library/nginx:latest                 66216d141be6772cecb89c02b18ad3e19bc14c89298fd965457611a3f84d46c5        analyzed               
docker.io/library/ubuntu:latest                ccc7a11d65b1b5874b65adb4b2387034582d08d65ac1817ebc5fb9be1baa5f88        analyzed               
docker.io/ubuntu:latest                        ccc7a11d65b1b5874b65adb4b2387034582d08d65ac1817ebc5fb9be1baa5f88        analyzed               
registry.access.redhat.com/rhel7:latest        None                                                                    analyzing       


The default output format will list the Full Tag of the image, the Image ID ad the Analysis status of an image. The analysis status will be one of four values:

  • analyzed : The image has been analyzed and can be inspected and evaluated.
  • not_analyzed : The image has been submitted for analysis but not yet analyzed. Typically seen when the image is queued for analysis
  • analyzing : The image is currently being analyzed by the Anchore Engine
  • analysis_failed : An error state occurring when the system is unable to download or analyze an image.


In some cases the Image ID cannot be retrieved from the Image registry before the image has been pulled in which case the Image ID will be displayed as None until the image analysis has completed.


Passing the --full command line parameter will display the Image Digest in addition to the Image ID and analysis status.


Once a Image has been added to the Anchore Engine the engine will monitor the registry for any updates. When an update is detected the Anchore Engine will download and analyze the new image. In this case the Anchore Engine will store data about the current image and the previous image. By default the image list command will only show the most current image with the specific tag. For example:


Full Tag                                       Image ID                                                                Analysis Status        
docker.io/my/app:latest                38fe88a6edbf71e5f8233f877f1a4f61fb842cd8f2bbb8585e8e3e8346d66753        analyzed  


However if there are multiple images with the same TAG passing the --show-all parameter will show all images that have this tag.


Full Tag                                       Image ID                                                                Analysis Status        
docker.io/my/app:latest                16ead39deaa435be6bc40cbd21cf5f1f150c3460a92a77c68d7cb8c183f9c627        analyzed               
docker.io/my/app:latest                38fe88a6edbf71e5f8233f877f1a4f61fb842cd8f2bbb8585e8e3e8346d66753        analyzed 


Getting an Image

The image get command retrieves summary details for a given image. The image can be specified in one of the following formats:

  • Image ID : The long form image id. eg. 5b712ae16dd7439315462fe0719d87855ea88f4d3ab0461547a089a6a4116109

  • Image Digest : The image digest, including algorithm. eg. sha256:427752aa7da803378f765f5a8efba421df5925cbde8ab011717f3642f406fb15

  • Full Tag: The full pullable tag name, eg. docker.io/library/debian:latest


In this example you can see that the requested image ID has two tags: debian:latest and library/debian:latest and that the image digest is sha256:427752aa7da803378f765f5a8efba421df5925cbde8ab011717f3642f406fb15.


If the image is requested by tag then the current image with the specified tag is shown.  Most fields are self-explanatory, with the exception of 'Image Digest' versus 'Parent Digest'.  Docker supports a manifest list abstraction to support multiple architecture content builds all associated with the same tag.  Often, runtime and other container systems will display this top level (or 'parent') digest value associated with a particular image, even though the image content itself has a unique digest.  In anchore, the 'parent' digest is listed alongside the actual, unique image digest for each image.   For images that do not have a multi-architecture manifest list in the registry, the parent digest and image digest will be the same.


# anchore-cli image get mysql:latest
Image Digest: sha256:2b0e9b0e40202e2a6a0619f327c9acb9d0adc39d7dc292fefc1a886fc8cefee3
Parent Digest: sha256:811483efcd38de17d93193b4b4bc4ba290a931215c4c8512cbff624e5967a7dd
Analysis Status: analyzed
Image Type: docker
Image ID: 2dd01afbe8df1fe326f6609c56b08beefc6bf254d28993263da188b8fbf1254d
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 9
Size: 138302512
Architecture: amd64
Layer Count: 12

Full Tag: docker.io/mysql:latest


The optional --show-history parameter will display all images that have, at any time, had the specified tag.


# anchore-cli image get mysql:latest
Image Digest: sha256:2b0e9b0e40202e2a6a0619f327c9acb9d0adc39d7dc292fefc1a886fc8cefee3
Parent Digest: sha256:811483efcd38de17d93193b4b4bc4ba290a931215c4c8512cbff624e5967a7dd
Analysis Status: analyzed
Image Type: docker
Image ID: 2dd01afbe8df1fe326f6609c56b08beefc6bf254d28993263da188b8fbf1254d
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 9
Size: 138302512
Architecture: amd64
Layer Count: 12

Full Tag: docker.io/mysql:latest


Image Digest: sha256:02892826401a9d18f0ea01f8a2f35d328ef039db4e1edcc45c630314a0457d5b
Parent Digest: sha256:621c2f39f8133acb8e64023a94dbdf0d5ca81896102b9e57c0dc184cadaf5528
Analysis Status: analyzed
Image Type: docker
Image ID: 196d12cf6ab19273823e700516e98eb1910b03b17840f9d5509f03858484d321
Dockerfile Mode: Guessed
Distro: debian
Distro Version: 9
Size: 135201709
Architecture: amd64
Layer Count: 12

Full Tag: docker.io/mysql:latest


Deleting an Image

The image del command deletes the records for a specified image. Note: This command only removes references in the Anchore Engine database, the underlying image stored in the container registry will not be deleted.


The image to be deleted can be specified in one of the following formats:

  • Image Digest
  • Image ID
  • Registry/repo:tag


Next Steps

Once an image has been analyzed by the Anchore Engine you can: