Feed Synchronization Interval
The default configuration for the Anchore Engine will download vulnerability data from Anchore's feed service every 21,600 seconds (6 hours).
For most users, the only configuration option that is typically updated is the feed synchronization interval: the time interval (in seconds) at which the feed sync is run.
policy_engine:
  .....
  cycle_timers:
    ...
    feed_sync: 14400
In the default Anchore configuration file, config.yaml, the feed settings are commented out and the Anchore Engine will use the default settings.
The Anchore Engine will default to downloading feed data from Anchore's feed service hosted at https://ancho.re/v1/service/feeds.
This service requires authentication, and the system includes default credentials for an anonymous user.
The Anchore Engine will by default only synchronize vulnerability data such as CVE information. The Anchore Feed service also provides package data from the NPM package registry and the Ruby Gems registry, which can be used in policy checks on Node and Ruby package names and versions, as well as non-OS vulnerability data from the National Vulnerability Database (NVD), which can be used to perform non-OS package vulnerability scans.
By default the Anchore Engine will perform a selective sync that enables only the vulnerabilities feed. Setting the selective_sync enabled flag to False, or setting the other feed types to True, will enable synchronization of the specified feeds.
feeds:
  selective_sync:
    # If enabled only sync specific feeds instead of all.
    enabled: True
    feeds:
      vulnerabilities: True
      packages: False
      nvd: True
  anonymous_user_username: firstname.lastname@example.org
  anonymous_user_password: pbiU2RYZ2XrmYQ
  url: 'https://ancho.re/v1/service/feeds'
  client_url: 'https://ancho.re/v1/account/users'
  token_url: 'https://ancho.re/oauth/token'
  connection_timeout_seconds: 3
  read_timeout_seconds: 60
Note: The package and nvd data feeds are large, so the initial sync will take some time and will use in excess of 2GB of memory.
During initial feed sync, you can always query the progress and status of the feed sync using the anchore-cli.
# anchore-cli system feeds list
Feed             Group        LastSync                      RecordCount
nvd              nvddb:2002   2018-06-08T12:10:08.933467Z   6745
nvd              nvddb:2003   2018-06-08T12:10:06.822104Z   1546
...              ...
vulnerabilities  alpine:3.3   2018-06-08T17:28:53.876964Z   457
vulnerabilities  alpine:3.4   2018-06-08T12:09:30.389172Z   594
...              ...
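The feed_sync interval and the LastSync column can be checked against each other. The following is an added example, not part of the Anchore documentation or code: it parses `anchore-cli system feeds list` output and reports feed groups whose last sync is older than the configured interval, which means images are being evaluated against stale vulnerability data. The function names, the constructed "current time" and the treatment of a non-timestamp LastSync value as "never synced" are assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: the rows from the listing above, one per line.
SAMPLE = """\
Feed             Group        LastSync                      RecordCount
nvd              nvddb:2002   2018-06-08T12:10:08.933467Z   6745
nvd              nvddb:2003   2018-06-08T12:10:06.822104Z   1546
vulnerabilities  alpine:3.3   2018-06-08T17:28:53.876964Z   457
vulnerabilities  alpine:3.4   2018-06-08T12:09:30.389172Z   594
"""

def parse_feeds(text):
    """Return [(feed, group, last_sync_or_None)] from the CLI table."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[0] == "Feed":
            continue  # header, prompt line, blank line or elided "..." row
        feed, group, stamp, _count = parts
        try:
            # Timestamps are UTC with a trailing "Z".
            synced = datetime.fromisoformat(stamp.rstrip("Z"))
            synced = synced.replace(tzinfo=timezone.utc)
        except ValueError:
            synced = None  # assumption: a non-timestamp value means never synced
        rows.append((feed, group, synced))
    return rows

def stale_groups(text, now, interval_seconds, slack_seconds=0):
    """Return (feed, group) pairs not synced within interval + slack."""
    max_age = timedelta(seconds=interval_seconds + slack_seconds)
    return [(feed, group) for feed, group, synced in parse_feeds(text)
            if synced is None or now - synced > max_age]

if __name__ == "__main__":
    # Constructed "current time", shortly after the newest sync in the sample.
    now = datetime(2018, 6, 8, 18, 0, tzinfo=timezone.utc)
    for feed, group in stale_groups(SAMPLE, now, interval_seconds=14400):
        print(f"STALE {feed}/{group}")
```

In production, pass `datetime.now(timezone.utc)` as `now` and the `feed_sync` value from config.yaml as `interval_seconds`, with some slack for the duration of the sync itself.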