In this document, we describe the current anchore gates (and related triggers/parameters) that are supported within anchore policy bundles. If you have a running anchore engine, this information can also be obtained using the CLI:

# anchore-cli policy describe (--gate <gatename> (--trigger <triggername>))

Gate: secret_scans

Checks for secrets found in the image using configured regexes found in the "secret_search" section of analyzer_config.yaml.

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| content_regex_checks | Triggers if the content search analyzer has found any matches with the configured and named regexes. Matches are filtered by the content_regex_name and filename_regex if they are set. The content_regex_name should be a value from the "secret_search" section of the analyzer_config.yaml. | content_regex_name | Name of content regexps configured in the analyzer that should trigger if found in the image, instead of triggering for any match. Names available by default are: AWS_ACCESS_KEY, AWS_SECRET_KEY, PRIV_KEY, DOCKER_AUTH, API_KEY. | `AWS_ACCESS_KEY` |
| | | filename_regex | Regexp to filter the content matched files by. | `/etc/.*` |

Gate: ruby_gems

Ruby Gem Checks

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| newer_version_found_in_feed | Triggers if an installed GEM is not the latest version according to GEM data feed. | | | |
| not_found_in_feed | Triggers if an installed GEM is not in the official GEM database, according to GEM data feed. | | | |
| version_not_found_in_feed | Triggers if an installed GEM version is not listed in the official GEM feed as a valid version. | | | |
| blacklist | Triggers if the evaluated image has a GEM package installed that matches the specified name and version. | name | Gem name to blacklist. | `time_diff` |
| | | version | Optional version to blacklist specifically. | `0.2.9` |
| feed_data_unavailable | Triggers if anchore does not have access to the GEM data feed. | | | |

Gate: licenses

License checks against found software licenses in the container image

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| blacklist_exact_match | Triggers if the evaluated image has a package installed with software distributed under the specified (exact match) license(s). | licenses | List of license names to blacklist exactly. | `GPLv2+,GPL-3+,BSD-2-clause` |
| blacklist_partial_match | Triggers if the evaluated image has a package installed with software distributed under the specified (substring match) license(s). | licenses | List of strings to do substring match for blacklist. | `LGPL,BSD` |

Gate: vulnerabilities

CVE/Vulnerability checks.

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| package | Triggers if a found vulnerability in an image meets the comparison criteria. | package_type | Only trigger for specific package type. | `all` |
| | | severity_comparison | The type of comparison to perform for severity evaluation. | `>` |
| | | severity | Severity to compare against. | `high` |
| | | fix_available | If present, the fix availability for the vulnerability record must match the value of this parameter. | `true` |
| | | vendor_only | If true, an available fix for this CVE must not be explicitly marked as "won't be addressed" by the vendor. | `true` |
| stale_feed_data | Triggers if the CVE data is older than the window specified by the parameter MAXAGE (unit is number of days). | max_days_since_sync | Fire the trigger if the last sync was more than this number of days ago. | `10` |
| vulnerability_data_unavailable | Triggers if vulnerability data is unavailable for the image's distro. | | | |

Gate: dockerfile

Checks against the content of a dockerfile if provided, or a guessed dockerfile based on docker layer history if the dockerfile is not provided.

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| instruction | Triggers if any directives in the list are found to match the described condition in the dockerfile. | instruction | The Dockerfile instruction to check. | `from` |
| | | check | The type of check to perform. | `=` |
| | | value | The value to check the dockerfile instruction against. | `scratch` |
| | | actual_dockerfile_only | Only evaluate against a user-provided dockerfile, skip evaluation on inferred/guessed dockerfiles. Default is False. | `true` |
| effective_user | Checks if the effective user matches the provided user names and fires based on the allowed parameter. If allowed=true, the rule behaves as a whitelist, otherwise acts as a blacklist. | users | User names to check against as the effective user (last user entry) in the image's history. | `root,docker` |
| | | type | How to treat the provided user names. | `None` |
| exposed_ports | Evaluates the set of ports exposed. Allows configuring whitelist or blacklist behavior. If type=whitelist, then any ports found exposed that are not in the list will cause the trigger to fire. If type=blacklist, then any ports exposed that are in the list will cause the trigger to fire. | ports | List of port numbers. | `80,8080,8088` |
| | | type | Whether to use port list as a whitelist or blacklist. | `whitelist` |
| | | actual_dockerfile_only | Only evaluate against a user-provided dockerfile, skip evaluation on inferred/guessed dockerfiles. Default is False. | `true` |
| no_dockerfile_provided | Triggers if anchore analysis was performed without supplying the actual image Dockerfile. | | | |

Gate: files

Checks against files in the analyzed image including file content, file names, and filesystem attributes.

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| content_regex_match | Triggers for each file where the content search analyzer has found a match using configured regexes in the analyzer_config.yaml "content_search" section. If the parameter is set, the trigger will only fire for files that matched the named regex. Refer to your analyzer_config.yaml for the regex values. | regex_name | Regex string that also appears in the FILECHECK_CONTENTMATCH analyzer parameter in analyzer configuration, to limit the check to. If set, will only fire trigger when the specific named regex was found in a file. | `.*password.*` |
| name_match | Triggers if a file exists in the container that has a filename that matches the provided regex. This does have a performance impact on policy evaluation. | regex | Regex to apply to file names for match. | `.*\.pem` |
| suid_or_guid_set | Fires for each file found to have suid or sgid bit set. | | | |

Gate: passwd_file

Content checks for /etc/passwd for things like usernames, group ids, shells, or full entries.

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| content_not_available | Triggers if the /etc/passwd file is not present/stored in the evaluated image. | | | |
| blacklist_usernames | Triggers if specified username is found in the /etc/passwd file. | user_names | List of usernames that will cause the trigger to fire if found in /etc/passwd. | `daemon,ftp` |
| blacklist_userids | Triggers if specified user id is found in the /etc/passwd file. | user_ids | List of userids (numeric) that will cause the trigger to fire if found in /etc/passwd. | `0,1` |
| blacklist_groupids | Triggers if specified group id is found in the /etc/passwd file. | group_ids | List of groupids (numeric) that will cause the trigger to fire if found in /etc/passwd. | `999,20` |
| blacklist_shells | Triggers if specified login shell for any user is found in the /etc/passwd file. | shells | List of shell commands to blacklist. | `/bin/bash,/bin/zsh` |
| blacklist_full_entry | Triggers if entire specified passwd entry is found in the /etc/passwd file. | entry | Full entry to match in /etc/passwd. | `ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin` |

Gate: packages

Distro package checks

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| required_package | Triggers if the specified package and optionally a specific version is not found in the image. | name | Name of package that must be found installed in image. | `libssl` |
| | | version | Optional version of package for exact version match. | `1.10.3rc3` |
| | | version_match_type | The type of comparison to use for version if a version is provided. | `exact` |
| verify | Check package integrity against package db in the image. Triggers for changes to or removal of content in all directories, or only in the selected "dirs" parameter if provided, and can filter the type of check with the "check_only" parameter. | only_packages | List of package names to limit verification. | `libssl,openssl` |
| | | only_directories | List of directories to limit checks so as to avoid checks on all dirs. | `/usr,/var/lib` |
| | | check | Check to perform instead of all. | `changed` |
| blacklist | Triggers if the evaluated image has a package installed that matches the named package, optionally with a specific version as well. | name | Package name to blacklist. | `openssh-server` |
| | | version | Specific version of package to blacklist. | `1.0.1` |

Gate: always

Triggers that fire unconditionally if present in policy, useful for things like testing and blacklisting.

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| always | Fires if present in a policy being evaluated. Useful for things like blacklisting images or testing mappings and whitelists by using this trigger in combination with policy mapping rules. | | | |

Gate: metadata

Checks against image metadata, such as size, OS, distro, architecture, etc.

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| attribute | Triggers if a named image metadata value matches the given condition. | attribute | Attribute name to be checked. | `size` |
| | | check | The operation to perform the evaluation. | `>` |
| | | value | Value used in comparison. | `1073741824` |

Gate: npms

NPM Checks

| Trigger Name | Trigger Description | Parameter | Parameter Description | Example |
|---|---|---|---|---|
| newer_version_in_feed | Triggers if an installed NPM is not the latest version according to NPM data feed. | | | |
| unknown_in_feeds | Triggers if an installed NPM is not in the official NPM database, according to NPM data feed. | | | |
| version_not_in_feeds | Triggers if an installed NPM version is not listed in the official NPM feed as a valid version. | | | |
| blacklisted_name_version | Triggers if the evaluated image has an NPM package installed that matches the name and optionally a version specified in the parameters. | name | Npm package name to blacklist. | `time_diff` |
| | | version | Npm package version to blacklist specifically. | `0.2.9` |
| feed_data_unavailable | Triggers if the engine does not have access to the NPM data feed. | | | |
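A policy bundle that wires several of the gates above into rules, as an added example that is not part of the original page: it assumes the v1_0 bundle JSON layout with one mapping that selects a single policy via policy_id; every id is a constructed placeholder, and the gate, trigger and parameter names and values are taken from the tables above. Each rule carries an action (STOP, WARN or GO) that decides what happens when its trigger fires.

```json
{
  "id": "example-bundle", "version": "1_0", "name": "Example hardening bundle",
  "comment": "Constructed example bundle; ids are placeholders, not values from the page",
  "whitelisted_images": [], "blacklisted_images": [], "whitelists": [],
  "mappings": [
    { "name": "default", "registry": "*", "repository": "*",
      "image": { "type": "tag", "value": "*" },
      "policy_id": "example-policy", "whitelist_ids": [] }
  ],
  "policies": [
    { "id": "example-policy", "name": "Example policy", "version": "1_0",
      "comment": "One rule per gate of interest; STOP fails the image, WARN only annotates",
      "rules": [
        { "id": "r1", "gate": "vulnerabilities", "trigger": "package", "action": "STOP",
          "params": [ { "name": "package_type", "value": "all" },
                      { "name": "severity_comparison", "value": ">=" },
                      { "name": "severity", "value": "high" },
                      { "name": "fix_available", "value": "true" } ] },
        { "id": "r2", "gate": "vulnerabilities", "trigger": "stale_feed_data", "action": "WARN",
          "params": [ { "name": "max_days_since_sync", "value": "10" } ] },
        { "id": "r3", "gate": "dockerfile", "trigger": "effective_user", "action": "STOP",
          "params": [ { "name": "users", "value": "root" },
                      { "name": "type", "value": "blacklist" } ] },
        { "id": "r4", "gate": "dockerfile", "trigger": "exposed_ports", "action": "WARN",
          "params": [ { "name": "ports", "value": "80,8080,8088" },
                      { "name": "type", "value": "whitelist" } ] },
        { "id": "r5", "gate": "secret_scans", "trigger": "content_regex_checks", "action": "STOP",
          "params": [ { "name": "content_regex_name", "value": "AWS_ACCESS_KEY" } ] },
        { "id": "r6", "gate": "files", "trigger": "suid_or_guid_set", "action": "WARN",
          "params": [] },
        { "id": "r7", "gate": "passwd_file", "trigger": "blacklist_shells", "action": "WARN",
          "params": [ { "name": "shells", "value": "/bin/bash,/bin/zsh" } ] },
        { "id": "r8", "gate": "packages", "trigger": "blacklist", "action": "STOP",
          "params": [ { "name": "name", "value": "openssh-server" } ] }
      ] }
  ]
}
```

Load the file with anchore-cli policy add and activate the resulting bundle id with anchore-cli policy activate; anchore-cli evaluate check <image> --detail then lists, per rule, which triggers fired and the resulting action.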