MACRO NEPAL
Anchore Inline Scan in Java: Comprehensive Container Security Integration
awiskar acharya
November 26, 2025
1:33 pm

Anchore Engine is a container security and compliance platform that performs deep image inspection and vulnerability scanning. The inline scan allows integration directly into CI/CD pipelines.

Core Concepts

What is Anchore Inline Scan?

  • Lightweight container image security scanner
  • CLI tool for CI/CD pipeline integration
  • Performs vulnerability scanning and policy evaluation
  • Provides pass/fail results based on custom policies
  • Supports both local and remote image scanning

Key Features:

  • Vulnerability scanning for container images
  • Policy-based evaluation with custom rules
  • Multiple output formats (JSON, table, CycloneDX)
  • CI/CD integration (Jenkins, GitLab, GitHub Actions)
  • Local scanning without requiring Anchore Engine

Setup and Installation

1. Docker Image Installation
# Pull the anchore/inline-scan image
docker pull anchore/inline-scan:latest
# Verify installation
docker run --rm anchore/inline-scan:latest --help
2. Binary Installation (Alternative)
# Download the binary
curl -s https://ci-tools.anchore.io/inline_scan-v0.9.0 | sh -s -- -b /usr/local/bin
# Make executable
chmod +x /usr/local/bin/inline_scan
# Verify installation
inline_scan --help
3. Maven/Gradle Dependencies for Integration
<!-- For Java applications that need container security APIs -->
<properties>
<jackson.version>2.15.2</jackson.version>
<junit.version>5.9.2</junit.version>
</properties>
<dependencies>
<!-- JSON Processing -->
<dependency>
<groupId>com.fasterxml.jackson.core</groupId>
<artifactId>jackson-databind</artifactId>
<version>${jackson.version}</version>
</dependency>
<!-- HTTP Client -->
<dependency>
<groupId>org.apache.httpcomponents.client5</groupId>
<artifactId>httpclient5</artifactId>
<version>5.2.1</version>
</dependency>
</dependencies>

Basic Usage

1. Simple Image Scan
# Scan a local Docker image
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/inline-scan:latest \
-t my-java-app:latest
# Scan with specific output format
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/inline-scan:latest \
-t my-java-app:latest \
-f table
# Scan remote image from registry
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/inline-scan:latest \
-t docker.io/library/nginx:latest
2. Basic Java Integration Script
// AnchoreScanRunner.java
import java.io.BufferedReader;
import java.io.IOException;
import java.io.InputStreamReader;
import java.util.ArrayList;
import java.util.List;
public class AnchoreScanRunner {
private static final String ANCHORE_IMAGE = "anchore/inline-scan:latest";
public boolean scanImage(String imageName, String imageTag) {
List<String> command = new ArrayList<>();
command.add("docker");
command.add("run");
command.add("--rm");
command.add("-v");
command.add("/var/run/docker.sock:/var/run/docker.sock");
command.add(ANCHORE_IMAGE);
command.add("-t");
command.add(imageName + ":" + imageTag);
command.add("-f");
command.add("json");
try {
ProcessBuilder processBuilder = new ProcessBuilder(command);
Process process = processBuilder.start();
int exitCode = process.waitFor();
// Read output
BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()));
String line;
while ((line = reader.readLine()) != null) {
System.out.println(line);
}
return exitCode == 0;
} catch (IOException | InterruptedException e) {
System.err.println("Scan failed: " + e.getMessage());
return false;
}
}
}

Advanced Configuration

1. Custom Policy Configuration
# Create custom policy file
cat > policy.json << 'EOF'
{
"comment": "Java Application Security Policy",
"id": "java-app-policy",
"name": "Java Application Policy",
"version": "1.0",
"rules": [
{
"action": "STOP",
"gate": "vulnerabilities",
"id": "critical_vulns",
"params": [
{
"name": "package_type",
"value": "all"
},
{
"name": "severity_comparison",
"value": ">="
},
{
"name": "severity",
"value": "critical"
}
],
"trigger": "package"
},
{
"action": "WARN",
"gate": "vulnerabilities",
"id": "high_vulns",
"params": [
{
"name": "package_type",
"value": "all"
},
{
"name": "severity_comparison",
"value": ">="
},
{
"name": "severity",
"value": "high"
}
],
"trigger": "package"
}
]
}
EOF
# Scan with custom policy
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v $(pwd)/policy.json:/policy.json \
anchore/inline-scan:latest \
-t my-java-app:latest \
-p /policy.json
2. Environment Configuration
# Set environment variables for scanning
export ANCHORE_FAIL_ON_POLICY=true
export ANCHORE_TIMEOUT=600
export ANCHORE_DEBUG=true
# Scan with environment configuration
docker run --rm \
-e ANCHORE_FAIL_ON_POLICY=true \
-e ANCHORE_TIMEOUT=600 \
-e ANCHORE_DEBUG=true \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/inline-scan:latest \
-t my-java-app:latest
3. Advanced Java Integration Class
// AnchoreSecurityScanner.java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import org.apache.hc.client5.http.classic.methods.HttpGet;
import org.apache.hc.client5.http.impl.classic.CloseableHttpClient;
import org.apache.hc.client5.http.impl.classic.HttpClients;
import java.io.*;
import java.util.*;
public class AnchoreSecurityScanner {
private final String dockerSocketPath;
private final String anchoreImage;
private final ObjectMapper objectMapper;
public AnchoreSecurityScanner() {
this.dockerSocketPath = "/var/run/docker.sock";
this.anchoreImage = "anchore/inline-scan:latest";
this.objectMapper = new ObjectMapper();
}
public ScanResult scanImage(String imageName, String imageTag, 
ScanConfig config) throws ScanException {
try {
// Build Docker command
List<String> command = buildDockerCommand(imageName, imageTag, config);
// Execute scan
Process process = executeScan(command);
// Parse results
return parseScanResults(process, config);
} catch (Exception e) {
throw new ScanException("Failed to scan image: " + imageName + ":" + imageTag, e);
}
}
private List<String> buildDockerCommand(String imageName, String imageTag, 
ScanConfig config) {
List<String> command = new ArrayList<>();
command.add("docker");
command.add("run");
command.add("--rm");
// Mount Docker socket
command.add("-v");
command.add(dockerSocketPath + ":/var/run/docker.sock");
// Add environment variables
if (config.isFailOnPolicy()) {
command.add("-e");
command.add("ANCHORE_FAIL_ON_POLICY=true");
}
if (config.getTimeout() > 0) {
command.add("-e");
command.add("ANCHORE_TIMEOUT=" + config.getTimeout());
}
// Mount policy file if provided
if (config.getPolicyFilePath() != null) {
command.add("-v");
command.add(config.getPolicyFilePath() + ":/policy.json");
}
// Anchore image
command.add(anchoreImage);
// Image to scan
command.add("-t");
command.add(imageName + ":" + imageTag);
// Output format
command.add("-f");
command.add(config.getOutputFormat().toString().toLowerCase());
// Add policy file if provided
if (config.getPolicyFilePath() != null) {
command.add("-p");
command.add("/policy.json");
}
return command;
}
private Process executeScan(List<String> command) throws IOException {
ProcessBuilder processBuilder = new ProcessBuilder(command);
processBuilder.redirectErrorStream(true);
return processBuilder.start();
}
private ScanResult parseScanResults(Process process, ScanConfig config) 
throws IOException, InterruptedException {
int exitCode = process.waitFor();
// Read output
String output = readProcessOutput(process);
if (config.getOutputFormat() == OutputFormat.JSON) {
JsonNode result = objectMapper.readTree(output);
return parseJsonResult(result, exitCode);
} else {
return parseTextResult(output, exitCode);
}
}
private String readProcessOutput(Process process) throws IOException {
StringBuilder output = new StringBuilder();
try (BufferedReader reader = new BufferedReader(
new InputStreamReader(process.getInputStream()))) {
String line;
while ((line = reader.readLine()) != null) {
output.append(line).append("\n");
}
}
return output.toString();
}
private ScanResult parseJsonResult(JsonNode result, int exitCode) {
ScanResult scanResult = new ScanResult();
scanResult.setExitCode(exitCode);
scanResult.setSuccess(exitCode == 0);
if (result.has("vulnerabilities")) {
JsonNode vulns = result.get("vulnerabilities");
scanResult.setVulnerabilityCount(vulns.size());
}
if (result.has("policy_evaluation")) {
JsonNode policy = result.get("policy_evaluation");
scanResult.setPolicyEvaluation(policy.toString());
}
return scanResult;
}
private ScanResult parseTextResult(String output, int exitCode) {
ScanResult scanResult = new ScanResult();
scanResult.setExitCode(exitCode);
scanResult.setSuccess(exitCode == 0);
scanResult.setRawOutput(output);
return scanResult;
}
// Configuration classes
public static class ScanConfig {
private boolean failOnPolicy = true;
private int timeout = 300;
private String policyFilePath;
private OutputFormat outputFormat = OutputFormat.JSON;
// Getters and setters
public boolean isFailOnPolicy() { return failOnPolicy; }
public void setFailOnPolicy(boolean failOnPolicy) { this.failOnPolicy = failOnPolicy; }
public int getTimeout() { return timeout; }
public void setTimeout(int timeout) { this.timeout = timeout; }
public String getPolicyFilePath() { return policyFilePath; }
public void setPolicyFilePath(String policyFilePath) { this.policyFilePath = policyFilePath; }
public OutputFormat getOutputFormat() { return outputFormat; }
public void setOutputFormat(OutputFormat outputFormat) { this.outputFormat = outputFormat; }
}
public static class ScanResult {
private boolean success;
private int exitCode;
private int vulnerabilityCount;
private String policyEvaluation;
private String rawOutput;
// Getters and setters
public boolean isSuccess() { return success; }
public void setSuccess(boolean success) { this.success = success; }
public int getExitCode() { return exitCode; }
public void setExitCode(int exitCode) { this.exitCode = exitCode; }
public int getVulnerabilityCount() { return vulnerabilityCount; }
public void setVulnerabilityCount(int vulnerabilityCount) { this.vulnerabilityCount = vulnerabilityCount; }
public String getPolicyEvaluation() { return policyEvaluation; }
public void setPolicyEvaluation(String policyEvaluation) { this.policyEvaluation = policyEvaluation; }
public String getRawOutput() { return rawOutput; }
public void setRawOutput(String rawOutput) { this.rawOutput = rawOutput; }
}
public enum OutputFormat {
JSON, TABLE
}
public static class ScanException extends Exception {
public ScanException(String message) {
super(message);
}
public ScanException(String message, Throwable cause) {
super(message, cause);
}
}
}

CI/CD Integration

1. GitHub Actions Integration
# .github/workflows/container-security.yml
name: Container Security Scan
on:
push:
branches: [ main, develop ]
tags: ['v*']
pull_request:
branches: [ main ]
jobs:
security-scan:
name: Anchore Container Scan
runs-on: ubuntu-latest
steps:
- name: Checkout code
uses: actions/checkout@v3
- name: Build Docker image
run: |
docker build -t my-java-app:${{ github.sha }} .
- name: Run Anchore Inline Scan
run: |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/inline-scan:latest \
-t my-java-app:${{ github.sha }} \
-f json \
--timeout 600
- name: Upload Scan Report
uses: actions/upload-artifact@v3
with:
name: security-scan-report
path: anchore_security_scan.json
retention-days: 30
- name: Fail on Critical Vulnerabilities
run: |
# Custom script to check for critical vulnerabilities
./scripts/check-vulnerabilities.sh
2. GitLab CI Integration
# .gitlab-ci.yml
stages:
- build
- security
variables:
DOCKER_IMAGE: my-java-app:$CI_COMMIT_SHA
build:
stage: build
image: docker:latest
services:
- docker:dind
script:
- docker build -t $DOCKER_IMAGE .
- docker save $DOCKER_IMAGE -o image.tar
artifacts:
paths:
- image.tar
anchore_scan:
stage: security
image: docker:latest
services:
- docker:dind
dependencies:
- build
before_script:
- docker load -i image.tar
script:
- |
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/inline-scan:latest \
-t $DOCKER_IMAGE \
-f table \
--timeout 300
rules:
- if: $CI_COMMIT_BRANCH == "main"
- if: $CI_PIPELINE_SOURCE == "merge_request_event"
3. Jenkins Pipeline Integration
// Jenkinsfile
pipeline {
agent any
environment {
DOCKER_IMAGE = "my-java-app:${env.BUILD_ID}"
}
stages {
stage('Build') {
steps {
script {
sh 'docker build -t ${DOCKER_IMAGE} .'
}
}
}
stage('Security Scan') {
steps {
script {
sh '''
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
anchore/inline-scan:latest \
-t ${DOCKER_IMAGE} \
-f json \
--timeout 600
'''
}
}
post {
always {
archiveArtifacts artifacts: 'anchore_*.json', fingerprint: true
junit 'anchore_*.xml'
}
}
}
stage('Vulnerability Check') {
steps {
script {
// Custom vulnerability threshold check
sh '''
./scripts/validate-scan-results.sh ${DOCKER_IMAGE}
'''
}
}
}
}
post {
failure {
emailext (
subject: "FAILED: Job ${env.JOB_NAME} - Build ${env.BUILD_NUMBER}",
body: "Security scan failed for ${env.BUILD_URL}",
to: "[email protected]"
)
}
}
}
4. Java-based CI/CD Integration
// SecurityScanPipeline.java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
public class SecurityScanPipeline {
private final AnchoreSecurityScanner securityScanner;
private final ObjectMapper objectMapper;
public SecurityScanPipeline() {
this.securityScanner = new AnchoreSecurityScanner();
this.objectMapper = new ObjectMapper();
}
public boolean executeSecurityScan(String imageName, String imageTag, 
String buildId, String workspace) 
throws ScanException, IOException {
System.out.println("Starting security scan for: " + imageName + ":" + imageTag);
// Configure scan
AnchoreSecurityScanner.ScanConfig config = new AnchoreSecurityScanner.ScanConfig();
config.setFailOnPolicy(true);
config.setTimeout(600);
config.setOutputFormat(AnchoreSecurityScanner.OutputFormat.JSON);
// Execute scan
AnchoreSecurityScanner.ScanResult result = 
securityScanner.scanImage(imageName, imageTag, config);
// Save report
saveScanReport(result, buildId, workspace);
// Evaluate results
return evaluateScanResults(result, buildId);
}
private void saveScanReport(AnchoreSecurityScanner.ScanResult result, 
String buildId, String workspace) throws IOException {
Path reportsDir = Paths.get(workspace, "security-reports");
Files.createDirectories(reportsDir);
String reportFileName = "anchore-scan-" + buildId + ".json";
Path reportPath = reportsDir.resolve(reportFileName);
Files.writeString(reportPath, result.getRawOutput());
System.out.println("Security report saved: " + reportPath);
}
private boolean evaluateScanResults(AnchoreSecurityScanner.ScanResult result, 
String buildId) throws IOException {
if (!result.isSuccess()) {
System.err.println("Security scan failed for build: " + buildId);
// Parse detailed results
if (result.getRawOutput() != null) {
JsonNode scanResult = objectMapper.readTree(result.getRawOutput());
analyzeVulnerabilities(scanResult);
}
return false;
}
System.out.println("Security scan passed for build: " + buildId);
return true;
}
private void analyzeVulnerabilities(JsonNode scanResult) {
if (scanResult.has("vulnerabilities")) {
JsonNode vulnerabilities = scanResult.get("vulnerabilities");
int criticalCount = 0;
int highCount = 0;
for (JsonNode vuln : vulnerabilities) {
String severity = vuln.path("severity").asText("").toLowerCase();
switch (severity) {
case "critical":
criticalCount++;
break;
case "high":
highCount++;
break;
}
}
System.err.println("Critical vulnerabilities: " + criticalCount);
System.err.println("High vulnerabilities: " + highCount);
if (criticalCount > 0) {
System.err.println("CRITICAL: " + criticalCount + 
" critical vulnerabilities found. Failing build.");
}
}
}
}

Custom Policy Development

1. Java Application Security Policy
{
"comment": "Java Application Security Policy",
"id": "java-app-security-policy",
"name": "Java Application Security Policy",
"version": "1.0",
"rules": [
{
"action": "STOP",
"gate": "vulnerabilities",
"id": "critical_java_vulns",
"params": [
{
"name": "package_type",
"value": "java"
},
{
"name": "severity_comparison",
"value": ">="
},
{
"name": "severity",
"value": "critical"
}
],
"trigger": "package"
},
{
"action": "WARN",
"gate": "vulnerabilities",
"id": "high_java_vulns",
"params": [
{
"name": "package_type",
"value": "java"
},
{
"name": "severity_comparison",
"value": ">="
},
{
"name": "severity",
"value": "high"
}
],
"trigger": "package"
},
{
"action": "STOP",
"gate": "vulnerabilities",
"id": "critical_os_vulns",
"params": [
{
"name": "package_type",
"value": "apkg,dpkg,rpm"
},
{
"name": "severity_comparison",
"value": ">="
},
{
"name": "severity",
"value": "critical"
}
],
"trigger": "package"
},
{
"action": "GO",
"gate": "dockerfile",
"id": "check_base_image",
"params": [
{
"name": "allowed_images",
"value": "openjdk:11-jre,openjdk:17-jre,eclipse-temurin:11-jre"
}
],
"trigger": "instruction"
},
{
"action": "STOP",
"gate": "secret_scans",
"id": "detect_secrets",
"params": [
{
"name": "content_regex_checks",
"value": "AWS_ACCESS_KEY|AWS_SECRET_KEY|PRIVATE_KEY"
}
],
"trigger": "content_regex_match"
}
]
}
2. Policy Management Service
// PolicyManager.java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.*;
public class PolicyManager {
private final ObjectMapper objectMapper;
private final String policiesDirectory;
public PolicyManager(String policiesDirectory) {
this.objectMapper = new ObjectMapper();
this.policiesDirectory = policiesDirectory;
}
public String createJavaPolicy(String policyName, Map<String, Object> rules) 
throws IOException {
ObjectNode policy = objectMapper.createObjectNode();
policy.put("comment", "Java Application Security Policy");
policy.put("id", policyName);
policy.put("name", policyName);
policy.put("version", "1.0");
// Add rules
policy.set("rules", createRulesArray(rules));
// Save policy file
String fileName = policyName + ".json";
Path policyPath = Paths.get(policiesDirectory, fileName);
objectMapper.writerWithDefaultPrettyPrinter()
.writeValue(policyPath.toFile(), policy);
return policyPath.toString();
}
private JsonNode createRulesArray(Map<String, Object> ruleConfig) {
List<Map<String, Object>> rules = new ArrayList<>();
// Critical Java vulnerabilities rule
if (ruleConfig.getOrDefault("blockCriticalJava", true)) {
rules.add(createVulnerabilityRule(
"critical_java_vulns", "STOP", "java", "critical"));
}
// High Java vulnerabilities rule
if (ruleConfig.getOrDefault("warnHighJava", true)) {
rules.add(createVulnerabilityRule(
"high_java_vulns", "WARN", "java", "high"));
}
// Base image check
if (ruleConfig.containsKey("allowedBaseImages")) {
rules.add(createBaseImageRule(
"check_base_image", (List<String>) ruleConfig.get("allowedBaseImages")));
}
// Secret detection
if (ruleConfig.getOrDefault("detectSecrets", true)) {
rules.add(createSecretDetectionRule(
"detect_secrets", Arrays.asList("AWS_ACCESS_KEY", "AWS_SECRET_KEY", "PRIVATE_KEY")));
}
return objectMapper.valueToTree(rules);
}
private Map<String, Object> createVulnerabilityRule(String id, String action, 
String packageType, String severity) {
Map<String, Object> rule = new HashMap<>();
rule.put("action", action);
rule.put("gate", "vulnerabilities");
rule.put("id", id);
rule.put("trigger", "package");
List<Map<String, String>> params = new ArrayList<>();
params.add(createParam("package_type", packageType));
params.add(createParam("severity_comparison", ">="));
params.add(createParam("severity", severity));
rule.put("params", params);
return rule;
}
private Map<String, Object> createBaseImageRule(String id, List<String> allowedImages) {
Map<String, Object> rule = new HashMap<>();
rule.put("action", "GO");
rule.put("gate", "dockerfile");
rule.put("id", id);
rule.put("trigger", "instruction");
List<Map<String, String>> params = new ArrayList<>();
params.add(createParam("allowed_images", String.join(",", allowedImages)));
rule.put("params", params);
return rule;
}
private Map<String, Object> createSecretDetectionRule(String id, List<String> patterns) {
Map<String, Object> rule = new HashMap<>();
rule.put("action", "STOP");
rule.put("gate", "secret_scans");
rule.put("id", id);
rule.put("trigger", "content_regex_match");
List<Map<String, String>> params = new ArrayList<>();
params.add(createParam("content_regex_checks", String.join("|", patterns)));
rule.put("params", params);
return rule;
}
private Map<String, String> createParam(String name, String value) {
Map<String, String> param = new HashMap<>();
param.put("name", name);
param.put("value", value);
return param;
}
public String getPolicyPath(String policyName) {
return Paths.get(policiesDirectory, policyName + ".json").toString();
}
}

Vulnerability Analysis and Reporting

1. Vulnerability Analysis Service
// VulnerabilityAnalyzer.java
import com.fasterxml.jackson.databind.JsonNode;
import com.fasterxml.jackson.databind.ObjectMapper;
import java.io.IOException;
import java.nio.file.Path;
import java.util.*;
public class VulnerabilityAnalyzer {
private final ObjectMapper objectMapper;
public VulnerabilityAnalyzer() {
this.objectMapper = new ObjectMapper();
}
public VulnerabilityReport analyzeScanResults(String scanResultsJson) 
throws IOException {
JsonNode scanResult = objectMapper.readTree(scanResultsJson);
VulnerabilityReport report = new VulnerabilityReport();
if (scanResult.has("vulnerabilities")) {
JsonNode vulnerabilities = scanResult.get("vulnerabilities");
for (JsonNode vuln : vulnerabilities) {
Vulnerability vulnerability = parseVulnerability(vuln);
report.addVulnerability(vulnerability);
}
}
report.calculateSummary();
return report;
}
private Vulnerability parseVulnerability(JsonNode vulnNode) {
Vulnerability vuln = new Vulnerability();
vuln.setCveId(vulnNode.path("vuln").asText());
vuln.setSeverity(vulnNode.path("severity").asText());
vuln.setPackageName(vulnNode.path("package").asText());
vuln.setPackageVersion(vulnNode.path("version").asText());
vuln.setPackageType(vulnNode.path("type").asText());
vuln.setFix(vulnNode.path("fix").asText());
vuln.setUrl(vulnNode.path("url").asText());
return vuln;
}
public static class VulnerabilityReport {
private List<Vulnerability> vulnerabilities = new ArrayList<>();
private Map<String, Integer> severityCount = new HashMap<>();
private Map<String, Integer> packageTypeCount = new HashMap<>();
private int totalVulnerabilities;
private int fixableVulnerabilities;
public void addVulnerability(Vulnerability vulnerability) {
vulnerabilities.add(vulnerability);
// Count by severity
String severity = vulnerability.getSeverity();
severityCount.put(severity, severityCount.getOrDefault(severity, 0) + 1);
// Count by package type
String packageType = vulnerability.getPackageType();
packageTypeCount.put(packageType, packageTypeCount.getOrDefault(packageType, 0) + 1);
// Count fixable
if (vulnerability.getFix() != null && !vulnerability.getFix().isEmpty()) {
fixableVulnerabilities++;
}
}
public void calculateSummary() {
totalVulnerabilities = vulnerabilities.size();
}
// Getters
public List<Vulnerability> getVulnerabilities() { return vulnerabilities; }
public Map<String, Integer> getSeverityCount() { return severityCount; }
public Map<String, Integer> getPackageTypeCount() { return packageTypeCount; }
public int getTotalVulnerabilities() { return totalVulnerabilities; }
public int getFixableVulnerabilities() { return fixableVulnerabilities; }
}
public static class Vulnerability {
private String cveId;
private String severity;
private String packageName;
private String packageVersion;
private String packageType;
private String fix;
private String url;
// Getters and setters
public String getCveId() { return cveId; }
public void setCveId(String cveId) { this.cveId = cveId; }
public String getSeverity() { return severity; }
public void setSeverity(String severity) { this.severity = severity; }
public String getPackageName() { return packageName; }
public void setPackageName(String packageName) { this.packageName = packageName; }
public String getPackageVersion() { return packageVersion; }
public void setPackageVersion(String packageVersion) { this.packageVersion = packageVersion; }
public String getPackageType() { return packageType; }
public void setPackageType(String packageType) { this.packageType = packageType; }
public String getFix() { return fix; }
public void setFix(String fix) { this.fix = fix; }
public String getUrl() { return url; }
public void setUrl(String url) { this.url = url; }
}
}
2. Report Generator
// SecurityReportGenerator.java
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.node.ObjectNode;
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.text.SimpleDateFormat;
import java.util.Date;
import java.util.Map;
public class SecurityReportGenerator {
private final ObjectMapper objectMapper;
public SecurityReportGenerator() {
this.objectMapper = new ObjectMapper();
}
public void generateHtmlReport(VulnerabilityAnalyzer.VulnerabilityReport report, 
String outputPath) throws IOException {
String htmlTemplate = loadHtmlTemplate();
String reportContent = generateReportContent(report);
String finalReport = htmlTemplate.replace("{{REPORT_CONTENT}}", reportContent);
Path reportPath = Paths.get(outputPath, "security-report.html");
Files.writeString(reportPath, finalReport);
}
public void generateJsonReport(VulnerabilityAnalyzer.VulnerabilityReport report, 
String outputPath) throws IOException {
ObjectNode jsonReport = objectMapper.createObjectNode();
jsonReport.put("timestamp", new SimpleDateFormat("yyyy-MM-dd HH:mm:ss").format(new Date()));
jsonReport.put("totalVulnerabilities", report.getTotalVulnerabilities());
jsonReport.put("fixableVulnerabilities", report.getFixableVulnerabilities());
// Add severity counts
ObjectNode severityCounts = objectMapper.createObjectNode();
for (Map.Entry<String, Integer> entry : report.getSeverityCount().entrySet()) {
severityCounts.put(entry.getKey(), entry.getValue());
}
jsonReport.set("severityCounts", severityCounts);
Path reportPath = Paths.get(outputPath, "security-report.json");
objectMapper.writerWithDefaultPrettyPrinter()
.writeValue(reportPath.toFile(), jsonReport);
}
private String loadHtmlTemplate() {
return """
<!DOCTYPE html>
<html>
<head>
<title>Container Security Report</title>
<style>
body { font-family: Arial, sans-serif; margin: 20px; }
.summary { background: #f5f5f5; padding: 15px; border-radius: 5px; }
.critical { color: #d73a49; font-weight: bold; }
.high { color: #f66a0a; }
.medium { color: #ffd33d; }
.low { color: #0366d6; }
table { width: 100%; border-collapse: collapse; }
th, td { padding: 8px; text-align: left; border-bottom: 1px solid #ddd; }
th { background-color: #f2f2f2; }
</style>
</head>
<body>
<h1>Container Security Report</h1>
{{REPORT_CONTENT}}
</body>
</html>
""";
}
private String generateReportContent(VulnerabilityAnalyzer.VulnerabilityReport report) {
StringBuilder content = new StringBuilder();
// Summary section
content.append("<div class='summary'>")
.append("<h2>Summary</h2>")
.append("<p>Total Vulnerabilities: ").append(report.getTotalVulnerabilities()).append("</p>")
.append("<p>Fixable Vulnerabilities: ").append(report.getFixableVulnerabilities()).append("</p>");
// Severity breakdown
content.append("<h3>Severity Breakdown</h3>");
for (Map.Entry<String, Integer> entry : report.getSeverityCount().entrySet()) {
content.append("<p class='").append(entry.getKey().toLowerCase()).append("'>")
.append(entry.getKey()).append(": ").append(entry.getValue())
.append("</p>");
}
content.append("</div>");
// Vulnerabilities table
content.append("<h2>Vulnerabilities</h2>")
.append("<table>")
.append("<tr><th>CVE ID</th><th>Severity</th><th>Package</th><th>Fix</th></tr>");
for (VulnerabilityAnalyzer.Vulnerability vuln : report.getVulnerabilities()) {
content.append("<tr>")
.append("<td><a href='").append(vuln.getUrl()).append("'>").append(vuln.getCveId()).append("</a></td>")
.append("<td class='").append(vuln.getSeverity().toLowerCase()).append("'>").append(vuln.getSeverity()).append("</td>")
.append("<td>").append(vuln.getPackageName()).append(" ").append(vuln.getPackageVersion()).append("</td>")
.append("<td>").append(vuln.getFix() != null ? vuln.getFix() : "No fix available").append("</td>")
.append("</tr>");
}
content.append("</table>");
return content.toString();
}
}

Best Practices and Optimization

1. Performance Optimization
#!/bin/bash
# optimized-scan.sh
# Use specific version for reproducibility
ANCHORE_IMAGE="anchore/inline-scan:0.9.0"
# Cache vulnerability database
docker volume create anchore-db
# Optimized scan command
docker run --rm \
-v /var/run/docker.sock:/var/run/docker.sock \
-v anchore-db:/root/.cache/anchore \
$ANCHORE_IMAGE \
-t $1 \
-f json \
--timeout 300 \
--skip-policy-update
2. Java Integration Best Practices
// SecurityScanManager.java
import java.util.concurrent.*;
public class SecurityScanManager {
private final ExecutorService executorService;
private final AnchoreSecurityScanner scanner;
public SecurityScanManager() {
this.executorService = Executors.newFixedThreadPool(3);
this.scanner = new AnchoreSecurityScanner();
}
public CompletableFuture<ScanResult> scanImageAsync(String imageName, String imageTag) {
return CompletableFuture.supplyAsync(() -> {
try {
AnchoreSecurityScanner.ScanConfig config = new AnchoreSecurityScanner.ScanConfig();
config.setFailOnPolicy(true);
config.setTimeout(300);
return scanner.scanImage(imageName, imageTag, config);
} catch (AnchoreSecurityScanner.ScanException e) {
throw new RuntimeException("Async scan failed", e);
}
}, executorService);
}
public void shutdown() {
executorService.shutdown();
try {
if (!executorService.awaitTermination(60, TimeUnit.SECONDS)) {
executorService.shutdownNow();
}
} catch (InterruptedException e) {
executorService.shutdownNow();
Thread.currentThread().interrupt();
}
}
}
3. Error Handling and Retry Logic
// RetryableSecurityScanner.java
import java.util.concurrent.atomic.AtomicInteger;
public class RetryableSecurityScanner {
private final AnchoreSecurityScanner scanner;
private final int maxRetries;
private final long retryDelayMs;
public RetryableSecurityScanner(int maxRetries, long retryDelayMs) {
this.scanner = new AnchoreSecurityScanner();
this.maxRetries = maxRetries;
this.retryDelayMs = retryDelayMs;
}
public AnchoreSecurityScanner.ScanResult scanWithRetry(String imageName, String imageTag) 
throws AnchoreSecurityScanner.ScanException {
AtomicInteger attempt = new AtomicInteger(0);
AnchoreSecurityScanner.ScanException lastException = null;
while (attempt.get() < maxRetries) {
try {
AnchoreSecurityScanner.ScanConfig config = new AnchoreSecurityScanner.ScanConfig();
return scanner.scanImage(imageName, imageTag, config);
} catch (AnchoreSecurityScanner.ScanException e) {
lastException = e;
attempt.incrementAndGet();
if (attempt.get() < maxRetries) {
System.out.println("Scan attempt " + attempt.get() + " failed, retrying...");
try {
Thread.sleep(retryDelayMs);
} catch (InterruptedException ie) {
Thread.currentThread().interrupt();
throw new AnchoreSecurityScanner.ScanException("Scan interrupted", ie);
}
}
}
}
throw new AnchoreSecurityScanner.ScanException(
"All scan attempts failed after " + maxRetries + " retries", lastException);
}
}

Conclusion

Anchore Inline Scan provides:

  • Comprehensive container security scanning for Java applications
  • Policy-based evaluation with custom security rules
  • Seamless CI/CD integration across multiple platforms
  • Detailed vulnerability reporting and analysis
  • Flexible configuration for different security requirements

By implementing the patterns and configurations shown above, you can create a robust container security scanning pipeline that identifies vulnerabilities early, enforces security policies, and maintains the security posture of your Java containerized applications throughout their lifecycle.

Secure Java Dependency Management, Vulnerability Scanning & Software Supply Chain Protection (SBOM, SCA, CI Security & License Compliance)

https://macronepal.com/blog/github-code-scanning-in-java-complete-guide/
Explains GitHub Code Scanning for Java using tools like CodeQL to automatically analyze source code and detect security vulnerabilities directly inside CI/CD pipelines before deployment.

https://macronepal.com/blog/license-compliance-in-java-comprehensive-guide/
Explains software license compliance in Java projects, ensuring dependencies follow legal requirements (MIT, Apache, GPL, etc.) and preventing license violations in enterprise software.

https://macronepal.com/blog/container-security-for-java-uncovering-vulnerabilities-with-grype/
Explains using Grype to scan Java container images and filesystems for known CVEs in OS packages and application dependencies to improve container security.

https://macronepal.com/blog/syft-sbom-generation-in-java-comprehensive-software-bill-of-materials-for-jvm-applications/
Explains using Syft to generate SBOMs (Software Bill of Materials) for Java applications, listing all dependencies, libraries, and components for supply chain transparency.

https://macronepal.com/blog/comprehensive-dependency-analysis-generating-and-scanning-sboms-with-trivy-for-java/
Explains using Trivy to generate SBOMs and scan Java dependencies and container images for vulnerabilities, integrating security checks into CI/CD pipelines.

https://macronepal.com/blog/dependabot-for-java-in-java/
Explains GitHub Dependabot for Java projects, which automatically detects vulnerable dependencies and creates pull requests to update them securely.

https://macronepal.com/blog/parasoft-jtest-in-java-comprehensive-guide-to-code-analysis-and-testing/
Explains Parasoft Jtest, a static analysis and testing tool for Java that helps detect bugs, security issues, and code quality problems early in development.

https://macronepal.com/blog/snyk-open-source-in-java-comprehensive-dependency-vulnerability-management-2/
Explains Snyk Open Source for Java, which continuously scans dependencies for vulnerabilities and provides automated fix suggestions and monitoring.

https://macronepal.com/blog/owasp-dependency-check-in-java-complete-vulnerability-scanning-guide/
Explains OWASP Dependency-Check, which scans Java dependencies against the National Vulnerability Database (NVD) to detect known security vulnerabilities.

https://macronepal.com/blog/securing-your-dependencies-a-java-developers-guide-to-whitesource-mend-bolt/
Explains Mend (WhiteSource) Bolt for Java, a dependency management and SCA tool that provides vulnerability detection, license compliance, and security policy enforcement in enterprise environments.

Category : JAVA

Leave a Reply

Your email address will not be published. Required fields are marked *


Macro Nepal Helper