This repository has been archived by the owner on Jan 27, 2023. It is now read-only.
-
Notifications
You must be signed in to change notification settings - Fork 271
/
default_config.yaml
201 lines (184 loc) · 8 KB
/
default_config.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
# Anchore Engine default configuration file bundled into the container. These values should provide a simple starting point
# To fully customize configuration, provide a different config.yaml to container at startup by mounting a directory
# at /config that has the config.yaml
# These defaults are intended to serve a deployment where each service is started in its own container with individual overrides
# for values like the endpoint hostname. This config provides a uniform setting of those such that env vars passed in from
# execution will overwrite values needed.
service_dir: ${ANCHORE_SERVICE_DIR}
tmp_dir: /analysis_scratch
log_level: ${ANCHORE_LOG_LEVEL}
# When set, if a registry credential username is set to 'iamauto' for an ecr registry, the engine will
# use whatever aws creds are available in the standard boto search path (.aws, env, etc)
allow_awsecr_iam_auto: true
host_id: "${ANCHORE_HOST_ID}"
internal_ssl_verify: ${ANCHORE_INTERNAL_SSL_VERIFY}
global_client_connect_timeout: ${ANCHORE_GLOBAL_CLIENT_CONNECT_TIMEOUT}
global_client_read_timeout: ${ANCHORE_GLOBAL_CLIENT_READ_TIMEOUT}
# Twisted has a global server side timeout on all established connections which defaults to 60, anything lasting longer
# than this (+ a 15 min abort final timeout) will have the connection killed by twisted
server_request_timeout_seconds: ${ANCHORE_GLOBAL_SERVER_REQUEST_TIMEOUT_SEC}
auto_restart_services: false
# Locations for keys used for signing and encryption. Only one of 'secret' or 'public_key_path'/'private_key_path' needs to be set. If all are set then the keys take precedence over the secret value
# Secret is for a shared secret and if set, all components in anchore should have the exact same value in their configs.
#
keys:
secret: ${ANCHORE_AUTH_SECRET}
public_key_path: ${ANCHORE_AUTH_PUBKEY}
private_key_path: ${ANCHORE_AUTH_PRIVKEY}
# Configuring supported user authentication and credential management
user_authentication:
oauth:
enabled: ${ANCHORE_OAUTH_ENABLED}
default_token_expiration_seconds: ${ANCHORE_OAUTH_TOKEN_EXPIRATION}
# Set this to True to enable storing user passwords only as secure hashes in the db. This can dramatically increase CPU usage if you
# don't also use oauth and tokens for internal communications (which requires keys/secret to be configured as well)
# WARNING: you should not change this after a system has been initialized as it may cause a mismatch in existing passwords
hashed_passwords: ${ANCHORE_AUTH_ENABLE_HASHED_PASSWORDS}
metrics:
enabled: ${ANCHORE_ENABLE_METRICS}
auth_disabled: ${ANCHORE_DISABLE_METRICS_AUTH}
# Uncomment if you have a local endpoint that can accept
# notifications from the anchore-engine, as configured below
# This section is only required on the catalog service containers
webhooks:
webhook_user: null
webhook_pass: null
ssl_verify: false
general:
url: ${ANCHORE_WEBHOOK_DESTINATION_URL}
policy_eval: {}
event_log: {}
# As of 0.3.0 this section is used instead of the credentials.users section
# Can be omitted and will default to 'foobar' on db initialization
default_admin_password: ${ANCHORE_ADMIN_PASSWORD}
# Can be ommitted and will default to 'admin@myanchore'
default_admin_email: ${ANCHORE_ADMIN_EMAIL}
credentials:
database:
db_connect: 'postgresql://${ANCHORE_DB_USER}:${ANCHORE_DB_PASSWORD}@${ANCHORE_DB_HOST}:${ANCHORE_DB_PORT}/${ANCHORE_DB_NAME}'
db_connect_args:
timeout: 120
ssl: false
db_pool_size: 30
db_pool_max_overflow: 100
# Defines a maximum compressed image size (MB) to be added for analysis
# Value < 0 disables feature
# Disabled by default
max_compressed_image_size_mb: ${ANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB}
services:
apiext:
enabled: true
require_auth: true
endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}'
listen: '0.0.0.0'
port: ${ANCHORE_SERVICE_PORT}
authorization_handler: ${ANCHORE_AUTHZ_HANDLER}
authorization_handler_config:
endpoint: ${ANCHORE_EXTERNAL_AUTHZ_ENDPOINT}
catalog:
enabled: true
require_auth: true
endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}'
listen: '0.0.0.0'
port: ${ANCHORE_SERVICE_PORT}
# NOTE: use the below external_* parameters to define the port/tls
# setting that will allow other internal services to access this
# service - if left unset services will use the above,
# e.g. http://<endpoint_hostname>:<port>
external_port: ${ANCHORE_EXTERNAL_PORT}
external_tls: ${ANCHORE_EXTERNAL_TLS}
archive:
compression:
enabled: false
min_size_kbytes: 100
storage_driver:
name: db
config: {}
cycle_timer_seconds: 1
cycle_timers:
image_watcher: 3600
policy_eval: 3600
vulnerability_scan: 14400
analyzer_queue: 1
notifications: ${ANCHORE_CATALOG_NOTIFICATION_INTERVAL_SEC}
service_watcher: 15
policy_bundle_sync: 300
repo_watcher: 60
archive_tasks: 43200 # 12 hours between archive task run
image_gc: 60
image_gc:
max_worker_threads: 1
event_log:
notification:
enabled: ${ANCHORE_EVENTS_NOTIFICATIONS_ENABLED}
# (optional) notify events that match these levels. If this section is commented, notifications for all events are sent
level:
- error
simplequeue:
enabled: true
require_auth: true
endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}'
listen: '0.0.0.0'
port: ${ANCHORE_SERVICE_PORT}
external_port: ${ANCHORE_EXTERNAL_PORT}
external_tls: ${ANCHORE_EXTERNAL_TLS}
analyzer:
enabled: true
require_auth: true
cycle_timer_seconds: 1
max_threads: 1
analyzer_driver: 'nodocker'
endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}'
listen: '0.0.0.0'
port: ${ANCHORE_SERVICE_PORT}
external_port: ${ANCHORE_EXTERNAL_PORT}
external_tls: ${ANCHORE_EXTERNAL_TLS}
enable_hints: ${ANCHORE_HINTS_ENABLED}
enable_owned_package_filtering: ${ANCHORE_ENABLE_PACKAGE_FILTERING}
policy_engine:
enabled: true
require_auth: true
endpoint_hostname: '${ANCHORE_ENDPOINT_HOSTNAME}'
listen: '0.0.0.0'
port: ${ANCHORE_SERVICE_PORT}
external_port: ${ANCHORE_EXTERNAL_PORT}
external_tls: ${ANCHORE_EXTERNAL_TLS}
cycle_timer_seconds: 1
cycle_timers:
feed_sync: ${ANCHORE_FEED_SYNC_INTERVAL_SEC} # 6 hours between feed syncs
feed_sync_checker: 3600 # 1 hour between checks to see if there needs to be a task queued
grypedb_sync: 60 # 1 minute between checks to verify local grype-db is up to date
vulnerabilities:
# Available providers are legacy and grype. Legacy provider offers the same matching logic as previous versions of anchore-engine (<= 0.9.4)
# grype is a new provider that was introduced in 1.0.0, it uses the grype tool for all things vulnerabilities
provider: ${ANCHORE_VULNERABILITIES_PROVIDER}
sync:
enabled: ${ANCHORE_FEEDS_ENABLED}
ssl_verify: ${ANCHORE_FEEDS_SSL_VERIFY}
connection_timeout_seconds: 3
read_timeout_seconds: 60
data:
# grypedb feed is synced if the provider is set to grype. All the remaining feeds except for packages are ignored even if they are enabled
grypedb:
enabled: true
url: ${ANCHORE_GRYPE_DB_URL}
# The following feeds are synced if provider is set to legacy
vulnerabilities:
enabled: true
url: ${ANCHORE_FEEDS_URL}
nvdv2:
enabled: true
url: ${ANCHORE_FEEDS_URL}
github:
enabled: true
url: ${ANCHORE_FEEDS_URL}
# VulnDB feed is available only in anchore-enterprise
#vulndb:
# enabled: true
# url: ${ANCHORE_FEEDS_URL}
# Warning: enabling the packages and nvd sync causes the service to require much
# more memory to do process the significant data volume. We recommend at least 4GB available for the container
# packages feed is synced if it is enabled regardless of the provider
#packages:
# enabled: true
# url: ${ANCHORE_FEEDS_URL}