Anchore

Latest version: v1.1.7


1.1.7

+ Added new analyzers and queries for gathering and querying python packages and java packages
+ Added a new secret check analyzer (similar to the existing content check analyzer, but specifically for naming secret/key regexps by name)
+ Minor bug fixes and improvements

1.1.6

+ Added new analyzer for storing metadata from installed package manager about files owned by packages
+ Break out a new analyzer that searches container contents for secrets (separate from existing content_search) with ability for user to use named tags for secret searches that can then be used in policy evaluations
+ Minor bug fixes and improvements

1.1.5

+ Added detected OS string 'redhat' to map to RHEL flavor for package/vuln mapping (for example, now support Scientific Linux)
+ Improved feed sync memory efficiency and reduced the need for frequent --do-compact sync runs
+ Improved analysis time by removing extra image copy for layer/familytree discovery
+ Cleaned up some dead code and fixed outdated in-code documentation links (contributed by Matt Jaynes <mattnanobeep.com>)

1.1.4

+ New feature 'policy bundles' which is a compact JSON document that contains policies, whitelists, and mapping rules (which match image registry/repository/tag names with specified policy/whitelists)
+ New Dockerfiles
+ Added Vagrantfile for setting up a vagrant environment with anchore installed (contributed by wurstbrot <githubtimo-pagel.de>)
+ Added option --imageid to anchore toolbox for faster image lookup
+ Added ability to specify environment variables for username/password (ANCHOREUSER, ANCHOREPASS) for better scriptability of 'anchore login'
+ Added better wildcard matcher for whitelisted items (now supports triggerId strings of the form (for example) \*-busybox, CVE-\*, \*2016\*busybox\*)
+ Fixed issue in --do-compact logic where older vulnerability records were sometimes being evaluated before newer records, if rapid vulnerability updates were made within a short amount of time (multiple updates in under a day)
+ Minor bug fixes and code cleanup
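The whitelist wildcard forms listed above (\*-busybox, CVE-\*, \*2016\*busybox\*) can be evaluated with a small anchored glob-to-regex matcher. This is an added illustration, not anchore's own implementation; the triggerId values and whitelist entries are constructed, and the `action` field is an assumed stand-in for a gate result.

```python
import re
from typing import List, Optional, Tuple

# Constructed example, not code from the anchore project. It mimics the
# whitelist wildcard forms described in the 1.1.4 notes: '*' anywhere in
# the pattern matches any run of characters, everything else is literal.


def wildcard_to_regex(pattern: str) -> "re.Pattern[str]":
    """Turn a whitelist pattern into an anchored regex.

    Only '*' is special. Other regex metacharacters that can appear in a
    triggerId ('.', '+', ...) are escaped so they cannot widen the match,
    and the anchors stop '*-busybox' from matching '...-busybox-libs'.
    """
    literal_parts = [re.escape(p) for p in pattern.split("*")]
    return re.compile("^" + ".*".join(literal_parts) + "$")


def is_whitelisted(trigger_id: str, whitelist: List[str]) -> Optional[str]:
    """Return the first whitelist pattern that matches trigger_id, else None."""
    for pattern in whitelist:
        if wildcard_to_regex(pattern).match(trigger_id):
            return pattern
    return None


def evaluate(findings: List[Tuple[str, str]], whitelist: List[str]) -> dict:
    """Split (triggerId, action) findings into active and whitelisted sets.

    Each whitelisted entry records which pattern suppressed it, which is the
    information an auditor wants when reviewing why a finding was silenced.
    """
    active, whitelisted = [], []
    for trigger_id, action in findings:
        hit = is_whitelisted(trigger_id, whitelist)
        if hit is None:
            active.append((trigger_id, action))
        else:
            whitelisted.append((trigger_id, action, hit))
    return {"active": active, "whitelisted": whitelisted}


# Constructed ANCHORESEC-style findings; the CVE ids are made up.
SAMPLE_FINDINGS = [
    ("CVE-2016-1234-busybox", "STOP"),
    ("CVE-2017-5000-openssl", "STOP"),
    ("PKGVULN-2016-0001-busybox-libs", "WARN"),
]
SAMPLE_WHITELIST = ["*-busybox", "*2016*busybox*"]
```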

1.1.3

+ New option to analyze (--layerstrategy) which allows the user to select which intermediate images are analyzed between the specified image and the earliest image in the familytree. The default behavior now is to analyze only images marked as 'base' in the familytree, as well as the specified image and the earliest image in the tree.
+ Added ability to use a prefix wildcard (*) character in anchore global whitelists
+ Added new triggers (PKGVULN*) to the ANCHORESEC gate, which allows global whitelisting of CVE+PKG vulnerabilities

1.1.2

+ Lots of new anchore modules (run 'anchore query' for a list of new queries, and 'anchore gate --show-gatehelp' for a list of new policy/gate items)
+ Added gate modules for checking status of NPM and GEM packages (npm_check and gem_check)
+ Added gate modules for specifying license and package blacklists (license_blacklist and package_blacklist)
+ Added gate module that checks for package existence (check_package_info)
+ Added gate module that checks that the base image is up to date (check_image)
+ Added trigger to the dockerfile gate module for ensuring HEALTHCHECK is present in Dockerfiles
+ Added trigger to the dockerfile gate module for ensuring that a Dockerfile exists
+ Added query for listing files that are not known to be owned by any installed package
+ Added queries for getting more detail about installed packages (list-package-detail, list-package-licenses)
+ Minor bug fixes and error reporting improvements
