Environments #

Note

This feature is in beta testing.

Environment logging and scanning#

Administrators can enhance organizational security by requiring members to enable automated logging for their local conda environments. Automated tracking of user environments offers several benefits for both administrators and users.

Administrators can monitor the packages installed in user environments, view any Common Vulnerabilities and Exposures (CVEs) associated with them and, if necessary, enforce security standards by blocking the environment from use. IT administrators can also provide a custom message to guide users through environment remediation. This telemetric data assists your IT administrators with auditing tasks by ensuring users are compliant with your security requirements and providing historical tracking for infrastructure audits.

Members can use these tools to ensure their local environments are in compliance with organizational security requirements and avoid machine quarantines or losing access to an environment due to administrator intervention.

Note

Implementing environment logging requires coordination at the organizational level to ensure all members are logging their environments properly.

Enabling environment management#

Prerequisites#

Environment logging and scanning requires the following:

  • An anaconda.cloud account

  • Python 3.10 or later in your (base) environment

    Verifying Python in your (base) environment

    Check to see which Python version you have in (base) by opening Anaconda Prompt (Terminal for macOS/Linux) and running the following command:

    python -V
    

    The output of the command might look something similar to this:

    If you need to upgrade Python, run the following command:

    conda update --name base python
    

    Caution

    Updating Python in your (base) environment can affect other installed packages. Review the proposed changes carefully before proceeding.

Installing required plugins#

Environment logging and scanning requires the installation of a few plugins in your (base) environment that expand the functionality of conda.

Obtain the necessary plugins by installing the anaconda-env-manager “metapackage” (which contains all of the plugins listed below). To install anaconda-env-manager, run the following command:

conda install --name base anaconda-cloud::anaconda-env-manager

Here is a brief description of the plugins provided by the anaconda-env-manager metapackage:

  • anaconda-env-log - Automatically logs the current state of an environment whenever a user performs a create, install, remove, rename, or update action with conda (manual logging of existing environments is also supported)

  • anaconda-activate-check - Provides checks that validate environments against administrator-defined security controls before activation and notifies users of warnings or access restrictions with guidance for resolution.

  • anaconda-audit - Allows you to scan local environments to assess the security impact of actions like installing or updating packages, so you can proactively address potential issues without requiring administrator intervention. It also serves as a valuable tool for identifying issues when troubleshooting security concerns flagged by administrators.

Note

If you already have it installed, it is a good idea to keep it updated by running conda update anaconda-env-manager.

Registering your organization#

To ensure your environments are properly logged to your organization on Anaconda Cloud, you must log in via the CLI and register your organization with conda. To register your organization:

  1. Open Anaconda Prompt (Terminal on macOS/Linux).

  2. Log in to Anaconda Cloud by running the following command:

    anaconda login --at cloud
    

    You will be prompted for your username and password. Enter your Anaconda Cloud credentials and complete the login process in the browser window that opens.

  3. After successfully logging in, return to the command line and register your organization by running the following command:

    # Replace <ORG_ID> with your ORG_ID (found in your organization's URL —
    # https://anaconda.cloud/organizations/<ORG_ID>)
    conda env-log register -o <ORG_ID>
    

With the organization registered (and anaconda-env-log installed in the (base) environment), newly created environments are logged to the registered organization.

Logging environments#

With anaconda-env-log installed, all newly created environments are automatically logged within conda, and existing environments are automatically logged whenever you perform certain conda actions (install, remove, rename, or update) in them. Existing environments can also be logged manually by running the following command:

Caution

You must log in to Anaconda Cloud using the CLI prior to manually logging an environment.

# Replace <ENV_NAME> with the  name of the environment you want to log to your organization
conda env-log log --name <ENV_NAME>

Viewing logged environments#

Environments logged with an organization can be viewed at any time from the Environments page. Members can view the environments they’ve logged, while administrators have access to view every environment logged with the organization.

  1. Navigate to your Organizations page.

  2. Select your organization.

  3. Select Environments from the left-hand navigation.

The Environments page shows you:
  • Environment names and locations

  • The number of packages in the environments

  • The number of CVEs associated with the packages in the environments

  • The environment’s creator

  • The last time the environments were updated

Tip

Use the filters at the top of the table to locate environments efficiently.

Exploring logged environments#

Environments that are logged with an organization can be browsed to gain insights into the packages that they contain. You can see which packages are present in the environment as well as any CVEs associated with them.

Viewing environment packages#

The environment’s Packages page shows you which packages are in an environment and what channels they were sourced from.

  1. Navigate to your Organizations page.

  2. Select your organization.

  3. Select Environments from the left-hand navigation.

  4. Select the package count displayed under the PACKAGES column.

Note

Use the navigation controls at the bottom to browse the environment’s packages.

Viewing CVEs#

The CVEs panel shows all of the CVEs associated with the environment by name and severity.

  1. Navigate to your Organizations page.

  2. Select your organization.

  3. Select Environments from the left-hand navigation.

  4. Select the CVE count displayed under the CVES column.

Use the filters at the top of the panel to locate critical CVEs efficiently.

Narrow your view to CVEs associated with a specific package in an environment:

  1. Navigate to your Organizations page.

  2. Select your organization.

  3. Select Environments from the left-hand navigation.

  4. Select the package count displayed under the PACKAGES column.

  5. Locate the package.

  6. Click the CVE count displayed under the CVE column beside the package.

Note

Scanning environments#

Scanning an environment checks the most recently saved conda environment log for CVEs associated with the packages it contains.

Note

Environments are automatically scanned when created, but not when they are logged or when the log updates. To ensure an accurate assessment of an environment’s current CVE state, perform a scan before you explore it in Anaconda Cloud. You can also scan environments locally to identify potential issues immediately.

To scan an environment that has been logged with an organization:

  1. Navigate to your Organizations page.

  2. Select your organization.

  3. Select Environments from the left-hand navigation.

  4. Select the environment you want to scan from the list.

  5. Click Update Scan.

    Note

    There is no visual notification that the scan has performed. After scanning, review the packages in the environment for newly associated CVEs.

Use anaconda-audit to scan a local environment.

  1. Open Anaconda Prompt (Terminal on macOS/Linux).

  2. Scan an environment by running the following command:

    # Replace <ENV_NAME> with the name of the environment you want to scan
    anaconda audit scan --name <ENV_NAME>
    

Blocking environments#

Administrators can take action on environments that don’t meet security standards by utilizing organizational environment security status controls, which allow them to place a warning on an environment or block access to it completely. In both cases, administrators can enter a personalized message with guidance on what actions must be taken to restore access. Organization members who have had their environment blocked will receive the administrator’s message next time they try to activate the environment.

  1. Navigate to your Organizations page.

  2. Select your organization.

  3. Select Environments from the left-hand navigation.

  4. Select the environment you want to take action on.

  5. Click Update Status.

  6. Select a status to apply to the environment and enter a custom message, if necessary.

  7. Click Save.

Archiving environments#

Archiving environments allows administrators to maintain an organized workspace by moving inactive or obsolete environments to a dedicated tab. This separation reduces clutter in the active environment list, making it easier to manage.

  1. Navigate to your Organizations page.

  2. Select your organization.

  3. Select Environments from the left-hand navigation.

  4. Select the environment you want to take action on.

  5. Click Archive.

Note

Archived environments are still available for use. If you would like to prevent the environment from being used, block the environment.