Enabling environment management allows organization administrators to monitor the packages installed in your local environments, view any common vulnerabilities and exposures (CVEs) associated with them, and, if necessary, enforce security standards by temporarily blocking your environment from use while offering guidance on remediating the issue. You can use these tools to ensure your local environments are in compliance with organizational security requirements and avoid machine quarantines or losing access to an environment due to administrator intervention.

Enabling environment management

In order to utilize the Environments feature, you must first complete the required setup steps.

Prerequisites

Environment logging and scanning requires the following:
  • An Anaconda.com account
  • Python 3.10 or later in your (base) environment

Installing required plugins

Environment logging and scanning requires the installation of a few plugins in your (base) environment that expand the functionality of conda. Obtain the necessary plugins by installing the anaconda-env-manager “metapackage” (which contains all of the plugins listed below). To install anaconda-env-manager, run the following command:
conda install --name base anaconda-cloud::anaconda-env-manager

Registering your organization

To ensure your environments are properly logged to your organization on Anaconda.com, you must log in via the CLI and register your organization with conda. To register your organization:
  1. Open Anaconda Prompt (Terminal on macOS/Linux).
  2. Authenticate to Anaconda by running the following command:
    anaconda login --at anaconda.com
    
    When prompted for your username and password, enter your Anaconda.com credentials and complete the login process in the browser window that opens.
  3. After successfully logging in, return to the command line and register your organization by running the following command:
    # Replace <ORG_ID> with your ORG_ID — found in your organization's URL —
    # https://anaconda.com/app/organizations/<ORG_ID>
    conda env-log register --organization-name <ORG_ID>
    
With the organization registered (and anaconda-env-log installed in the (base) environment), newly created environments are logged to the registered organization.

Logging environments

With anaconda-env-log installed, all newly created environments are automatically logged within conda, and existing environments are automatically logged whenever you perform certain conda actions (install, remove, rename, or update) in them. Existing environments can also be logged manually.
You must log in to Anaconda.com using the CLI prior to manually logging an environment. To log an environment manually, run the following commands:
anaconda login --at anaconda.com
# Replace <ENV_NAME> with the name of the environment you want to log to your organization
conda env-log log --name <ENV_NAME>

Viewing logged environments

Environments logged with an organization can be viewed at any time from the Environments page.
  1. Navigate to your Organizations page.
  2. Select your organization.
  3. Under Org Management, select Environments.
The Environments page shows you:
  • Environment paths
  • The number of CVEs associated with the packages in the environments and how many have an Active status.
  • The number of packages in the environments
  • The last time the environments were updated
Use the search and filters at the top of the table to locate environments efficiently.

Exploring logged environments

Browse your logged environments to gain insights into the packages that they contain. You can see which packages are present in the environment as well as any CVEs associated with them.

Viewing environment packages

The environment’s Packages page shows you which packages are in an environment and what channels they were sourced from.
  1. Navigate to your Organizations page.
  2. Select your organization.
  3. Under Org Management, select Environments.
  4. Select the package count displayed under the PACKAGES column.
    Use the navigation controls at the bottom to browse the environment’s packages.

Viewing environment CVEs

The CVEs panel shows all of the CVEs associated with the environment by name and severity.
  1. Navigate to your Organizations page.
  2. Select your organization.
  3. Under Org Management, select Environments.
  4. Select the CVE count displayed under the CVES column. Use the filters at the top of the panel to locate critical CVEs efficiently.
The active filter is automatically applied to the CVE panel’s displayed results.
For additional information about a CVE, search for it in a channel that has no policy applied.

Scanning environments

Scanning an environment checks the most recently saved conda environment log for CVEs associated with the packages it contains.
Environments are automatically scanned when created, but not when they are logged or when the log updates. To ensure an accurate assessment of an environment’s current CVE state, perform a scan before you explore it in Anaconda.com. You can also scan environments locally to identify potential issues immediately.
Use anaconda-audit to scan a local environment. To scan an environment, open Anaconda Prompt (Terminal on macOS/Linux) and run the following command:
# Replace <ENV_NAME> with the name of the environment you want to scan
anaconda audit scan --name <ENV_NAME>
This command uses the default conda environment path prefix (opt/anaconda3/envs/). If you have environments in non-default locations, you can use the --prefix flag to specify the path to the environment. For example:
# Replace <ENV_NAME> with the name of your environment
anaconda audit scan --prefix /path/to/env/<ENV_NAME>
To scan an environment for a specific CVE:
Open Anaconda Prompt and run the following command:
# Replace <ENV_NAME> with the name of your environment
# Replace <CVE_NAME> with the name of the CVE you want to check for
anaconda audit scan --prefix /path/to/env/<ENV_NAME> | findstr "<CVE_NAME>" 
The audit scan returns a list of environment packages, and displays the following information for each package:
  • Version number
  • Build number
  • Source channel
  • CVE curation status
  • CVSS score
  • CVE status
A summary of the scan results is displayed at the end of the scan that shows a matrix of the number of CVEs and their statuses by severity level.
Scan results are color coded to help you identify the CVE severity, and a checkmark is displayed beside a CVE name to indicate that it has undergone Anaconda curation. CVEs that are stricken through have a status of cleared and are safe to use in your environment.
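
The scan commands above handle one environment at a time, and the findstr filter only exists in Anaconda Prompt on Windows. The script below is an added example, not Anaconda's own code: it runs anaconda audit scan --prefix for every environment conda reports, including those in non-default locations, and can keep only the lines that mention one CVE. The function names are hypothetical; it assumes conda env list --json reports environment paths under the "envs" key and treats the scan output as plain text lines.

```python
"""Added example: run `anaconda audit scan --prefix` for every conda environment."""
import json
import subprocess
import sys


def run_cli(argv, check=True):
    """Run a command and return its stdout as text."""
    return subprocess.run(argv, capture_output=True, text=True, check=check).stdout


def env_prefixes(run=run_cli):
    """Paths of all environments conda knows about, default location or not.
    Assumes `conda env list --json` reports them under the "envs" key."""
    return json.loads(run(["conda", "env", "list", "--json"]))["envs"]


def matching_lines(scan_output, cve_id):
    """Keep the lines that mention cve_id, as `| findstr "<CVE_NAME>"` does,
    but ignoring case so the result is the same on every platform."""
    needle = cve_id.lower()
    return [line for line in scan_output.splitlines() if needle in line.lower()]


def scan_all(cve_id=None, run=run_cli):
    """Scan each environment and return {prefix: [output lines]}.
    With cve_id, only matching lines are kept and environments without a
    matching line are omitted."""
    results = {}
    for prefix in env_prefixes(run):
        # The page does not document the scan's exit status, so it is not checked.
        output = run(["anaconda", "audit", "scan", "--prefix", prefix], check=False)
        lines = matching_lines(output, cve_id) if cve_id else output.splitlines()
        if lines:
            results[prefix] = lines
    return results


if __name__ == "__main__":
    # Usage: python scan_all_envs.py [CVE_NAME]
    cve = sys.argv[1] if len(sys.argv) > 1 else None
    for prefix, lines in scan_all(cve).items():
        print(f"== {prefix}")
        print("\n".join(lines))
```

Run it from the (base) environment after logging in, so that both conda and the anaconda CLI are on the path.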