The ASD Essential 8 policy pack maps the Australian Signals Directorate’s Essential Eight mitigation strategies to checks that the Anchore Enterprise policy engine can evaluate against container images. The pack covers Maturity Levels 1 through 3 and ships as a single bundle ready to import as a policy.
What’s in the Pack
- Pack name: Anchore ASD Essential 8 — Maturity Levels 1 to 3
- Frameworks covered: Australian Signals Directorate (ASD) Essential Eight, Maturity Levels 1–3
- Artifact coverage: container images and SBOMs. The pack ships rule sets for both, plus the mappings that bind each rule set to its artifact type.
- Rule set organization: rule sets are named by Essential Eight control identifier (for example
Patch OS ISM-1876), covering the subset of mitigation strategies that are reachable from artifact content.
The pack maps the Essential Eight controls that depend on artifact content — patching status, package version currency, configuration of distributed software — into rule sets the engine can evaluate. Controls that depend on organizational process, network configuration, or runtime posture are out of scope for a container-image or SBOM policy and are not represented in the bundle.
How to Use the Pack
Import the pack like any other policy — see Manage Policies for the GUI, AnchoreCTL, and API workflows. Once imported, scope it to the registries and repositories it should apply to through Policy Mappings, and attach any allowlists you need before activating it as the account’s default policy.
The ASD Essential 8 pack is intended as a starting point. Most teams customize mappings, attach allowlists for accepted risks, or layer additional rule sets on top before activating the pack against production registries.