This is the multi-page printable view of this section. Click here to print.

Return to the regular view of this page.

Deploying Anchore Enterprise

Anchore Enterprise and its components are delivered as Docker container images which can be deployed as co-located, fully distributed, or anything in-between. Anchore Enterprise can run on a single host or be deployed in a scale out pattern for increased analysis throughput.

To get up and running, jump to the following guides of your choosing:

Anchore Enterprise Container Images

Anchore Enterprise Cloud Images

AnchoreCTL

1 - Requirements

This section details the general requirements for running Anchore Enterprise. For a conceptual understanding of Anchore Enterprise, please see the Overview topic prior to deploying the software.

Runtime

Anchore Enterprise requires a Docker compatible runtime (version 1.12 or higher) on either AMD or Intel-based amd64 architecture.

Deployment is supported on:

  • Docker Compose (only recommended for testing, for example demo or proof-of-concept < 1000 SBOMs)
  • Any Kubernetes Certified Service Provider (KSCP) as certified by the Cloud Native Computing Foundation (CNCF) via Helm.
  • Any Kubernetes Certified Distribution as certified by the Cloud Native Computing Foundation (CNCF) via Helm.
  • Amazon Elastic Container Service (ECS) via Helm.

Resourcing

Use-case and usage patterns will determine the resource requirements for Anchore Enterprise. When deploying via Helm (package manager for Kubernetes), requests and limits are set in the values.yaml file. When deploying via Docker Compose, add reservations and limits into your Docker Compose file. The following recommendations can get you started:

  • Requests specify the desired resource amounts for the container, while limits specify the maximum resource amounts the container is allowed. To achieve best QoS (quality-of-service) with Helm deployments, it’s recommended to set requests equal to limits for allocated memory units and to set requests only with no limits set for allocated CPU units.

  • It’s not recommended to set less than 1 CPU unit for any container. Less than this could result in unexpected behaviour and should only be used in testing scenarios.

  • For the api, catalog, policy, and postgresql service containers, a minimum of 2 CPU units is recommended.

  • For Production use with Helm deployments, it’s recommended to set memory units to a minimum of 16G for the analyzer and policy services and 8G for all other services - where requests equals limits for all services. Less than these values could result in OOM errors or containers restarting unexpectedly.

If you intend on using Kubernetes, the default values.yaml found in the Anchore Enterprise Helm Chart provides some resourcing recommendations to get you started.

Database

The only service dependency strictly required by Anchore Enterprise is a PostgreSQL database (17.x or higher) that all services connect to. The database is centralized simply for ease of management and operation. For an architectural overview, go to Anchore Enterprise Architecture.

For production deployments, Anchore Enterprise does not ship with a database service.

  • Helm: The Anchore Enterprise Helm chart does not include a bundled PostgreSQL database. Provision an external PostgreSQL 17 instance with the pg_cron extension before deploying. This may mean building a custom PostgreSQL 17 image that includes pg_cron and pushing it to a registry your cluster can reach.
  • Docker Compose: The Compose deployment includes a PostgreSQL container, built from a Dockerfile that adds pg_cron automatically. Docker Compose is intended for testing and evaluation only; use an external, managed database for production.

Anchore Enterprise is database-intensive. Depending on the scale of the deployment, hundreds to thousands of concurrent connections may be required. The PostgreSQL database used for Anchore Enterprise should be dedicated and not co-located with any other applications that use a PostgreSQL backend. Anchore Enterprise requires a readable and writable PostgreSQL endpoint; read replica endpoints are not supported at this time.

Anchore Enterprise uses this database to provide persistent storage for image, policy and analysis data. Database storage requirements are based on the number of SBOMs and how long these need to be stored in the active set (i.e. not archived to analysis archive/s3 or deleted). Each SBOM and its respective packages are indexed in the DB, so SBOM complexity also requires increased database storage. Runtime adds a further requirement here.

As an Anchore Enterprise deployment grows (whether through a larger volume of SBOMs, higher analysis throughput, or longer data retention), the database requires proportionally more storage, CPU, and memory. Plan to scale these resources in step with your deployment’s growth.

Shared Memory

Anchore Enterprise ingests SBOMs through PostgreSQL queries that may execute in parallel. PostgreSQL’s parallel workers communicate via dynamic shared memory (/dev/shm on Linux), and ingesting large SBOMs can request 20 MiB or more per query. Ensure the database host has sufficient shared memory available:

  • Kubernetes / Helm: If running PostgreSQL in-cluster, mount a tmpfs volume at /dev/shm of at least 1 GiB on the database container, with 2-4 GiB recommended for high-throughput deployments or when work_mem is tuned above defaults. When using an external managed database, this is handled by your provider.
  • Amazon RDS / Aurora: AWS sizes shared memory per instance class. No customer-side tuning is required, but very small instance classes (for example db.t3.micro) may struggle with large SBOMs under concurrency. Size your instance to your expected SBOM workload.
  • Self-managed PostgreSQL: The Linux tmpfs default (typically half of system RAM) is generally sufficient. If you have explicitly constrained /dev/shm, size it as roughly work_mem × max_parallel_workers_per_gather per concurrent query, with a minimum of 1 GiB.

External Object Store

Configuring an external object store can significantly reduce database size and total cost of ownership (TCO) by offloading analysis data to object storage (for example, Amazon S3).

Network

An Anchore Enterprise deployment requires the following three categories of network access:

  • Service Access
    • Connectivity between Anchore Enterprise services, including access to an external database.
  • Registry Access
    • Network connectivity, including DNS resolution, to the registries from which Anchore Enterprise needs to download images.
  • Anchore Data Service (ADS) Access
    • Anchore Enterprise requires access to the datasets in order to perform analysis and vulnerability matching. See Anchore Enterprise Data Feeds for more information.

Security

Anchore Enterprise is deployed from source repositories or container images that can be run manually using Docker Compose, Kubernetes, or any other supported container platform.

By default, Anchore Enterprise does not require any special permissions. It can be run as an unprivileged container with no access to the underlying Docker host.

Anchore Enterprise can be configured to pull images through the Docker socket. However, this configuration is not recommended, as it grants the Anchore Enterprise container added privileges and may incur a performance impact on the underlying Docker host.

Storage

Anchore Enterprise can be configured to depend on other storage for various artifacts. For full details on storage configuration, see Storage Configuration.

  • Configuration volumes: this volume is used to provide persistent storage to the container from which it will read its configuration files, and optionally - certificates. Requirement: Less than 1MB.
  • [Optional] Scratch space: this temporary storage volume is recommended but not required. During the analysis of images, Anchore Enterprise downloads and extracts all of the layers required for an image. These layers are extracted and analyzed, after which, the layers and extracted data are deleted. If a temporary storage is not configured, then the container’s/worker node’s ephemeral storage will be used to store temporary files. However, performance is likely be improved by using a dedicated volume. Scratch volumes do not need storage redundancy. For further information see Scratch
  • [Optional] Layer cache: another temporary storage volume may also be used for image-layer caching to speed up analysis. This caches image layers for re-use by analyzers when generating an SBOM / analyzing an image. For further information see Layer Caching
  • [Optional] Object Storage and Analysis Archiving: Anchore Enterprise stores image analysis data and policy documents as JSON objects. By default these are stored in PostgreSQL. For larger deployments, the active data set can be offloaded to Amazon S3 or an S3-compatible provider, and completed analyses can be moved to a separate archive to reduce database load. Requirement: approximately 10MB per image. For further information, see Object Storage Configuration and Analysis Archive Configuration.

Anchore Enterprise UI

The Anchore Enterprise UI module interfaces with Anchore API using the external API endpoint. The UI requires access to the Anchore database where it creates its own namespace for persistent configuration storage. Additionally, a Redis database deployed and managed by Anchore Enterprise through the supported deployment mechanisms is used to store session information.

  • Network
    • Ingress
      • The Anchore Enterprise UI module publishes a web UI service by default on port 3000, however, this port can be remapped.
    • Egress
      • The Anchore Enterprise UI module requires access to three network services at the minimum:
        • External API endpoint (typically port 8228)
        • Redis Database (typically port 6379)
        • PostgreSQL Database (typically port 5432)
  • Redis Service
    • Version 7.4.6 or higher

Optimize Your Deployment

Optimizing your Anchore Enterprise deployment on Kubernetes, involves various strategies to enhance performance, reliability, and scalability. Here are some key tips:

  • Ensure that your Analyzer, API, Catalog, and Policy service containers have adequate CPU and memory resources. Each service has reference recommendations which can be found in the Anchore Enterprise chart values.yaml.
  • Each pod can make between 30 and 100 connections to the database so ensure max_connections is set appropriately (at least 500).
  • Integrate with monitoring tools like Prometheus and Grafana to monitor key metrics like CPU, memory usage, analysis times, and feed sync status. You can also Set up alerts for critical thresholds. Follow our guide on Prometheus and Grafana setup Monitoring guides
  • For large deployments, it is good practice to Schedule regular vacuuming, indexing, and performance tuning to keep the database running efficiently.
  • Layer caching in Docker can significantly speed up the image build process by reusing layers that haven’t changed, reducing build times and improving efficiency. Follow our guide on Layer Caching setup
  • Ensure you enable reporting data egress.
  • Keep in mind Anchore Enterprise supports tenancy by means of Accounts. We suggest at a minimum creating an account besides the admin account to use for normal Anchore Enterprise tasks.

Next Steps

If you feel you have a solid grasp of the requirements for deploying Anchore Enterprise, we recommend following one of our installation guides.

2 - Deploy using Docker Compose

In this topic, you’ll learn how to use Docker Compose to get up and running with a stand-alone Anchore Enterprise deployment.

Before moving further with Anchore Enterprise, it is highly recommended to read the Overview sections to gain a deeper understanding of fundamentals, concepts, and proper usage.

Prerequisites and System Requirements

The following instructions assume you are using a system running Docker Engine v20.10 or later, have access to APT resources, and a version of Docker Compose that supports at least v2 of the Compose configuration format.

  • A stand-alone deployment requires at least 32GB of RAM and enough disk space available to support the largest container images or source repositories that you intend to analyze. It is recommended to consider three times the largest source repository or container image size. We suggest at least 40GB of disk space, the more the better.
  • To access Anchore Enterprise, you need a valid license.yaml file that has been issued to you by Anchore Customer Success. If you do not have a license yet, visit the Anchore Contact page to request one.
  • You need root or sudo access to the system where you will be running docker and deploying Anchore Enterprise, all commands in this document are run as root.

External Database Requirements


Get Started

Follow the steps below to get up and running!

Step 1: Authenticate with the Official Anchore Registry

You’ll need authenticated access to the anchore/enterprise and anchore/enterprise-ui repositories on Docker Hub to pull the images. The Anchore Account or Customer Success team will provide a Docker Hub PAT (Personal Access Token) for access to images. Log in with your Docker PAT to push and pull images from Docker Hub:

docker login -u <your_dockerhub_pat_user> -p <your_dockerhub_pat>

Step 2: Set Up the Deployment Directory

Create a dedicated project directory to store your configuration files, system license, and database variables. Subsequent steps assume you are working from this directory.

mkdir anchore-enterprise && cd anchore-enterprise

Step 3: Download the Deployment Files

Download the Docker Compose file and the Dockerfile database into your working directory, alongside the license file you received from Anchore. You may need to rename that file to license.yaml.

  1. Place your license.yaml file in the working directory:

    cp /path/to/your/license.yaml ./license.yaml
    
  2. Download the official Anchore Enterprise v6.0 Docker Compose configuration file:

    curl -sSfL https://docs.anchore.com/current/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yaml
    
  3. Download the Dockerfile used to build the v6.0-compatible Anchore database:

    curl -sSfL https://docs.anchore.com/current/docs/deployment/docker_compose/Dockerfile.anchore-db > Dockerfile.anchore-db
    

Step 4: Configure Secrets

Edit docker-compose.yaml to set the deployment secrets. Several of the variables ship commented out and must be uncommented and given a value, while others ship with a default. The secrets fall into two groups, configured in different services.

Database password — set this on the anchore-db service only:

VariableDescription
POSTGRES_PASSWORDThe password PostgreSQL initializes with. Set on the anchore-db service only. ANCHORE_DB_PASSWORD (below) must be set to this same value.

For example, the environment block of the anchore-db service looks like this:

# Inside docker-compose.yaml (anchore-db service)
environment:
  - POSTGRES_PASSWORD=mysecretpassword

Anchore Enterprise service secrets — set these on every Anchore Enterprise service, but not on the anchore-db service. Each value must be identical across all of those services:

VariableDescription
ANCHORE_ADMIN_PASSWORDStrong password for the Anchore Enterprise admin account.
ANCHORE_AUTH_SECRETShared authentication secret used for internal service communication.
ANCHORE_DB_PASSWORDDatabase password the Anchore Enterprise services use to connect to PostgreSQL. Must match POSTGRES_PASSWORD above.

For example, the environment block of each Anchore Enterprise service should look like this:

# Inside docker-compose.yaml (Anchore Enterprise services, not anchore-db)
environment:
  - ANCHORE_ADMIN_PASSWORD=<YourSecureAdminPasswordHere>
  - ANCHORE_AUTH_SECRET=<YourSecureAuthSecretHere>
  - ANCHORE_DB_PASSWORD=<YourSecureDBPasswordHere>

Step 5: Start the Deployment

Start your environment from the working directory. This builds the database image and starts Anchore Enterprise:

docker compose up -d
[+] up 14/14
 ✔ Network anchore-6000_default               Created                      0.4s
 ✔ Container anchore-6000-anchore-db-1        Healthy                      43.5s
 ✔ Container anchore-6000-ui-redis-1          Healthy                      43.6s
 ✔ Container anchore-6000-queue-1             Healthy                      37.3s
 ✔ Container anchore-6000-catalog-1           Healthy                      43.4s
 ✔ Container anchore-6000-reports_worker-1    Started                      43.3s
 ✔ Container anchore-6000-analyzer-1          Started                      42.8s
 ✔ Container anchore-6000-notifications-1     Started                      43.3s
 ✔ Container anchore-6000-component-catalog-1 Started                      43.3s
 ✔ Container anchore-6000-reports-1           Started                      42.8s
 ✔ Container anchore-6000-api-1               Healthy                      53.6s
 ✔ Container anchore-6000-data-syncer-1       Healthy                      48.4s
 ✔ Container anchore-6000-policy-engine-1     Started                      48.7s
 ✔ Container anchore-6000-ui-1                Started                      54.0s

Step 6: Install AnchoreCTL

anchorectl is the native CLI utility used to manage and orchestrate Anchore Enterprise.

In this step, we’ll install the lightweight Anchore Enterprise client tool, quickly test it using the version operation, and set up a few environment variables to allow it to interact with your deployment using the admin password you set during configuration.

Download and Install the Binary

Run the curl command below to download anchorectl and install it into your /usr/local/bin directory, which should be in your $PATH:

curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh \
  | sh -s -- -b /usr/local/bin v6.0.0

Verify AnchoreCTL Installation

Run the following command to validate the version of anchorectl:

anchorectl version
Application:        anchorectl
Version:            6.0.0
SyftVersion:        v1.43.0
BuildDate:          2026-06-12T00:00:00Z
GitCommit:          f7604438b45f7161c11145999897d4ae3efcb0c8
GitDescription:     v6.0.0
Platform:           linux/amd64
GoVersion:          go1.23.0
Compiler:           gc

Expose Environment Variables

Configure your shell session to connect to your local Docker Compose runtime by exporting the appropriate access credentials:

export ANCHORECTL_URL="http://localhost:8228"
export ANCHORECTL_USERNAME="admin"
export ANCHORECTL_PASSWORD="<YOUR_ADMIN_PASSWORD>"

To persist these settings for future terminal sessions, append these lines to your shell profile (~/.bashrc or ~/.zshrc).

Step 7: Verify Service Availability

After a few minutes (depending on system speed) Anchore Enterprise and Anchore UI services should be up and running, ready to use. You can verify the containers are running with docker compose, as shown in the following example.

docker compose ps
NAME                               IMAGE                                                 COMMAND                  SERVICE             CREATED         STATUS                   PORTS
anchore-6000-analyzer-1            docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   analyzer            2 minutes ago   Up 2 minutes (healthy)   8228/tcp
anchore-6000-anchore-db-1          anchore-6000-anchore-db                               "docker-entrypoint.s…"   anchore-db          2 minutes ago   Up 2 minutes (healthy)   5432/tcp
anchore-6000-api-1                 docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   api                 2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:8228->8228/tcp, [::]:8228->8228/tcp
anchore-6000-catalog-1             docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   catalog             2 minutes ago   Up 2 minutes (healthy)   8228/tcp
anchore-6000-component-catalog-1   docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   component-catalog   2 minutes ago   Up 2 minutes (healthy)   8228/tcp
anchore-6000-data-syncer-1         docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   data-syncer         2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:8778->8228/tcp, [::]:8778->8228/tcp
anchore-6000-notifications-1       docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   notifications       2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:8668->8228/tcp, [::]:8668->8228/tcp
anchore-6000-policy-engine-1       docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   policy-engine       2 minutes ago   Up 2 minutes (healthy)   8228/tcp
anchore-6000-queue-1               docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   queue               2 minutes ago   Up 2 minutes (healthy)   8228/tcp
anchore-6000-reports-1             docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   reports             2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:8558->8228/tcp, [::]:8558->8228/tcp
anchore-6000-reports_worker-1      docker.io/anchore/enterprise-dev:v6.0.0-rc16          "/docker-entrypoint.…"   reports_worker      2 minutes ago   Up 2 minutes (healthy)   8228/tcp
anchore-6000-ui-1                  docker.io/anchore/anchore-on-prem-ui-dev:v6.0.0-rc4   "/docker-entrypoint.…"   ui                  2 minutes ago   Up 2 minutes (healthy)   0.0.0.0:3000->3000/tcp, [::]:3000->3000/tcp
anchore-6000-ui-redis-1            docker.io/library/redis:7.4.6                         "docker-entrypoint.s…"   ui-redis            2 minutes ago   Up 2 minutes (healthy)   6379/tcp

You can then run a command to get the status of the Anchore Enterprise services:

anchorectl system status
 ✔ Status system
┌───────────────────┬────────────────────┬───────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE           │ HOST ID            │ URL                           │ UP   │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├───────────────────┼────────────────────┼───────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ simplequeue       │ anchore-quickstart │ http://queue:8228             │ true │ available      │ 6000       │ 6.0.0       │
│ data_syncer       │ anchore-quickstart │ http://data-syncer:8228       │ true │ available      │ 6000       │ 6.0.0       │
│ reports_worker    │ anchore-quickstart │ http://reports_worker:8228    │ true │ available      │ 6000       │ 6.0.0       │
│ notifications     │ anchore-quickstart │ http://notifications:8228     │ true │ available      │ 6000       │ 6.0.0       │
│ reports           │ anchore-quickstart │ http://reports:8228           │ true │ available      │ 6000       │ 6.0.0       │
│ analyzer          │ anchore-quickstart │ http://analyzer:8228          │ true │ available      │ 6000       │ 6.0.0       │
│ component_catalog │ anchore-quickstart │ http://component-catalog:8228 │ true │ available      │ 6000       │ 6.0.0       │
│ catalog           │ anchore-quickstart │ http://catalog:8228           │ true │ available      │ 6000       │ 6.0.0       │
│ apiext            │ anchore-quickstart │ http://api:8228               │ true │ available      │ 6000       │ 6.0.0       │
│ policy_engine     │ anchore-quickstart │ http://policy-engine:8228     │ true │ available      │ 6000       │ 6.0.0       │
└───────────────────┴────────────────────┴───────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘

You can check the status of your feed sync using AnchoreCTL:

anchorectl feed list
 ✔ List feed                                                                                                                                                                                                                                   
┌────────────────────────────────┬──────────────────────────────────────┬─────────┬─────────────────────────┬──────────────┐
│ FEED                           │ GROUP                                │ ENABLED │ DATA SERVICE BUILD TIME │ RECORD COUNT │
├────────────────────────────────┼──────────────────────────────────────┼─────────┼─────────────────────────┼──────────────┤
│ ClamAV Malware Database        │ clamav_db                            │ true    │ 2026-06-12T18:40:15Z    │ 1            │
│ Vulnerabilities                │ alpine:3.10                          │ true    │ 2026-06-12T13:12:49Z    │ 2363         │
│ Vulnerabilities                │ alpine:3.11                          │ true    │ 2026-06-12T13:12:49Z    │ 2701         │
│ Vulnerabilities                │ alpine:3.12                          │ true    │ 2026-06-12T13:12:49Z    │ 3235         │
│ …                              │ … (additional feed groups omitted) │ …       │ …                       │ …            │
│ Vulnerability Match Exclusions │ anchore:exclusions                   │ true    │ 2026-06-12T18:42:24Z    │ 27568        │
│ STIG Profiles                  │ apache-tomcat-9                      │ true    │ 2026-04-30T06:55:55Z    │ 1            │
│ STIG Profiles                  │ nginx                                │ true    │ 2026-04-30T06:55:55Z    │ 1            │
│ STIG Profiles                  │ rhel8                                │ true    │ 2026-04-30T06:55:55Z    │ 1            │
│ STIG Profiles                  │ rhel9                                │ true    │ 2026-04-30T06:55:55Z    │ 1            │
│ STIG Profiles                  │ ubuntu2204                           │ true    │ 2026-04-30T06:55:55Z    │ 1            │
│ STIG Profiles                  │ ubuntu2404                           │ true    │ 2026-04-30T06:55:55Z    │ 1            │
└────────────────────────────────┴──────────────────────────────────────┴─────────┴─────────────────────────┴──────────────┘

As soon as you see RecordCount values set for all vulnerability groups, the system is fully populated and ready to present vulnerability results. Note that data syncs are incremental, so the next time you start up Anchore Enterprise it will be ready immediately. The AnchoreCTL includes a useful utility that will block until the feeds have completed a successful sync:

anchorectl system wait
 ✔ API available                                                                                        system
 ✔ Services available                        [10 up]                                                    system
 ✔ Vulnerabilities feed ready                                                                           system

Step 8: Verify Functionality and Start Using Anchore Enterprise

Add an image to confirm that analysis works end to end. The --wait flag blocks until analysis completes:

anchorectl image add docker.io/library/alpine:latest --wait
 ✔ Added Image       docker.io/library/alpine:latest
 ✔ Analyzed Image    docker.io/library/alpine:latest
Image:
  status:           analyzed (active)
  tag:              docker.io/library/alpine:latest
  digest:           sha256:1304f174557314a7ed9eddb4eab12fed12cb0cd9809e4c28f29af86979a3c870

Once the image reaches the analyzed state, your deployment is working.

Next, confirm the Anchore Enterprise GUI is reachable before opening it in a browser:

curl -sSf -o /dev/null http://localhost:3000/ && echo "Anchore Enterprise GUI is reachable"
Anchore Enterprise GUI is reachable

If the command prints the success message, point your browser at the Anchore Enterprise GUI at http://localhost:3000/ and log in with the username admin and the ANCHORE_ADMIN_PASSWORD you set in Step 4. If it instead reports a connection error, wait a few moments for the ui service to finish starting and try again.

To put your deployment to work, follow the end-to-end workflows in the documentation:

Next Steps

Now that you have Anchore Enterprise running, you can begin to learn more about Anchore capabilities, architecture, concepts, and more.


Optional Add-ons

Enable Prometheus Monitoring

  1. Uncomment the following section at the bottom of the docker-compose.yaml file:

    #  # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported
    #  prometheus:
    #    image: docker.io/prom/prometheus:latest
    #    depends_on:
    #      - api
    #    volumes:
    #      - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z
    #    logging:
    #      driver: "json-file"
    #      options:
    #        max-size: 100m
    #    ports:
    #      - "9090:9090"
    #
    
  2. For each service entry in the docker-compose.yaml file, enable metrics in the API by changing:

    ANCHORE_ENABLE_METRICS=false
    

    to

    ANCHORE_ENABLE_METRICS=true
    
  3. Download the example Prometheus configuration into the same directory as the docker-compose.yaml file, with the name anchore-prometheus.yml:

    curl https://docs.anchore.com/current/docs/deployment/anchore-prometheus.yml > anchore-prometheus.yml
    docker compose up -d
    

    Result: You should see a new container started, and can access Prometheus via your browser at http://localhost:9090.

Enable Swagger UI

  1. Uncomment the swagger-ui-nginx and swagger-ui services at the bottom of the docker-compose.yaml file (the section is labelled with a “Uncomment this section to run a swagger UI service” comment).

  2. Download the nginx configuration into the same directory as the docker-compose.yaml file, with the name anchore-swaggerui-nginx.conf:

    curl https://docs.anchore.com/current/docs/deployment/anchore-swaggerui-nginx.conf > anchore-swaggerui-nginx.conf
    docker compose up -d
    

    Result: You should see a new container started, and can access Swagger UI via your browser at http://localhost:8080.

2.1 - Deploy Air-Gapped using Docker Compose

Anchore Enterprise can run in an air-gapped environment with no outbound internet access. The only air-gapped-specific work is getting the container images onto the air-gapped network: you pull and build them on an internet-connected system, then move them across. Once the images are in place, deployment follows the standard Docker Compose procedure.

Prerequisites

  • Low side (internet-facing) — the Docker static binary, used only to pull, build, and save images.
  • High side (air-gapped) — Docker Engine/CE and a Docker Compose that supports at least v2 of the Compose configuration format, used to run Anchore Enterprise.

Detailed sizing and other requirements are in Requirements.

Prepare the Images (low side)

  1. Download the current Docker Compose file and the database Dockerfile:

    curl -sSfL https://docs.anchore.com/current/docs/deployment/docker_compose/docker-compose.yaml > docker-compose.yaml
    curl -sSfL https://docs.anchore.com/current/docs/deployment/docker_compose/Dockerfile.anchore-db > Dockerfile.anchore-db
    
  2. Pull the Anchore Enterprise images:

    docker pull docker.io/anchore/enterprise:v6.0.0
    docker pull docker.io/anchore/enterprise-ui:v6.0.0
    docker pull docker.io/redis:7.4.6
    
  3. Build the database image from Dockerfile.anchore-db. This Dockerfile produces the PostgreSQL 17 image with pg_cron that Anchore Enterprise requires; see External Database Requirements for details.

    docker build -f Dockerfile.anchore-db -t anchore:db .
    

Move the Images to the High Side

Choose one of the following. A private container registry is the recommended path; use a local image tarball only if no registry is available on the air-gapped network.

  1. Re-tag the images for your private registry, replacing <registry> with your registry domain (for example, core.harbor.domain):

    docker tag docker.io/anchore/enterprise:v6.0.0 \
      <registry>/anchore/enterprise:v6.0.0
    docker tag docker.io/anchore/enterprise-ui:v6.0.0 \
      <registry>/anchore/enterprise-ui:v6.0.0
    docker tag docker.io/redis:7.4.6 <registry>/redis:7.4.6
    docker tag anchore:db <registry>/anchore:db
    
  2. If the registry is only reachable from the high side, save the tagged images and transfer them across (along with docker-compose.yaml, Dockerfile.anchore-db, and your license.yaml), then load them on the high side:

    # Low side
    docker save -o anchore-airgap-images.tar \
      <registry>/anchore/enterprise:v6.0.0 \
      <registry>/anchore/enterprise-ui:v6.0.0 \
      <registry>/redis:7.4.6 \
      <registry>/anchore:db
    
    # High side
    docker load -i anchore-airgap-images.tar
    
  3. Push the images to your private registry from a system that can reach it:

    docker push <registry>/anchore/enterprise:v6.0.0
    docker push <registry>/anchore/enterprise-ui:v6.0.0
    docker push <registry>/redis:7.4.6
    docker push <registry>/anchore:db
    

Option 2: Local Image Tarball

  1. Save the images to a single archive:

    docker save -o anchore-airgap-images.tar \
      docker.io/anchore/enterprise:v6.0.0 \
      docker.io/anchore/enterprise-ui:v6.0.0 \
      docker.io/redis:7.4.6 \
      anchore:db
    
  2. Transfer the archive — along with docker-compose.yaml, Dockerfile.anchore-db, and your license.yaml — to the high side, then load it:

    docker load -i anchore-airgap-images.tar
    docker images
    

Deploy on the High Side

Besides the images, the air-gapped host needs your docker-compose.yaml and license.yaml in the working directory. You downloaded the Compose file on the low side in Prepare the Images; if you have not already copied it and the license across with the images, do so now. The database is deployed from the pre-built anchore:db image you moved, so there is nothing to build here. Configure the deployment as described in Step 4: Configure Secrets, with two additional air-gapped-specific changes:

Point every image: line at your air-gapped images instead of Docker Hub. Use your private-registry tags for Option 1, or the local names you loaded for Option 2. The enterprise image is referenced by many services (api, catalog, analyzer, policy-engine, and others), so update every instance. The anchore-db service builds its image from the Dockerfile by default, so replace its build: section with a reference to the anchore:db image you built and moved earlier.

For example, the api service ships referencing Docker Hub, and anchore-db builds its image locally:

  api:
    image: docker.io/anchore/enterprise:v6.0.0
  anchore-db:
    build:
      context: .
      dockerfile: Dockerfile.anchore-db

Using a private registry (Option 1), change them to your registry tags:

  api:
    image: <registry>/anchore/enterprise:v6.0.0
  anchore-db:
    image: <registry>/anchore:db

Using local images loaded from the tarball (Option 2), reference the local image names instead:

  api:
    image: anchore/enterprise:v6.0.0
  anchore-db:
    image: anchore:db

Configure the deployment for air-gapped feed handling. Because the deployment cannot reach the Anchore Data Service, you must disable the Data Syncer’s automatic feed sync and then download and import feed bundles manually with AnchoreCTL. Both steps are described in Air-Gapped Feed Configuration.

Once the edits are complete, start the stack as described in Step 5: Start the Deployment.

3 - Deploy on Kubernetes using Helm

The supported method for deploying Anchore Enterprise on Kubernetes is with Helm. The Anchore Enterprise Helm Chart includes configuration options for a full Enterprise deployment.

3.1 - Deploying Anchore Enterprise on Azure Kubernetes Service (AKS)

3.2 - Deploying Anchore Enterprise on Amazon EKS

3.3 - Deploying Anchore Enterprise on Google Kubernetes Engine (GKE)

3.4 - Deploying Anchore Enterprise on OpenShift

4 - Anchore Enterprise Cloud Image

Overview

The Anchore Enterprise Cloud Image (AECI) is a fully functional machine image with an Anchore Enterprise deployment that is pre-configured with the goal of simplifying deployment complexity for our end users.

AECI contains a proprietary tool known as Cloud Image Manager. It allows users to manage their deployment by providing an easy way to install, configure and upgrade. For more information about the Cloud Image Manager, see the Cloud Image Manager.

To get started with deploying Anchore Enterprise Cloud Image, please see AECI - AWS.

Supported Limits

The Cloud Image has the following limits, independent of instance type:

  • 10,000 Image SBOMs
  • Max Image Size is 10 GB
  • 300 Report Executions
  • 100 System Users

Non-supported Features

The Cloud Image does not currently support the following Anchore Enterprise features:

  • Air-gapped Deployment
  • Runtime Inventory
  • Application Groups and Source Code Analysis
  • Windows Image Analysis
  • Legacy Image Archive

To discuss further, contact Anchore Customer Success.

4.1 - Enterprise Cloud Image - Amazon Machine Image (AMI)

Requirements

The baseline supported instance type on Amazon Web Services is the r7a.xlarge. This gives the best mix of performance to cost for running Anchore Enterprise in alignment with the supported system limits.

For more information on Amazon EC2 Instance types Please review the following links

  • AWS Instance Types Overview

  • AWS Pricing Calculator

  • Memory Requirement - Anchore Enterprise Cloud Image (AECI) requires a minimum of 32 GB of memory to operate.

  • Disk Requirement - AECI requires a minimum of 128 GB of disk space for root volume and 1 TB for data volume to operate.

    • Note: The data volume by default will not delete on termination of your AMI.
  • CPU Requirement - AECI requires a minimum of 4 vCPU to operate.

License

The Anchore Enterprise Cloud Image requires a valid license entitlement to operate. The license is provided by Anchore during the purchase process. The license file is required to be uploaded via the Cloud Image Manager during the initial setup. Please have it available before starting the installation process.

EC2 Key Pair Type

Anchore Enterprise Cloud Image is running with FIPS enabled. When creating your Key Pair, you must use an RSA key. The ED25519 key will be rejected as a non-FIPS-compliant algorithm.

Please review the AWS documentation on using Amazon EC2 Key Pairs

Security Group

The Anchore Enterprise Cloud Image requires the following ports to be open in the security group:

  • TCP 22 - SSH
  • TCP 443 - HTTPS
  • TCP 8443 - Grafana

Please review the AWS documentation on Security Groups.

Terminals

Please review the Best Practices for the Cloud Image Manager for the recommended terminal applications to use.

Getting Started

To launch the Anchore Enterprise Cloud Image AMI, please refer to the AWS documentation on Launch an Amazon EC2 instance.

You may also want to review the AWS guide for how to Connect to your EC2 instance.

A quick Demo on getting started with Anchore Enterprise Cloud Image

Once the instance is launched, please review the Cloud Image Manager documentation for the next steps on Accessing the Cloud Image Manager. The Cloud Image Manager will walk you through the preflight checks, configuration, and management of your Anchore Enterprise Cloud Image deployment.

Operations

With AECI up and running, there is some limited feeding and watering required. You’ll want to consider the following activities:

Backups

It is important that you have a backup and restore strategy in place to protect your data. Cloud Image Manager will prompt you to create a snapshot prior to upgrading your Anchore Enterprise Cloud Image or expanding your disks. It is also reasonable for you to consider using AWS Backup and/or creating snapshots of your EBS volume on a regular basis:

Please refer to the AWS documentation on AWS Backup and Amazon EBS Snapshots.

Disk Space

During the course of using the product, you may wish to expand the size of your disks. It is strongly recommended that you create a snapshot of your EBS volume prior to expanding your disks.

Please refer to the AWS documentation on Extend or modify disk volume

Once you have expanded your disk, you will need to resize the filesystem to take advantage of the additional space. Cloud Image Manager provides a utility to resize the filesystem. Please refer to the Cloud Image Manager Configuration Disk Expansion for more information.

Upgrade

Occasionally, Anchore will release updates to the Anchore Enterprise Cloud Image and the subsequent version of Anchore Enterprise shipped with it. The Cloud Image Manager will provide you with upgrades that are available and allow you to determine when you want to upgrade. It is strongly recommended that you create a snapshot of your EBS volume prior to upgrading your Anchore Enterprise Cloud Image.

Please refer to the Cloud Image Manager upgrade documentation for more information.

Getting Support

During operation of Anchore Enterprise Cloud Image, you may require support from Anchore Customer Success. The Cloud Image Manager provides you with a seamless way to generate a support bundle and upload it to Anchore.

Please refer to the Cloud Image Manager Support documentation for more information.

4.2 - Anchore Enterprise Cloud Image Manager

Overview

The Cloud Image Manager is a proprietary tool that allows users to seamlessly manage their Anchore Enterprise Cloud Image deployments. It walks users through the process of installing, configuring, and upgrading their Anchore Enterprise Cloud Image deployment.

Best Practices

The Cloud Image Manager uses Textual (a TUI framework for Python) to provide a terminal-based interface. For your best user experience, please use the following terminal emulators when connecting to the Cloud Image Manager.

Note: We recommend against using the default macOS Terminal application as it may not render the TUI correctly. For more information on why, please see Textual FAQ.

Access the Cloud Image Manager

After your instance is launched, you can access the Cloud Image Manager by connecting to the instance via SSH. Using your private key file used for authentication (likely generated when setting up the instance) and the public IP address of the instance, connect using the following example command:

ssh -i ~/my-keypair.pem [email protected]

Potential Issues

  1. Permissions on key file - If you get a WARNING: UNPROTECTED PRIVATE KEY FILE error, fix it by setting the correct permissions on your key file. Run the following command to set the correct permissions:

    chmod 400 ~/my-keypair.pem
    
  2. Connection Issues - If you experience a Connection Timeout or Host Unreachable error, verify that the instance is running and that the security group allows SSH traffic on port 22.

You should now be connected to the Cloud Image Manager.

Welcome

Preflight Checks

The Cloud Image Manager will perform a series of preflight checks to ensure that the system is ready for installation. These checks include ensuring that the machine image has met memory, disk space, and CPU requirements. If the system does not meet the requirements, the preflight checks will fail and the installation will not proceed.

Initial Install

The Cloud Image Manager will walk you through the initial installation process. At the end of this process, the Cloud Image Manager will provide you with the URL to access the Anchore Enterprise UI as well as your administrator credentials.

Upgrade

The Cloud Image Manager will determine if there are any upgrades available for your Anchore Enterprise Cloud Image deployment. If an upgrade is available, the Cloud Image Manager will walk you through the upgrade process. If downtime is required, the Cloud Image Manager will notify you prior to proceeding. This will allow you to plan for the upgrade when it is convenient for you. It is highly recommended that you take a snapshot of your EBS volume prior to upgrade.

Configuration

The Cloud Image Manager configuration screen allows the following options:

  • Adding and updating the Anchore Enterprise License.
  • Providing any Server Certificates required for TLS access to Anchore Enterprise services.
  • Providing a custom Root Certificate if one is required for your environment.
  • Configuring any optional proxy settings required for your environment.
  • Disk Expansion

Reconfigure Proxy Settings

Changing Proxy settings after completing the installation process currently requires manual intervention for the settings to be fully applied. If you must change the Proxy settings, please contact customer support for assistance.

Expand Disks

The Cloud Image Manager provides a utility to expand the root and data volumes once your virtual hard disk has been increased in size. This step is necessary to take advantage of the additional space. The Cloud Image Manager will shut down Anchore Enterprise during this operation. It is highly recommended that you take a snapshot of your EBS volume prior to any operation that may modify your disk volumes.

System Status

The Cloud Image Manager provides a system status screen that shows the current service and container status of the Anchore Enterprise services. It also provides the list of currently deployed versions of Anchore Enterprise, Anchore Enterprise UI as well as the other infrastructure components that are automatically deployed within the Anchore Enterprise Cloud Image.

System Status

Support

The Cloud Image Manager provides a support screen that allows you to:

  • Generate a support bundle. This will result with the location of the support bundle.
  • Upload a generated support bundle. This will be automatically uploaded to Anchore. You must create a support ticket and provide the Support Bundle ID and Filename to the support team.
  • As part of the Cloud Image deployment, you have access to Grafana data that is collected for your deployment. This data can be used to monitor the health of your deployment. The Cloud Image Manager provides a link and credentials to access the Grafana dashboard.

Support

5 - Deploying AnchoreCTL

In this section you will learn how to deploy and configure AnchoreCTL, the Anchore Enterprise Command Line Interface.

AnchoreCTL is published as a simple binary available for download either from your Anchore Enterprise deployment or Anchore’s release site.

Using AnchoreCTL, you can manage and inspect all aspects of your Anchore Enterprise deployments, either as a manual human-readable configuration/instrumentation/control tool or as a CLI that is designed to be used in scripted environments such as CI/CD and other automation environments.

Installation

AnchoreCTL’s major and minor release version coincides with the release version of Anchore Enterprise, however patch versions may differ. For example,

  • Enterprise v6.0.0
  • AnchoreCTL v6.0.0

MacOS / Linux

Download a local (from your Anchore Enterprise deployment) or remote (from Anchore servers) version without installation:

Linux Intel/AMD64 [Local]

curl -X GET "https://my-anchore.example.com/v2/system/anchorectl?operating_system=linux&architecture=amd64" \
  -H "accept: */*" | tar -zx anchorectl

[Remote]

curl -o anchorectl.tar.gz \
  https://anchorectl-releases.anchore.io/anchorectl/v6.0.0/anchorectl_6.0.0_linux_amd64.tar.gz

MacOS Intel/AMD64 [Local]

curl -X GET "https://my-anchore.example.com/v2/system/anchorectl?operating_system=darwin&architecture=amd64" \
  -H "accept: */*"

[Remote]

curl -o anchorectl.tar.gz \
  https://anchorectl-releases.anchore.io/anchorectl/v6.0.0/anchorectl_6.0.0_darwin_amd64.tar.gz

MacOS ARM/M-Series [Local]

curl -X GET "https://my-anchore.example.com/v2/system/anchorectl?operating_system=darwin&architecture=arm64" \
  -H "accept: */*"

[Remote]

curl -o anchorectl.tar.gz \
  https://anchorectl-releases.anchore.io/anchorectl/v6.0.0/anchorectl_6.0.0_darwin_arm64.tar.gz

Windows

For windows, you must specify the version of AnchoreCTL to download if using a script. [Local]

curl -X GET "https://my-anchore.example.com/v2/system/anchorectl?operating_system=windows&architecture=amd64" \
  -H "accept: */*"

[Remote]

curl -o anchorectl.zip \
  https://anchorectl-releases.anchore.io/anchorectl/v6.0.0/anchorectl_6.0.0_windows_amd64.zip

Install a Specific AnchoreCTL Version

Replace <DESTINATION_DIR> with /usr/local/bin (for example)

curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh \
  | sh -s -- -b <DESTINATION_DIR> v6.0.0

Configuration

Once AnchoreCTL has been installed, learn about AnchoreCTL Configuration.