Compliance Management via Policy Enforcement
Anchore Enterprise gives security and platform teams a consistent, scalable way to enforce software standards across container images, SBOMs, and the apps that contain them — from development through production.
It supports the full compliance lifecycle, from policy authoring to enforcement and audit, including:
- Defining policies and rules that govern what is acceptable in a software artifact
- Mapping policies to artifacts to control which policy applies to which images or SBOMs
- Managing exceptions to handle edge cases and reduce noise
- Evaluating compliance against both individual container images and the app versions that aggregate them
Policies Turn Findings into Decisions
Anchore Enterprise uses policies to translate SBOM analysis into actionable compliance outcomes. Once an artifact has been analyzed, a policy evaluates it and produces a Pass or Fail verdict — giving CI/CD pipelines, admission controllers, and security teams a clear, consistent signal to act on.
Policies are reusable and account-scoped, with multiple policies supported per account — making them suitable for enforcing consistent standards across teams, artifact types, and deployment environments.
Define Compliance Policies
Anchore Enterprise provides a flexible policy engine that lets organizations define compliance rules tailored to their security and regulatory requirements. Policies are structured around gates and triggers:
- Gates group checks into broad categories such as packages, vulnerabilities, secrets, licenses, file permissions, and Dockerfile configuration. The full gate set is available for container-image rule sets; at this time, SBOM rule sets only support the Vulnerabilities gate.
- Triggers define specific conditions to check within a gate, with configurable actions (STOP, WARN, GO).
To accelerate compliance adoption, Anchore Enterprise provides pre-built policy packs mapped to common regulatory frameworks. The Secure policy pack ships with every Anchore Enterprise deployment. The NIST and CIS packs require the Anchore Enforce license entitlement; the FedRAMP and DoD packs require Anchore Enforce plus an additional pack-specific add-on.
- Secure — the default policy pack included in every deployment
- FedRAMP — validates against FedRAMP Vulnerability Scanning Requirements and NIST 800-53 Rev 5 and NIST 800-190 controls
- NIST — covers NIST 800-53 and NIST 800-190 (Application Container Security Guide)
- CIS — based on the CIS Docker Benchmark for container image security
- DoD — validates against DISA Image Creation and Deployment Guide and IronBank requirements
For policy CRUD — creating, listing, updating, activating, and deleting policies — see Manage Policies.
Map Policies to Artifacts
Anchore Enterprise uses policy mappings to control which policies and allowlists are applied to which artifacts during evaluation.
You can:
- Define mapping rules per artifact type — container images and SBOMs each have their own mapping configuration
- Use wildcard rules to apply policies broadly across registries, repositories, or tags
- Specify which policy and which allowlists to use for each mapping match
Manage Exceptions
Anchore Enterprise provides mechanisms to suppress or override policy findings without modifying the underlying policy rules. The two mechanisms live together under Exceptions:
- Define allowlists that exclude specific findings — such as a CVE — from policy evaluation. Multiple allowlists can be attached to a single policy for granular exception management.
- Configure allowed and denied image lists to unconditionally pass or fail specific images regardless of policy content.
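The following Python is an added illustration, not Anchore's code or bundle schema, of how the gate/trigger rules, the policy mappings and the allowlists described in the three sections above combine into a single Pass/Fail verdict. The bundle shape, registry name, CVE ids and trigger ids are constructed sample values; the STOP/WARN/GO actions and the gate and trigger names are the ones this page names.

```python
from fnmatch import fnmatch
SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}
# Constructed bundle in a simplified shape (an assumption, not Anchore's schema): rules are
# gate/trigger pairs with an action, allowlist items are (gate, trigger_id) pairs, mappings are tried in order.
BUNDLE = {
    "policies": {"prod": [
        {"gate": "vulnerabilities", "trigger": "package", "severity": "high", "action": "STOP"},
        {"gate": "dockerfile", "trigger": "instruction", "action": "WARN"},
        {"gate": "secret_scans", "trigger": "content_regex_checks", "action": "STOP"},
    ]},
    "allowlists": {"accepted-risk": {("vulnerabilities", "CVE-0000-0001+openssl")}},
    "mappings": [{"registry": "registry.example.com", "repository": "*", "tag": "*",
                  "policy": "prod", "allowlists": ["accepted-risk"]}],
}

def select_mapping(bundle, registry, repository, tag):
    """Return the first mapping whose registry/repository/tag globs all match, else None."""
    image = {"registry": registry, "repository": repository, "tag": tag}
    for m in bundle["mappings"]:
        if all(fnmatch(image[k], m[k]) for k in image):
            return m
    return None

def evaluate(bundle, registry, repository, tag, findings):
    """Return (status, final_action, rows). findings are dicts with gate, trigger, trigger_id
    and, for vulnerabilities, severity. A fired rule whose (gate, trigger_id) is allowlisted is
    downgraded to GO; only a remaining STOP fails the image, so a WARN-only result still passes."""
    mapping = select_mapping(bundle, registry, repository, tag)
    if mapping is None:
        raise ValueError("no policy mapping matches this image")
    allowed = set().union(*(bundle["allowlists"][a] for a in mapping["allowlists"]))
    rows = []
    for f in findings:
        for rule in bundle["policies"][mapping["policy"]]:
            if (rule["gate"], rule["trigger"]) != (f["gate"], f["trigger"]):
                continue
            if "severity" in rule and SEVERITY[f["severity"]] < SEVERITY[rule["severity"]]:
                continue  # below this rule's severity threshold, so the rule does not fire
            action = "GO" if (f["gate"], f["trigger_id"]) in allowed else rule["action"]
            rows.append((f["gate"], f["trigger"], f["trigger_id"], action))
    final = max((r[3] for r in rows), key=["GO", "WARN", "STOP"].index, default="GO")
    return ("fail" if final == "STOP" else "pass", final, rows)

# Constructed findings: an allowlisted critical CVE, a medium CVE below the STOP threshold,
# and a Dockerfile check that the policy only warns on (expected: pass with final action WARN).
FINDINGS = [
    {"gate": "vulnerabilities", "trigger": "package", "trigger_id": "CVE-0000-0001+openssl", "severity": "critical"},
    {"gate": "vulnerabilities", "trigger": "package", "trigger_id": "CVE-0000-0002+zlib", "severity": "medium"},
    {"gate": "dockerfile", "trigger": "instruction", "trigger_id": "instruction_USER_not_exists"},
]
```

Adding one more high-severity CVE that no allowlist covers flips the same image to a STOP and a fail, which is the behaviour a CI gate keys on.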
Evaluate Policy Compliance
Anchore Enterprise evaluates policies in two scopes — pick the one that matches how your team organizes software. See Evaluate Policy Compliance for the comparison and worked walkthroughs.
- App-version-scoped — evaluate a policy against every asset attached to an app version, with results aggregated and a single per-version status returned. This is the v6-native surface for teams that have adopted the apps/versions/assets model.
- Image-scoped — evaluate a policy against a single analyzed container image. The image is identified by digest, and the result returns a Pass / Fail verdict together with the per-trigger findings. This is the long-standing evaluation surface and remains fully supported in v6.
Both modes are integrated into CI/CD pipelines using AnchoreCTL or the REST API to gate deployments on policy outcomes.
Specialized Frameworks
Anchore Enterprise also provides two specialized compliance features that sit alongside the policy engine:
- STIG — Security Technical Implementation Guide evaluation against analyzed container images. STIG evaluation requires an additional license entitlement.
- SBOM Drift — detects when SBOM content changes between successive builds of the same image tag and surfaces the drift through the tag_drift gate.