Anchore Enforce - Compliance Management
Anchore Enterprise gives security and platform teams a consistent, scalable way to enforce software standards across repositories, SBOMs, and container images — from development through production.
It supports the full compliance lifecycle, from policy authoring to enforcement and audit, including:
- Defining policies and rules that govern what is acceptable in a software artifact
- Mapping policies to artifacts to control which policies apply to which repositories, SBOMs, or images
- Managing exceptions and overrides to handle edge cases and reduce noise
- Evaluating and enforcing compliance across CI/CD pipelines, registries, and runtime environments
Policies Turn Findings into Decisions
Anchore Enterprise uses policies to translate SBOM analysis into actionable compliance outcomes. Once an artifact has been analyzed, a policy evaluates it and produces a Pass or Fail verdict — giving CI/CD pipelines, admission controllers, and security teams a clear, consistent signal to act on.
Policies are reusable and account-scoped, with multiple policies supported per account — making them suitable for enforcing consistent standards across teams, artifact types, and deployment environments.
Define Compliance Policies
Anchore Enterprise provides a flexible policy engine that allows organizations to define compliance rules tailored to their security and regulatory requirements.
Policies are structured around gates and triggers:
- Gates group checks into broad categories such as vulnerabilities, secrets, licenses, file permissions, and Dockerfile configuration — the full gate set is available for container image rule sets; source repository and SBOM rule sets support the Vulnerabilities gate only
- Triggers define specific conditions to check within a gate, with configurable actions (STOP, WARN, GO)
To accelerate compliance adoption, Anchore Enterprise provides pre-built policy packs mapped to common regulatory frameworks. The Secure policy pack is included and enabled in every deployment; all other policy packs are available on request from Anchore Customer Success.
- Secure — the default policy pack included in every Anchore Enterprise deployment
- FedRAMP — validates against FedRAMP Vulnerability Scanning Requirements and NIST 800-53 Rev 5 and NIST 800-190 controls
- NIST — covers NIST 800-53 and NIST 800-190 (Application Container Security Guide)
- CIS — based on the CIS Docker Benchmark for container image security
- DoD — validates against DISA Image Creation and Deployment Guide and IronBank requirements
Anchore Enterprise also provides STIG evaluation support for organizations subject to formal government security configuration requirements. STIG evaluations can be performed against container images and running Kubernetes containers, and require an additional license entitlement.
Map Policies to Artifacts
Anchore Enterprise uses policy mappings to control which policies and allowlists are applied to which artifacts during evaluation.
You can:
- Define mapping rules per artifact type — source repositories, SBOMs, and container images each have their own mapping configuration
- Use wildcard rules to apply policies broadly across registries, repositories, or tags
- Specify which policy and which allowlists to use for each mapping match
Manage Exceptions and Overrides
Anchore Enterprise provides mechanisms to suppress or override policy findings without modifying the underlying policy rules.
You can:
- Define allowlists that exclude specific findings — such as a CVE — from policy evaluation
- Attach multiple allowlists to a single policy for granular exception management
- Configure allowed and denied image lists to unconditionally pass or fail specific images regardless of policy content
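The three mechanisms above (gate/trigger rules with STOP, WARN and GO actions, policy mappings with wildcards, and allowlists plus allowed/denied image lists) combine into a single Pass/Fail verdict. The following is an added example that models that decision flow in plain Python; it is not Anchore's engine, policy bundle format, or API, and every policy id, image reference and finding id in it is constructed (the CVE-style ids are placeholders, not real CVEs). The data model, the first-match mapping order, and the fail-closed handling of an unmapped image are assumptions made for the illustration.

```python
"""Toy model of policy-driven compliance decisions (added example, not Anchore's engine).
Rules pair a gate/trigger with an action (STOP/WARN/GO); mappings pick a policy plus allowlists
per image by registry/repository/tag wildcard; allowed/denied image lists short-circuit it."""
from dataclasses import dataclass, field
from fnmatch import fnmatchcase

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ACTION_RANK = {"GO": 0, "WARN": 1, "STOP": 2}

@dataclass(frozen=True)
class Finding:
    gate: str               # e.g. "vulnerabilities", "dockerfile"
    trigger: str            # e.g. "package", "effective_user"
    finding_id: str         # e.g. "<CVE id>+<package>"; placeholder ids are used below
    severity: str = "negligible"

@dataclass(frozen=True)
class Rule:
    gate: str
    trigger: str
    action: str             # STOP | WARN | GO
    min_severity: str = ""  # empty: fire on every finding of this gate/trigger
    def matches(self, f: Finding) -> bool:
        return (self.gate, self.trigger) == (f.gate, f.trigger) and (
            not self.min_severity
            or SEVERITY_RANK.get(f.severity, -1) >= SEVERITY_RANK[self.min_severity])

@dataclass(frozen=True)
class Mapping:              # fnmatch-style wildcards; the first matching mapping wins
    registry: str
    repository: str
    tag: str
    policy_id: str
    allowlist_ids: tuple = ()

@dataclass
class Bundle:
    policies: dict                      # policy_id -> [Rule]
    allowlists: dict                    # allowlist_id -> {(gate, trigger, finding_id)}
    mappings: list
    allowed_images: set = field(default_factory=set)
    denied_images: set = field(default_factory=set)

def split_image_ref(ref: str) -> tuple:
    """'registry/repo/path:tag' -> (registry, 'repo/path', tag); tag defaults to 'latest'."""
    registry, path = ref.split("/", 1)
    repository, _, tag = path.rpartition(":")
    return (registry, repository, tag) if repository else (registry, path, "latest")

def select_mapping(bundle: Bundle, ref: str):
    parts = split_image_ref(ref)
    for m in bundle.mappings:
        if all(map(fnmatchcase, parts, (m.registry, m.repository, m.tag))):
            return m
    return None

def evaluate(bundle: Bundle, ref: str, findings: list) -> dict:
    """Pass/fail verdict for one image, with the finding ids that drove it."""
    result = {"image": ref, "verdict": "pass", "reason": "", "stop": [], "warn": [], "allowlisted": []}
    if ref in bundle.denied_images:       # image lists override policy content entirely
        return {**result, "verdict": "fail", "reason": "denied_image"}
    if ref in bundle.allowed_images:
        return {**result, "reason": "allowed_image"}
    mapping = select_mapping(bundle, ref)
    if mapping is None:                   # fail closed: an unmapped image never passes silently
        return {**result, "verdict": "fail", "reason": "no_mapping"}
    result["reason"] = "policy:" + mapping.policy_id
    excluded = set().union(*(bundle.allowlists.get(a, set()) for a in mapping.allowlist_ids))
    for f in findings:
        actions = [r.action for r in bundle.policies[mapping.policy_id] if r.matches(f)]
        if not actions:
            continue                      # no rule in the mapped policy covers this finding
        if (f.gate, f.trigger, f.finding_id) in excluded:
            result["allowlisted"].append(f.finding_id)
            continue
        worst = max(actions, key=ACTION_RANK.__getitem__)   # STOP beats WARN beats GO
        if worst != "GO":
            result[worst.lower()].append(f.finding_id)
    result["verdict"] = "fail" if result["stop"] else "pass"
    return result

def demo_bundle() -> Bundle:
    return Bundle(
        policies={"prod-policy": [Rule("vulnerabilities", "package", "STOP", "high"),
                                  Rule("vulnerabilities", "package", "WARN", "medium"),
                                  Rule("dockerfile", "effective_user", "STOP")],
                  "default-policy": [Rule("vulnerabilities", "package", "WARN", "high")]},
        allowlists={"prod-exceptions": {("vulnerabilities", "package", "CVE-EXAMPLE-0001+openssl")}},
        mappings=[Mapping("registry.example.com", "payments/*", "*", "prod-policy", ("prod-exceptions",)),
                  Mapping("*", "*", "*", "default-policy")],
        allowed_images={"registry.example.com/tools/scratch-base:1.0"},
        denied_images={"registry.example.com/payments/legacy:2019"})

# Constructed findings, shaped like what analysis would hand to the policy step.
API_FINDINGS = [Finding("vulnerabilities", "package", "CVE-EXAMPLE-0001+openssl", "high"),  # allowlisted
                Finding("vulnerabilities", "package", "CVE-EXAMPLE-0002+zlib", "medium"),   # WARN
                Finding("vulnerabilities", "package", "CVE-EXAMPLE-0003+curl", "low")]      # no rule
WORKER_FINDINGS = API_FINDINGS + [Finding("dockerfile", "effective_user", "root")]        # STOP
```

Running `evaluate(demo_bundle(), "registry.example.com/payments/worker:3.0", WORKER_FINDINGS)` yields a fail verdict driven by the `effective_user` STOP rule, while the allowlisted high-severity finding is reported under `allowlisted` rather than `stop`; the same API image evaluated against the payments mapping passes with one WARN. A CI step that gates on the result only needs to map `verdict == "pass"` to exit status 0 and anything else to a non-zero status. Note the interaction worth remembering: an allowlist entry silences a finding for every rule that would have fired on it, so each entry should name one specific finding (gate, trigger and id) rather than a whole gate.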
Enforce and Monitor Compliance
Anchore Enterprise enables organizations to assess compliance continuously and integrate enforcement into automated workflows.
You can:
- Use the Evaluation Preview feature to test a policy against an image before enforcing it, verifying mappings and rule behavior
- Enforce compliance in CI/CD pipelines using anchorectl image check or the REST API to gate deployments on policy outcomes
- Manage policies across accounts, with multiple policies supported per account for audit and historical comparison
- Detect SBOM drift by triggering policy violations when SBOM content changes between builds of the same image tag
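SBOM drift detection compares the package inventory of a new build against the inventory last recorded for the same image tag. The following is an added example, not Anchore's drift trigger or its SBOM handling: it parses two constructed CycloneDX-style documents, keys packages by their version-less purl, and reports packages that were added, removed, or shipped at a different version. The image tag, package names and versions are all constructed sample data.

```python
"""Package-inventory drift between builds that share an image tag (added example; the
comparison is modelled here and is not Anchore's drift trigger). The SBOMs are constructed
CycloneDX-style JSON: a components list with name, version and purl."""
import json

PREVIOUS_SBOM = json.dumps({"components": [
    {"name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"},
    {"name": "zlib1g", "version": "1.3", "purl": "pkg:deb/debian/zlib1g@1.3"},
    {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
]})
CURRENT_SBOM = json.dumps({"components": [
    {"name": "openssl", "version": "3.0.15", "purl": "pkg:deb/debian/openssl@3.0.15"},
    {"name": "zlib1g", "version": "1.3", "purl": "pkg:deb/debian/zlib1g@1.3"},
    {"name": "curl", "version": "8.5.0", "purl": "pkg:deb/debian/curl@8.5.0"},
]})

def inventory(sbom_json: str) -> dict:
    """Map each component's identity (purl without its version) to the version shipped."""
    inv = {}
    for c in json.loads(sbom_json).get("components", []):
        identity = c["purl"].split("@", 1)[0]   # "pkg:deb/debian/openssl@3.0.13" -> "...openssl"
        inv[identity] = c["version"]
    return inv

def diff_inventories(prev: dict, cur: dict) -> list:
    """Drift findings: packages added, removed, or shipped at a different version."""
    findings = []
    for pkg in sorted(set(cur) - set(prev)):
        findings.append({"kind": "added", "package": pkg, "version": cur[pkg]})
    for pkg in sorted(set(prev) - set(cur)):
        findings.append({"kind": "removed", "package": pkg, "version": prev[pkg]})
    for pkg in sorted(set(prev) & set(cur)):
        if prev[pkg] != cur[pkg]:
            findings.append({"kind": "changed", "package": pkg, "from": prev[pkg], "to": cur[pkg]})
    return findings

class DriftTracker:
    """Remembers the last inventory seen per tag; a re-analysis of that tag reports drift."""
    def __init__(self):
        self._last = {}
    def analyze(self, tag: str, sbom_json: str) -> list:
        inv = inventory(sbom_json)
        previous = self._last.get(tag)
        self._last[tag] = inv
        return [] if previous is None else diff_inventories(previous, inv)

if __name__ == "__main__":
    t = DriftTracker()
    t.analyze("registry.example.com/payments/api:1.4", PREVIOUS_SBOM)   # first build: nothing to compare
    print(t.analyze("registry.example.com/payments/api:1.4", CURRENT_SBOM))
```

The first analysis of a tag records a baseline and reports nothing; the second reports three findings for the sample data (curl added, requests removed, openssl changed from 3.0.13 to 3.0.15). Each finding can then be treated like any other gate finding, with an action chosen per drift kind: a removed or downgraded package is usually worth a STOP on an immutable tag, while a patch-level upgrade is often only a WARN.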