Policy Packs
Policy packs are pre-built policies that map to common regulatory frameworks. Each pack ships as a complete bundle — rule sets, mappings, and allowlists — ready to import, customize, and activate against your account.
The Secure pack ships with every Anchore Enterprise deployment. The remaining packs require additional license entitlements:
| Pack | Frameworks covered | Entitlement |
|---|---|---|
| Secure | Anchore’s default checks — feed data availability, low and moderate vulnerabilities with fixes, and critical-severity vulnerabilities | Included with every deployment |
| NIST | NIST 800-53 and NIST 800-190 (Application Container Security Guide) | Anchore Enforce |
| CIS | CIS Docker Benchmark | Anchore Enforce |
| FedRAMP | FedRAMP Vulnerability Scanning Requirements, NIST 800-53 Rev 5, NIST 800-190 | Anchore Enforce plus the FedRAMP add-on |
| DoD | DISA Image Creation and Deployment Guide, IronBank requirements | Anchore Enforce plus the DoD add-on |
| CMMC | CMMC compliance via NIST 800-171r3 controls | Anchore Enforce |
| ASD Essential 8 | Australian Signals Directorate (ASD) Essential Eight, Maturity Levels 1–3 | Anchore Enforce |
The NIST SSDF sub-pack covers the Secure Software Development Framework (NIST SP 800-218); see the NIST page for how it relates to the broader NIST pack.
How Packs Are Used
Each pack page covers the same workflow: download the bundle, import it into Anchore Enterprise, activate it, and adjust its mappings or allowlists for your environment. The mechanics — anchorectl policy add, the GUI’s Import action, and the POST /policies endpoint — are the same as for any policy. See Manage Policies for the general CRUD workflow.
Packs are a starting point, not a final shape. Most teams customize the pack they import — adjusting mappings to scope the pack to specific registries or repositories, attaching allowlists for known false positives, or layering additional rule sets on top — before activating the result as the account’s default policy.
Last modified June 16, 2026