Anchore STIG for Container Images

The Anchore Enterprise STIG capability requires an additional license entitlement. Please contact Anchore Customer Success for more information.

Introduction

The Anchore STIG for Container Images feature is intended to allow users to perform STIG evaluations against container images and then manage them from within Anchore Enterprise. The STIG evaluation can be generated by using an AnchoreCTL workflow, described below. AnchoreCTL will generate a STIG evaluation using the cinc-auditor tool and a specified STIG profile.

Performing STIG checks

STIG evaluations can be generated using an AnchoreCTL workflow.

Prerequisites of running STIG checks locally

AnchoreCTL STIG evaluations are performed locally and as such there are some dependencies that must be present.

Docker - Install docs
Cinc Auditor - Install docs
AnchoreCTL - Install docs
Anchore Static STIG AddOn entitlement - This is a static entitlement that must be added to your Anchore license and enabled on your Anchore Enterprise deployment. Please contact your Anchore Customer Success Team to obtain your entitlement.
The AnchoreCTL instance much be running on a linux host or a linux container that has access to the docker socket.
At this time a route for /exp/ to API (along with the existing /v2/ and /version/) is required.

STIG profiles

Anchore provides a set of STIG profiles that can be used to perform STIG evaluations against container images. You may also use any STIG profile that is compatible with cinc-auditor.

Anchore provides the following OS STIG profiles:

ubi8
ubi9
ubuntu2204
ubuntu2404

Before these profiles can be used, they need to be writen to disk in an accessible location for subsequent AnchoreCTL invocations to reach.

anchorectl image stig write-profiles <PATH_TO_WRITE_PROFILES> [--include-experimental]

This could be a one time operation in some persistent storage for CI use.
For an air-gapped deployment, this command must have connectivity with your Anchore Enterprise deployment. These profiles can be written to disk on a ‘connected’ device and then transferred as needed.

Anchore also provides an option to include experimental profiles that are not yet fully supported.

Generating STIG evaluations

There are two methods of generating a STIG evaluation.

Image Add Workflow
- To perform a STIG evaluation as part of the image add command you must pass in the --stig flag as well as --stig-profile with the path to the STIG profile you want to use. Example:
```
anchorectl image add docker.io/redhat/ubi8:latest --stig --stig-profile ./stig-profiles/ubi8/anchore-ubi8-disa-stig-1.0.0.tar.gz
```
Independent STIG evaluation
- Perform a STIG evaluation on an existing image that is already in the analyzed state. Use the anchorectl image stig run command. You must provide the fully qualified image reference when using the run command to ensure that the correct image is pulled locally to STIG. Example:
```
anchorectl image stig run docker.io/redhat/ubi8:latest@sha256:3e6410626323e6f11af16b28b8e73faa4799fe0dbdb4b1cfbf6f029c34b038f3 --stig-profile ./writeTEST/ubi8/anchore-ubi8-disa-stig-1.0.0.tar.gz
```

Managing STIG evaluations

AnchoreCTL provides commands to manage STIG evaluations that have been uploaded to your Anchore Enterprise deployment. You can list, download, delete and add STIG evaluations for a specific image digest.

Uploading new STIG evaluations can be done using the anchorectl image stig add command. This command allows you to upload a STIG evaluation for a specific image digest. If using the same profile, the new STIG evaluation will overwrite the existing one when specifying the evaluation UUID of the existing evaluation. Example:

anchorectl image stig add docker.io/redhat/ubi8:latest@sha256:3e6410626323e6f11af16b28b8e73faa4799fe0dbdb4b1cfbf6f029c34b038f3 ./ubi8-stig-evaluation.json --stig-eval-uuid 12345678-1234-1234-1234-123456789012

STIG Compliance

Anchore Enterprise also provides STIG policy gate and triggers to ensure that your images are compliant. For more information on how to use the STIG policy gate, please see the STIG Policy Gate documentation.

STIG Metrics

For monitoring purposes, Anchore Enterprise has included a set of metrics that can be used to monitor STIG evaluations.

anchore_stig_image_counts - Number of images with STIG evaluations uploaded
anchore_stig_counts - Total number of STIG evaluations uploaded

For more information on Prometheus metrics, please see the Prometheus documentation.

Last modified August 22, 2025