Anchore STIG for Kubernetes Containers

The Anchore Enterprise STIG capability requires an additional license entitlement. Please contact Anchore Customer Success for more information.

Introduction

The Anchore STIG for Kubernetes Containers feature is intended to allow users to perform STIG evaluations against running containers in a Kubernetes deployment. The STIG evaluation can be generated by using an AnchoreCTL workflow, described below. AnchoreCTL will generate a STIG evaluation using the cinc-auditor tool and a specified STIG profile.

Performing STIG checks

STIG evaluations can be generated using an AnchoreCTL workflow.

Prerequisites of running STIG checks locally

AnchoreCTL STIG evaluations are performed locally and as such there are some dependencies that must be present where anchorectl is invoked.

AnchoreCTL - Install docs
Cinc Auditor - Install docs
Cinc Auditor train-k8s-container plugin - Install docs
Kubectl - Install docs
- A valid KUBECONFIG must be present in the default path $HOME/.kube/config, exposed via the KUBECONFIG environment variable, or you must be running in a Kubernetes job that has cluster access via a service account
Anchore Runtime STIG AddOn entitlement - This is a static entitlement that must be added to your Anchore license and enabled on your Anchore Enterprise deployment. Please contact your Anchore Customer Success Team to obtain your entitlement.

STIG Profiles

Anchore provides a set of STIG profiles that can be used to perform STIG evaluations against container images. You may also use any STIG profile that is compatible with cinc-auditor.

Anchore provides the following OS STIG profiles:

ubi8
ubi9
ubuntu2204
ubuntu2404

Before these profiles can be used, they need to be writen to disk in an accessible location for subsequent AnchoreCTL invocations to reach.

anchorectl stig write-profiles <PATH_TO_WRITE_PROFILES> [--include-experimental]

This could be a one time operation in some persistent storage for CI use. For an air-gapped deployment, this command must have connectivity with your Anchore Enterprise deployment. These profiles can be written to disk on a ‘connected’ device and then transferred as needed.

Anchore also provides an option to include experimental profiles that are not yet fully supported.

Generating STIG Evaluations

In order to generate a STIG evaluation of a Kubernetes Container you must call the anchorectl stig k8s container execute command, with the profile you wish to use. You must provide at minimum the namespace and pod of the container you wish to evaluate. If a pod contains more than one container then you must also specify the container with the --container flag.

Example:

anchorectl stig k8s container execute my-namespace my-pod --stig-profile ./stig-profiles/ubi8/anchore-ubi8-disa-stig-1.0.0.tar.gz

Last modified September 5, 2025