ServiceNow

This documentation serves as a comprehensive reference for integrating Anchore Enterprise with ServiceNow’s Container Vulnerability Response (CVR) module. This integration enables organizations to “hydrate” ServiceNow with Anchore security data, allowing teams to utilize their established vulnerability grouping, reporting, and remediation workflows for containerized assets.

Overview and Release Information

Anchore provides a dedicated plugin that bridges the gap between Anchore Enterprise scans and ServiceNow Security Operations (SecOps).

Availability: Accessible via GitHub for licensed Anchore customers.
Version Support: Available as of Anchore Enterprise 5.0.
Source Code: https://github.com/anchore/servicenow (private)

Anchore SNOW Integrations

Anchore currently focuses on the Security Operations (SecOps) side of the ServiceNow platform:

  • ServiceNow Container Vulnerability Response (CVR)
    Vulnerabilities identified in container images are pulled into ServiceNow CVR via the Anchore CVR plugin.

  • ServiceNow IT Service Management (ITSM)
    Anchore does not currently provide a native SNOW ITSM integration for automatic ticket generation.


Installation and Setup

Prerequisites

Ensure the following ServiceNow applications are active before installation:

  • Vulnerability Response
  • Vulnerability Response and Configuration Compliance for Containers
  • Vulnerability Response Integration with NVD

Deployment Steps

The integration is installed directly from GitHub into the ServiceNow Studio application:

  1. Select Import from Source Control
  2. URL: https://github.com/anchore/servicenow/
  3. Branch: snow_import (fully bundled application)
  4. Credentials:
    • Create a GitHub Personal Access Token
    • In ServiceNow, navigate to Connections & Credentials > Credentials
    • Create a new Basic Auth Credential
      • Username: GitHub username
      • Password: Personal Access Token

Architecture: Anchore ServiceNow Integration

The integration hydrates ServiceNow’s Container Vulnerability Response module with Anchore Enterprise scan results.

Reference: https://docs.servicenow.com/en-US/bundle/vancouver-security-management/page/product/vulnerability-response/concept/vuln_integrations.html


Theory of Operation: Integration Overview

The integration relies on JavaScript-based scripts to move data from the Anchore API into ServiceNow tables.

1. Integration Script (Data Retrieval)

The Integration Script handles the initial handshake and data preparation:

  • Queries ServiceNow for images with a known image_digest
  • Compares them against Anchore API summary (/v2/summaries/image-tags)
  • Processes images in batches (default: 50)
  • Retrieves full vulnerability and ancestry data (including base image layers)
  • Uses image digest for matching
  • Bundles merged vulnerability and metadata into a JSON document
  • Attaches JSON to a ServiceNow Import Set

2. Processor Script (Data Ingestion)

Once the JSON attachment is created, the Processor Script automatically ingests the data:

  • Iterates through JSON per image digest
  • Retrieves vulnerability IDs and package metadata
  • Uses CMDB Lookup Rule to link findings to cmdb_ci_docker_image
  • Creates Container Vulnerable Items (CVITs)
  • Updates first found and last found timestamps based on Anchore detectedAt data
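
The digest matching, batching and first found / last found handling described in the two script sections above, as an added example that is not the plugin's own code and runs in plain Node.js without ServiceNow Glide APIs. The object shapes, function names and the rule that first found is the earliest detectedAt and last found the latest are assumptions; only image_digest and detectedAt come from this page.

```javascript
'use strict';
// Added illustration, not plugin code. Object shapes are assumed; only the
// names image_digest and detectedAt come from the page.

// Integration side: keep CMDB images whose digest Anchore also reports, then batch.
function planBatches(snowImages, anchoreSummaries, batchSize = 50) {
  if (!Number.isInteger(batchSize) || batchSize < 1) throw new RangeError('bad batch size');
  const known = new Set(anchoreSummaries.map((s) => s.image_digest));
  const seen = new Set();
  const matched = [];
  for (const { image_digest: d } of snowImages) {
    if (!d || !known.has(d) || seen.has(d)) continue; // no digest, unknown, or duplicate
    seen.add(d);
    matched.push(d);
  }
  const batches = [];
  for (let i = 0; i < matched.length; i += batchSize) {
    batches.push(matched.slice(i, i + batchSize));
  }
  return batches;
}

// Processor side: one item per digest + vulnerability + package. Assumption:
// first_found is the earliest detectedAt seen, last_found the latest.
function ingest(store, doc) {
  for (const [digest, findings] of Object.entries(doc)) {
    for (const f of findings) {
      const t = Date.parse(f.detectedAt);
      if (Number.isNaN(t)) continue; // unusable timestamp: skip rather than guess
      const key = `${digest}|${f.vuln}|${f.package}`;
      const item = store.get(key);
      if (!item) {
        store.set(key, { first_found: t, last_found: t });
      } else {
        item.first_found = Math.min(item.first_found, t);
        item.last_found = Math.max(item.last_found, t);
      }
    }
  }
  return store;
}

// Constructed sample data (placeholder digests and vulnerability id).
const snowImages = ['sha256:aaa', 'sha256:bbb', '', 'sha256:ccc', 'sha256:aaa']
  .map((d) => ({ image_digest: d }));
const anchoreSummaries = ['sha256:aaa', 'sha256:ccc', 'sha256:ddd']
  .map((d) => ({ image_digest: d }));
const finding = (detectedAt) => ({ vuln: 'VULN-EXAMPLE-1', package: 'openssl', detectedAt });
```

Images without a digest, images Anchore does not report, and duplicate CMDB records drop out before batching, so a re-import of the same digest updates the existing item instead of creating a second one.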

Detailed Data Flow

Data Import into ServiceNow

  • Anchore data imported into ServiceNow Vulnerability Response
  • Vulnerability data merged with image metadata
  • Images matched by digest

Vulnerability Item Creation

  • Vulnerability data compared against existing ServiceNow records
  • If a match is found, a Vulnerable Item (VI) is created or updated

Configuration Settings

The following settings are configured within the Anchore Integration module in ServiceNow:

Setting: Description

  • Anchore API: Full URL (including port) of the Anchore Enterprise instance
  • MID Server: MID server used for communication between ServiceNow and Anchore
  • SNOW Image List: Encoded Glide Query to filter images from cmdb_ci_docker_image
  • Add Missing Repos?: If TRUE, creates new repositories in CMDB if absent
  • Batch Size: Number of images processed per Import Set (default: 50)

Performance Tuning

Batch Size Optimization

Adjust the batch size so that the following remain balanced (recommended ~5 minutes per batch):

  • REST API processing time
  • Import queue processing time

MID Server Considerations

Because requests are synchronous:

  • MID server load directly impacts speed
  • High-scale deployments (10,000+ images) may require:
    • Increasing mid.eccq.max_payload_size
    • Disabling glide.http.outbound.max_timeout.enabled

ServiceNow Integration Documentation

ServiceNow Vulnerability Response Container Integration Implementation Guide (JavaScript):

https://docs.servicenow.com/en-US/bundle/vancouver-security-management/page/product/vulnerability-response/concept/vuln_integrations.html

Last modified February 20, 2026