What is Anchore Enterprise
Anchore Enterprise is a software supply chain security platform that uses SBOMs (Software Bills of Materials) to provide continuous visibility, vulnerability detection, policy enforcement, and compliance management for container images, filesystems (including source code repositories, build artifact directories, and mounted VMs), and externally supplied SBOMs. It is designed for organizations that need to secure software at scale across development, CI/CD, and production environments.
Watch: an introduction to Anchore Enterprise v6 and what’s changed since v5.
How Anchore Enterprise Secures the Software Supply Chain
Anchore Enterprise takes a data-driven approach to software supply chain security. At the core of every operation is a high-fidelity SBOM that captures detailed metadata about software components, dependencies, licenses, file permissions, and more. This SBOM becomes the foundation for all downstream security analysis — see SBOMs for what an SBOM is in the context of Anchore Enterprise and the full set of uses a stored SBOM supports.
Organize SBOMs into Apps and Versions
Anchore Enterprise organizes SBOM data around a three-level hierarchy:
- App — a piece of software you ship or host (a service, a product line, a microservice).
- Version — a point-in-time release of an app.
- Asset — a concrete artifact analyzed and attached to a version: a container image, a filesystem, or an externally supplied SBOM document.
A version aggregates packages, vulnerabilities, and policy results across every asset it contains, so a release made up of multiple components produces one unified vulnerability and compliance surface. See Apps for how to model your software and Add Assets to an App Version for the asset-attachment workflow.
Container images can also be analyzed in a standalone image catalog without being attached to an app, which fits ad-hoc CI gating and image-level workflows. See Scan a Container Image for the image-scope path.
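The hierarchy above, modelled as an added example (not Anchore Enterprise code): three assets attached to one version, with the version-level view computed as the union of packages and the de-duplicated set of findings across those assets. Asset names, package versions and the `EX-` vulnerability identifiers are constructed placeholders.

```python
from dataclasses import dataclass, field

# Added example, not Anchore Enterprise code: a minimal model of the
# App -> Version -> Asset hierarchy and of the version-level aggregation.
# Package names, asset names and vulnerability identifiers are constructed.

@dataclass(frozen=True)
class Finding:
    vuln_id: str      # placeholder identifier, not a real CVE
    package: str
    version: str
    severity: str

@dataclass
class Asset:
    name: str         # image reference, directory, or SBOM file name
    kind: str         # "image", "filesystem" or "sbom"
    packages: set     # {(name, version), ...}
    findings: list    # [Finding, ...]

@dataclass
class Version:
    name: str
    assets: list = field(default_factory=list)

    def packages(self) -> set:
        """Union of packages across every asset in the version."""
        out = set()
        for asset in self.assets:
            out |= asset.packages
        return out

    def findings(self) -> dict:
        """One entry per distinct finding, with the assets that carry it, so a
        vulnerability shared by several components is counted once."""
        merged = {}
        for asset in self.assets:
            for f in asset.findings:
                merged.setdefault(f, []).append(asset.name)
        return merged

@dataclass
class App:
    name: str
    versions: dict = field(default_factory=dict)

    def add_version(self, version: Version) -> None:
        self.versions[version.name] = version

def build_sample_app() -> App:
    """Constructed release made of two images and one supplied SBOM."""
    shared = Finding("EX-0001", "openssl", "3.0.2", "High")
    api = Asset("registry.example/api:1.4.0", "image",
                {("openssl", "3.0.2"), ("libcurl", "7.81.0")}, [shared])
    worker = Asset("registry.example/worker:1.4.0", "image",
                   {("openssl", "3.0.2"), ("zlib", "1.2.11")},
                   [shared, Finding("EX-0002", "zlib", "1.2.11", "Medium")])
    ui = Asset("ui-1.4.0.cdx.json", "sbom", {("lodash", "4.17.20")},
               [Finding("EX-0003", "lodash", "4.17.20", "Critical")])
    app = App("billing")
    app.add_version(Version("1.4.0", [api, worker, ui]))
    return app

if __name__ == "__main__":
    version = build_sample_app().versions["1.4.0"]
    print(f"{len(version.packages())} distinct packages across {len(version.assets)} assets")
    for finding, carriers in version.findings().items():
        print(f"{finding.vuln_id} {finding.package} {finding.severity}: {', '.join(carriers)}")
```

The point of keying the merged view by the finding itself is that the openssl issue present in both images shows up once at the version level, with both carriers listed, instead of inflating the count.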
Generate and Store SBOMs
Anchore Enterprise automatically generates SBOMs when analyzing container images or filesystem artifacts. Filesystem analysis covers source code repositories, build artifact directories, mounted VMs, and any other directory tree the AnchoreCTL filesystem analyzer can read. SBOMs can be generated server-side (centralized analysis) or locally on a CI runner using AnchoreCTL (distributed analysis). Anchore Enterprise stores all SBOMs in a centralized repository and re-evaluates them as vulnerability data is updated, so a new vulnerability in an already-deployed artifact is surfaced without re-scanning that artifact. SBOMs can be exported in industry-standard formats including SPDX and CycloneDX.
Identify Vulnerabilities and Security Risks
Using the SBOM, Anchore Enterprise matches software components against multiple vulnerability data sources, including the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and vendor-specific feeds for distributions such as RHEL, Debian, Ubuntu, and Alpine. A precision matching algorithm selects the most authoritative data source for each component (for example, the distribution's own advisory data for an OS package, which reflects backported fixes that a version-range match against NVD alone would miss), reducing both false positives and false negatives. Anchore Enterprise also enriches vulnerability data with EPSS (Exploit Prediction Scoring System) scores and CISA KEV (Known Exploited Vulnerabilities) status. The computed Anchore Score, a composite multi-factor risk index, ranks vulnerabilities by risk so that remediation can be prioritized.
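To make the source-selection and enrichment step concrete, here is an added example that is not Anchore's matcher and does not reproduce the Anchore Score formula. The feeds, package versions, EPSS values, KEV membership and `EX-` identifiers are all constructed, the version comparison is a deliberately crude placeholder, and the composite `risk` value is an illustrative weighting chosen for this example only. What it shows is the mechanism: an OS package is checked against its distribution's fix status first, a language package against GHSA, and only otherwise against NVD, after which EPSS and KEV drive the ordering.

```python
import re

# Added example, not Anchore Enterprise code. All feed data, identifiers,
# scores and the composite risk formula below are constructed for illustration.

def vkey(version: str) -> tuple:
    """Crude ordering on the leading numeric components of a version string.
    Placeholder only: real deb/rpm/apk and ecosystem schemes need their own rules."""
    return tuple(int(x) for x in re.findall(r"\d+", version))

# NVD-style records: vulnerable when installed version < fixed_in.
NVD = {
    "openssl":  [{"id": "EX-0001", "fixed_in": "3.0.3",   "severity": "High"}],
    "lodash":   [{"id": "EX-0002", "fixed_in": "4.17.21", "severity": "Critical"}],
    "requests": [{"id": "EX-0003", "fixed_in": "2.31.0",  "severity": "Medium"}],
}
# Distro-style records keyed by (distro, package): the vendor's fix status for
# its own package build, which may carry a backported fix at an older upstream version.
DISTRO = {
    ("ubuntu:22.04", "openssl"): [{"id": "EX-0001", "fixed_in": "3.0.2-0ubuntu1.9", "severity": "Medium"}],
}
# GHSA-style records for language ecosystems.
GHSA = {
    "lodash": [{"id": "EX-0002", "fixed_in": "4.17.21", "severity": "High"}],
}
EPSS = {"EX-0001": 0.02, "EX-0002": 0.71, "EX-0003": 0.001}   # constructed probabilities
KEV = {"EX-0002"}                                              # constructed KEV membership
SEV_WEIGHT = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}
OS_TYPES = {"deb", "rpm", "apk"}
ECOSYSTEM_TYPES = {"npm", "python", "gem", "java"}

def match(component: dict) -> list:
    """Choose the most authoritative source for the component, then check it."""
    name, ver = component["name"], component["version"]
    distro = component.get("distro")
    if component["type"] in OS_TYPES and (distro, name) in DISTRO:
        records, source = DISTRO[(distro, name)], "distro"
    elif component["type"] in ECOSYSTEM_TYPES and name in GHSA:
        records, source = GHSA[name], "ghsa"
    else:
        records, source = NVD.get(name, []), "nvd"
    return [
        {"id": r["id"], "package": name, "version": ver, "severity": r["severity"],
         "source": source, "fix": r["fixed_in"]}
        for r in records if vkey(ver) < vkey(r["fixed_in"])
    ]

def enrich(finding: dict) -> dict:
    """Attach EPSS and KEV, then an illustrative composite (NOT the Anchore Score):
    severity weight scaled by exploit likelihood, plus a flat bonus for KEV entries."""
    f = dict(finding)
    f["epss"] = EPSS.get(f["id"], 0.0)
    f["kev"] = f["id"] in KEV
    f["risk"] = round(SEV_WEIGHT[f["severity"]] * (1 + f["epss"]) + (3 if f["kev"] else 0), 2)
    return f

def prioritize(components: list) -> list:
    """Match every component, enrich each finding, and order by descending risk."""
    findings = [enrich(f) for c in components for f in match(c)]
    return sorted(findings, key=lambda f: f["risk"], reverse=True)

# Constructed SBOM excerpt. The openssl build already carries the distro's
# backported fix, so NVD alone would report it but the distro feed clears it.
SAMPLE_COMPONENTS = [
    {"name": "openssl",  "version": "3.0.2-0ubuntu1.10", "type": "deb",    "distro": "ubuntu:22.04"},
    {"name": "lodash",   "version": "4.17.20",           "type": "npm",    "distro": None},
    {"name": "requests", "version": "2.25.0",            "type": "python", "distro": None},
]

if __name__ == "__main__":
    for f in prioritize(SAMPLE_COMPONENTS):
        print(f"{f['risk']:5} {f['id']} {f['package']} {f['version']} "
              f"{f['severity']} src={f['source']} epss={f['epss']} kev={f['kev']} fix={f['fix']}")
```

Run as-is, the openssl package is not reported because the distribution feed says the installed build is already fixed, while the lodash finding comes from GHSA at the severity GHSA assigns and sorts first because it is both likely to be exploited and on the KEV list. The same two decisions, which source is authoritative and which enrichment data drives ordering, are what the product's matcher and the Anchore Score automate.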
Beyond vulnerabilities, Anchore Enterprise detects malware using ClamAV signatures, identifies embedded secrets and credentials, and flags misconfigurations.
Enforce Compliance with Policy-as-Code
Anchore Enterprise includes a policy engine that evaluates SBOMs and their associated scan results against customizable rules. Policies use a gate-and-trigger model where gates define categories of checks (vulnerabilities, licenses, file permissions, secrets, metadata) and triggers define specific conditions within each gate. Policy evaluations return pass, warn, or fail results that can be used to gate CI/CD pipelines, block non-compliant deployments via Kubernetes admission control, or generate compliance reports.
Anchore Enterprise ships with pre-built policy packs mapped to industry standards including NIST 800-53, FedRAMP, CIS Benchmarks, and DoD requirements.
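As an added example of the gate-and-trigger model, the evaluator below is a simplified stand-in written for this page, not the Anchore Enterprise policy engine. The rule objects follow the `gate` / `trigger` / `action` / `params` shape of an Anchore policy rule, but only three gate/trigger pairs are implemented, the parameter names are assumptions for this example, and the scan results are constructed. The final action is the most severe action among the rules that fired, mapped onto the pass/warn/fail vocabulary a CI job consumes.

```python
# Added example, not the Anchore Enterprise policy engine. Rule shape mirrors
# gate / trigger / action / params; evaluator, parameter names and scan data
# are constructed and simplified for illustration.

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
COMPARE = {">=": lambda a, b: a >= b, ">": lambda a, b: a > b, "=": lambda a, b: a == b}
ACTION_ORDER = {"GO": 0, "WARN": 1, "STOP": 2}
STATUS = {"GO": "pass", "WARN": "warn", "STOP": "fail"}

def params(rule: dict) -> dict:
    return {p["name"]: p["value"] for p in rule.get("params", [])}

def trigger_vuln_package(rule: dict, scan: dict) -> list:
    """vulnerabilities/package: fire on findings at or above a severity,
    optionally only when a fix is available."""
    p = params(rule)
    threshold = SEVERITY_RANK[p.get("severity", "high").lower()]
    cmp = COMPARE[p.get("severity_comparison", ">=")]
    only_fixed = p.get("fix_available", "false").lower() == "true"
    return [
        f'{v["id"]} in {v["package"]} ({v["severity"]}, fix: {v["fix"] or "none"})'
        for v in scan["vulnerabilities"]
        if cmp(SEVERITY_RANK[v["severity"].lower()], threshold) and (not only_fixed or v["fix"])
    ]

def trigger_secret(rule: dict, scan: dict) -> list:
    """secret_scans/content_regex_checks: fire on every secret hit in the scan."""
    return [f'secret pattern {s["rule"]} matched in {s["path"]}' for s in scan["secrets"]]

def trigger_license_denylist(rule: dict, scan: dict) -> list:
    """licenses/denylist: fire on packages whose license is in the denylist."""
    denied = {x.strip() for x in params(rule).get("licenses", "").split(",") if x.strip()}
    return [f'{pkg["name"]} is licensed {pkg["license"]}'
            for pkg in scan["packages"] if pkg["license"] in denied]

TRIGGERS = {
    ("vulnerabilities", "package"): trigger_vuln_package,
    ("secret_scans", "content_regex_checks"): trigger_secret,
    ("licenses", "denylist"): trigger_license_denylist,
}

def evaluate(policy: dict, scan: dict) -> dict:
    """Run every rule; an unknown gate/trigger is an error rather than a silent pass."""
    hits, final = [], "GO"
    for rule in policy["rules"]:
        fn = TRIGGERS.get((rule["gate"], rule["trigger"]))
        if fn is None:
            raise ValueError(f"unsupported gate/trigger {rule['gate']}/{rule['trigger']}")
        for detail in fn(rule, scan):
            hits.append({"gate": rule["gate"], "trigger": rule["trigger"],
                         "action": rule["action"], "detail": detail})
            if ACTION_ORDER[rule["action"]] > ACTION_ORDER[final]:
                final = rule["action"]
    return {"status": STATUS[final], "final_action": final, "hits": hits}

# Constructed policy: block fixable high+ vulns and any secret, warn on medium+
# vulns and on a denylisted license.
SAMPLE_POLICY = {"rules": [
    {"gate": "vulnerabilities", "trigger": "package", "action": "STOP",
     "params": [{"name": "severity_comparison", "value": ">="}, {"name": "severity", "value": "high"},
                {"name": "fix_available", "value": "true"}]},
    {"gate": "vulnerabilities", "trigger": "package", "action": "WARN",
     "params": [{"name": "severity_comparison", "value": ">="}, {"name": "severity", "value": "medium"}]},
    {"gate": "secret_scans", "trigger": "content_regex_checks", "action": "STOP"},
    {"gate": "licenses", "trigger": "denylist", "action": "WARN",
     "params": [{"name": "licenses", "value": "GPL-3.0-only"}]},
]}

# Constructed scan results for one asset (placeholder identifiers, not real CVEs).
SAMPLE_SCAN = {
    "vulnerabilities": [
        {"id": "EX-0002", "package": "lodash", "severity": "High", "fix": "4.17.21"},
        {"id": "EX-0003", "package": "requests", "severity": "Medium", "fix": None},
    ],
    "secrets": [],
    "packages": [{"name": "readline", "license": "GPL-3.0-only"},
                 {"name": "lodash", "license": "MIT"}],
}

if __name__ == "__main__":
    result = evaluate(SAMPLE_POLICY, SAMPLE_SCAN)
    print(result["status"], result["final_action"])
    for h in result["hits"]:
        print(f'  {h["action"]:4} {h["gate"]}/{h["trigger"]}: {h["detail"]}')
```

Two details worth copying into any real gate: an unsupported gate/trigger raises instead of being skipped, so a typo in a rule cannot quietly turn a STOP into a pass, and the final action is the worst rule that fired, so a WARN rule can never mask a STOP hit elsewhere in the same bundle.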
Monitor Runtime Environments
Anchore Enterprise integrates with Kubernetes and Amazon ECS to maintain a real-time inventory of container images running in production. The Kubernetes Inventory Agent and ECS Inventory Agent report running workloads back to Anchore Enterprise, enabling continuous policy evaluation and vulnerability monitoring of live deployments. Combined with the Kubernetes Admission Controller, organizations can prevent non-compliant images from being deployed.
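The reconciliation those agents make possible, written here as an added example rather than the agents' or admission controller's own code: inventory reports of what is running are joined against the catalog of analyzed images by digest, not by tag, so a re-pushed tag is caught as drift, and the same lookup yields an admission decision. Catalog entries, digests, cluster and namespace names, and the namespace-exemption parameter are all constructed for this example.

```python
# Added example, not code from the Anchore inventory agents or admission
# controller. Catalog, inventory, digests and the exemption option are constructed.

CATALOG = {
    # analyzed image digest -> latest policy result (placeholder digests)
    "sha256:0001": {"tag": "registry.example/api:1.4.0",    "policy": "pass"},
    "sha256:0002": {"tag": "registry.example/worker:1.4.0", "policy": "fail"},
    "sha256:0003": {"tag": "registry.example/ui:1.3.9",     "policy": "pass"},
}

INVENTORY = [
    # constructed agent reports: one entry per running container image
    {"cluster": "prod-east", "namespace": "billing", "tag": "registry.example/api:1.4.0",    "digest": "sha256:0001"},
    {"cluster": "prod-east", "namespace": "billing", "tag": "registry.example/worker:1.4.0", "digest": "sha256:0002"},
    # same tag as an analyzed image but a different digest: the tag was re-pushed
    {"cluster": "prod-east", "namespace": "web",     "tag": "registry.example/ui:1.3.9",     "digest": "sha256:0099"},
    {"cluster": "prod-west", "namespace": "tools",   "tag": "registry.example/debug:latest", "digest": "sha256:0042"},
]

def classify(item: dict, catalog: dict) -> str:
    """State of one running image: pass / fail / tag_drift / unanalyzed."""
    rec = catalog.get(item["digest"])
    if rec is not None:
        return rec["policy"]
    known_tags = {r["tag"] for r in catalog.values()}
    return "tag_drift" if item["tag"] in known_tags else "unanalyzed"

def reconcile(inventory: list, catalog: dict) -> dict:
    """Group every running image by its reconciliation state."""
    report = {"pass": [], "fail": [], "tag_drift": [], "unanalyzed": []}
    for item in inventory:
        report[classify(item, catalog)].append(item)
    return report

def admit(item: dict, catalog: dict, exempt_namespaces=()) -> tuple:
    """Admission decision: allow only digests that were analyzed and pass
    policy, unless the namespace is explicitly exempt (constructed option)."""
    if item["namespace"] in exempt_namespaces:
        return True, "namespace exempt from admission policy"
    state = classify(item, catalog)
    if state == "pass":
        return True, "analyzed and passing policy"
    return False, f"denied: image is {state}"

if __name__ == "__main__":
    for state, items in reconcile(INVENTORY, CATALOG).items():
        for it in items:
            print(f"{state:10} {it['cluster']}/{it['namespace']} {it['tag']} {it['digest']}")
    for it in INVENTORY:
        print(admit(it, CATALOG))
```

Keying on the digest is the security-relevant choice: the `ui:1.3.9` entry is running with a digest the catalog has never seen, which a tag-based join would have reported as passing.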
Key Components
| Component | Description |
|---|---|
| Anchore Enterprise API | RESTful API (v2) providing all platform capabilities for automation and integration |
| Anchore Enterprise GUI | Web-based interface for managing apps, versions, and assets — plus policies, reports, and system configuration |
| AnchoreCTL | Go-based CLI tool for interacting with Anchore Enterprise, with built-in SBOM generation via Syft |
| Anchore Data Service | Hosted service providing vulnerability databases, malware signatures, EPSS data, and STIG profiles |
Learn More
- SBOMs for the foundational concept Anchore Enterprise is built around
- Anchore Enterprise Capabilities for a detailed breakdown of features
- Architecture Overview for the service-level architecture
- Core Concepts for foundational concepts like SBOMs, images, policies, and remediation
- Anchore Data Service for vulnerability data sources and synchronization