What is Anchore Enterprise
Anchore Enterprise is a software supply chain security platform that uses software bills of materials (SBOMs) to provide continuous visibility, vulnerability detection, policy enforcement, and compliance management for container images, source code repositories, and filesystem artifacts. It is designed for organizations that need to secure software at scale across development, CI/CD, and production environments.
How Anchore Enterprise Secures the Software Supply Chain
Anchore Enterprise takes a data-driven approach to software supply chain security. At the core of every operation is a high-fidelity SBOM that captures detailed metadata about software components, dependencies, licenses, file permissions, and more. This SBOM becomes the foundation for all downstream security analysis.
Generate and Store SBOMs
Anchore Enterprise automatically generates SBOMs when analyzing container images or source code. SBOMs can be generated server-side (centralized analysis) or locally on a CI runner using AnchoreCTL (distributed analysis). Anchore Enterprise stores all SBOMs in a centralized repository, enabling continuous monitoring for new vulnerabilities even after deployment. SBOMs can be exported in industry-standard formats including SPDX and CycloneDX.
Identify Vulnerabilities and Security Risks
Using the SBOM, Anchore Enterprise matches software components against multiple vulnerability data sources including the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and vendor-specific feeds for distributions like RHEL, Debian, Ubuntu, Alpine, and more. A precision matching algorithm selects the most accurate data source for each component, reducing false positives and false negatives. Anchore Enterprise also enriches vulnerability data with EPSS (Exploit Prediction Scoring System) scores and CISA KEV (Known Exploited Vulnerabilities) status to help prioritize remediation.
Beyond vulnerabilities, Anchore Enterprise detects malware using ClamAV signatures, identifies embedded secrets and credentials, and flags misconfigurations.
Enforce Compliance with Policy-as-Code
Anchore Enterprise includes a policy engine that evaluates SBOMs and their associated scan results against customizable rules. Policies use a gate-and-trigger model where gates define categories of checks (vulnerabilities, licenses, file permissions, secrets, metadata) and triggers define specific conditions within each gate. Policy evaluations return pass, warn, or fail results that can be used to gate CI/CD pipelines, block non-compliant deployments via Kubernetes admission control, or generate compliance reports.
Anchore Enterprise ships with pre-built policy packs mapped to industry standards including NIST 800-53, FedRAMP, CIS Benchmarks, and DoD requirements.
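A toy evaluator for the gate-and-trigger model described above, added here as an example (it is not Anchore's policy engine): gates group findings by category, triggers are named checks with parameters, and the strongest matched action decides pass, warn or fail. The finding fields, trigger names, the go/warn/stop action names and the EPSS/KEV rule parameters are assumptions made for this illustration.

```python
from dataclasses import dataclass, field

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

@dataclass
class Finding:
    """One scan result tied to an SBOM component (fields assumed for this example)."""
    gate: str                  # category: "vulnerabilities", "secrets", "malware"
    subject: str               # package name or file path
    severity: str = "unknown"
    fix_available: bool = False
    kev: bool = False          # listed in CISA KEV
    epss: float = 0.0          # EPSS exploitation probability, 0..1

@dataclass
class Rule:
    gate: str
    trigger: str               # named check within the gate
    action: str                # "go", "warn" or "stop" (assumed names)
    params: dict = field(default_factory=dict)

def _severity(f, p):
    """Match at or above a minimum severity, optionally only when a fix exists."""
    ranked = SEVERITY_RANK.get(f.severity, -1) >= SEVERITY_RANK[p["min_severity"]]
    return ranked and (f.fix_available or not p.get("fix_available", False))

# Trigger table: (gate, trigger) -> predicate over a finding and the rule params.
TRIGGERS = {
    ("vulnerabilities", "severity"): _severity,
    ("vulnerabilities", "kev"): lambda f, p: f.kev,
    ("vulnerabilities", "epss"): lambda f, p: f.epss >= p["threshold"],
    ("secrets", "present"): lambda f, p: True,
}

def evaluate(findings, rules):
    """Return (status, matches); status is pass/warn/fail by the strongest matched action."""
    matches = [(r, f) for r in rules for f in findings
               if f.gate == r.gate and TRIGGERS[(r.gate, r.trigger)](f, r.params)]
    actions = {r.action for r, _ in matches}
    status = "fail" if "stop" in actions else "warn" if "warn" in actions else "pass"
    return status, matches

# Constructed sample data: findings from one image and a small policy.
SAMPLE_FINDINGS = [
    Finding("vulnerabilities", "openssl", severity="high", fix_available=True, epss=0.42),
    Finding("vulnerabilities", "zlib", severity="medium", kev=True),
    Finding("secrets", "app/config/.env"),
]
SAMPLE_RULES = [
    Rule("vulnerabilities", "severity", "stop", {"min_severity": "high", "fix_available": True}),
    Rule("vulnerabilities", "kev", "stop"),
    Rule("vulnerabilities", "epss", "warn", {"threshold": 0.5}),
    Rule("secrets", "present", "warn"),
]

if __name__ == "__main__":
    print(evaluate(SAMPLE_FINDINGS, SAMPLE_RULES)[0])  # fail: a fixable high CVE and a KEV entry
```

The KEV rule fires on the medium-severity zlib finding even though it would pass the severity rule, which is the prioritization effect the KEV enrichment is meant to give.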
Monitor Runtime Environments
Anchore Enterprise integrates with Kubernetes and Amazon ECS to maintain a real-time inventory of container images running in production. The Kubernetes Inventory Agent and ECS Inventory Agent report running workloads back to Anchore Enterprise, enabling continuous policy evaluation and vulnerability monitoring of live deployments. When this inventory is combined with the Kubernetes Admission Controller, organizations can prevent non-compliant images from being deployed.
Key Components
| Component | Description |
|---|---|
| Anchore Enterprise API | RESTful API (v2) providing all platform capabilities for automation and integration |
| Anchore Enterprise UI | Web-based interface for managing images, policies, reports, and system configuration |
| AnchoreCTL | Go-based CLI tool for interacting with Anchore Enterprise, with built-in SBOM generation via Syft |
| Anchore Data Service | Hosted service providing vulnerability databases, malware signatures, EPSS data, and STIG profiles |
Learn More
- Anchore Enterprise Capabilities for a detailed breakdown of features
- Architecture Overview for the service-level architecture
- Core Concepts for foundational concepts like images, policies, and analysis
- Anchore Data Service for vulnerability data sources and synchronization