Anchore Enterprise Architecture

Anchore Enterprise is a distributed application that runs on supported container runtime platforms. The product is deployed as a series of containers that provide services whose functions are made available through APIs. These APIs can be consumed directly via included clients such as the AnchoreCTL and GUI or via out-of-the-box integrations for use with container registries, Kubernetes, and CI/CD tooling. Alternatively, users can interact directly with the APIs for custom integrations.



  • Enterprise API (REST)

    The Enterprise API is the primary RESTful API for Anchore Enterprise and is the one used by the Anchore CLI, GUI, and other plugins. This API is used to upload data such as a software bill of materials (SBOM) and container images, execute functions and retrieve information (SBOM data, vulnerabilities and the results of policy evaluations).The API also exposes the user and account management functions. See Using the Anchore API for more information.

  • Enterprise RBAC Manager API (REST)

    The RBAC manager is the user-facing API for configuring the roles and assigning users to roles in the system. The API served by this component is also RBAC enabled.

  • Reporting APIs (GraphQL and REST)

    The reporting service is fronted by a GraphQL API service that allows for highly customizable queries against the data processed and stored by Anchore Enterprise. The reporting service in the GUI interacts with the same GraphQL API.

There is also an additional RESTful API for retrieving scheduled report results.

Stateful Services

Vulnerability Feed Service

The Anchore Enterprise Feed Service downloads vulnerability data from public sources (OS vendors, NVD, and others), normalizes it in a consistent format, and stores it in a local database. This is the only service that requires internet access and so enables air-gapping of all services outlined below. Data sources are defined by individual drivers that can be enabled or disabled by the user with a download frequency also defined by the user. This data is then used as part of the policy engine when performing vulnerability scanning and can also be queried directly through the Enterprise API. See Anchore Enterprise Feeds for more information.

Policy Engine

The policy engine is responsible for loading an SBOM and associated content and then evaluating it against a set of policy rules. This resulting policy evaluation is then passed to the Catalog service. The policies are stored as a series of JSON documents that can be uploaded and downloaded via the Enterprise API or edited via the GUI.


The catalog is the primary state manager of the system and provides data access to system services from the backend database service (PostgreSQL).


The SimpleQueue is another PostgreSQL-backed queue service that the other components use for task execution, notifications, and other asynchronous operations.



An Analyzer is the component that generates an SBOM from an artifact or source repo (which may be passed through the API or pulled from a registry), performs the vulnerability and policy analysis, and stores the SBOM and the results of the analysis in the organization’s Anchore Enterprise repository. Alternatively the AnchoreCTL client can be used to locally scan and generate the SBOM and then pass the SBOM to the analyzers via the API. Each Analyzer can process one container image or source repo at a time. You can increase the number of Analyzers (within the limits of your contract) to increase the throughput for the system in order to process multiple artifacts concurrently.


AnchoreCLI and AnchoreCTL

There are two command-line clients for use with Anchore Enterprise. AnchoreCLI is the original client written in Python. Its role is to send instructions to the API services of Anchore Enterprise and contains no independent functions. Most functions available in the RESTful APIs are instrumented in anchore-cli.

The successor to AnchoreCLI is AnchoreCTL. This is a Go-based client that is the downstream, supported version of the Syft codebase and can be used to generate an SBOM from a source repo, filesystem, or container image. It can then also be used to upload that content to Anchore Enterprise via the API for further processing by the Analyzers.

AnchoreCTL is the recommended client for developing custom integrations with CI/CD systems or other situations where local processing of content needs to be performed before being passed to the Enterprise API. AnchoreCTL will ultimately include all of the functions provided by anchore-cli.

Anchore Enterprise GUI

The Anchore Enterprise GUI is a front end to the API services and simplifies many of the processes associated with creating policies, viewing SBOMs, creating and running reports, and configuring the overall system (notifications, users, registry credentials, and more).

Kubernetes Admission Controller

The Kubernetes Admission Controller is a plugin that can be used to intercept a container image as it is about to be deployed to Kubernetes. The image is passed to Anchore Enterprise which analyzes it to determine if it meets the organization’s policy rules. The policy evaluation result can then allow, warn, or block the deployment.

Kubernetes Automated Inventory (KAI)

KAI is an agent that creates an ongoing inventory of the images that are running in a Kubernetes cluster. KAI can run inside a Kubenetes cluster (under a service account) or outside (via a Kubeconfig profile) and connects to the Kubernetes API. KAI polls the Kubernetes API on an interval to retrieve a list of container images that are currently in use.

Remote Execution Manager (REM)

REM is an agent that runs inside a container instance. It executes commands in the instance and sends the resulting output back to an Anchore Enterprise API. This agent is currently used to generate data to help enforce STIG compliance for running containers.

Third-Party Plugins

Anchore provides a number of out-of-the-box plugins for CI/CD systems such as Jenkins, CircleCI, and others. These plugins are typically based on AnchoreCtl and allow an SBOM to be generated locally on a CI worker node before being uploaded to Anchore Enterprise for an evaluation.



Accounts in Anchore Enterprise are a boundary that separates data, policies, notifications, and users into a distinct domain. An account can be mapped to a team, project, or application that needs its own set of policies applied to a specific set of content. Users may be granted access to multiple accounts.


Users are local to an account and can have roles as defined by RBAC. Usernames must be unique across the entire deployment to enable API-based authentication requests. Certain users can be configured such that they have the ability to switch context between accounts, akin to a super user account.

Last modified March 22, 2022