Anchore Enterprise Capabilities

Anchore Enterprise provides a comprehensive set of capabilities for securing the software supply chain, from SBOM generation and management through vulnerability remediation and compliance enforcement. It builds on and integrates Anchore’s proven open source tooling, including Syft and Grype.

SBOM Generation

Anchore Enterprise generates SBOMs using Syft, Anchore’s open-source SBOM tool. Both AnchoreCTL (the command-line client) and the server-side Analyzer embed Syft, so SBOMs produced locally on a CI runner, on a developer workstation, or centrally by the Anchore Enterprise deployment are consistent in structure and fidelity.

Two analysis modes are supported:

  • Distributed analysis — AnchoreCTL generates the SBOM locally on a CI runner or workstation and uploads only the resulting SBOM to Anchore Enterprise; image content never leaves the build environment.
  • Centralized analysis — The Analyzer service pulls images from registries, unpacks them, and generates SBOMs server-side. This mode is required for malware scanning, which runs against the unpacked image layers on the server.

See SBOM Generation for detailed workflows.

High-Fidelity SBOM Content

Anchore Enterprise generates SBOMs that include a rich superset of data beyond what standard SBOM formats capture. This additional metadata enables detection of secrets, file permissions issues, misconfigurations, and malware — in addition to standard package identification.

Anchore Enterprise SBOMs identify:

  • Open source and proprietary packages with ecosystem metadata (OS, language, binary)
  • Nested dependencies in archive files (JAR, WAR, EAR, and more)
  • Package details including name, version, creator, and license information
  • Filesystem metadata including file name, size, permissions, creation time, modification time, and hashes
  • Malware and cryptominers (via ClamAV signatures)
  • Embedded secrets, keys, and credentials

Supported Ecosystems

Anchore Enterprise supports the following packaging ecosystems for SBOM content identification:

Operating System Packages: RPM, DEB, APK, Linux kernel archives (vmlinuz), Linux kernel modules (ko)

Language Packages: C/C++ (conan), Dart (pubs), Dotnet (deps.json), Elixir (mix), Erlang (rebar3), Go (go.mod, Go binaries), Haskell (cabal, stack), Java (jar, ear, war, par, sar, nar, native-image), JavaScript (npm, yarn), Jenkins Plugins (jpi, hpi), Nix (outputs in /nix/store), Objective-C (cocoapods), PHP (composer), Python (wheel, egg, poetry, requirements.txt), Ruby (gem), Rust (cargo.lock), Swift (cocoapods, swift-package-manager)

Binary Detection: Apache httpd, BusyBox, Consul, Golang, HAProxy, Helm, Java, Memcached, Node.js, PHP, Perl, PostgreSQL, Python, Redis, Rust, Traefik


SBOM Management

Generated SBOMs — whether produced by Anchore Enterprise or imported from external tooling — are stored in a centralized repository. Anchore Enterprise continuously re-evaluates stored SBOMs as new vulnerability data or policy rules arrive, so existing artifacts do not need to be re-scanned to pick up newly disclosed issues. This storage-first model turns SBOMs from a point-in-time artifact into an ongoing source of insight.

Insights delivered from stored SBOMs include:

  • Vulnerability matching — SBOMs are matched against vulnerability feeds from the Anchore Data Service on every sync cycle, with EPSS and CISA KEV enrichment applied.
  • Policy evaluation — Policies are re-evaluated automatically when the SBOM, the policy, or the underlying data feeds change.
  • Drift detection — Changes between successive SBOMs for the same artifact are surfaced (see below).
  • Secrets, malware, and misconfiguration findings — Rich SBOM metadata drives additional checks beyond CVE matching.
  • Application-level aggregation — Per-image SBOMs roll up into application groups for program-wide visibility.

See SBOM Management for detailed workflows.

SBOM Drift Detection

Anchore Enterprise detects changes in SBOMs between builds — components added, removed, or changed. Policy rules can alert or block deployments when unexpected changes occur, helping identify developer errors, unauthorized modifications, or supply chain attacks. See SBOM Drift for more information.
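The comparison described above, as an added example (this is not Anchore's drift implementation): two Syft-style SBOMs for successive builds are diffed by (package name, package type), and the result is gated the way a drift policy rule would gate it. The SBOMs, the expected-change allowlist, and the package names in them are constructed for the demo; the "xmrig" binary stands in for an unplanned addition.

```python
"""Compare two Syft-style SBOMs and gate a build on unexpected drift.

Added example, not Anchore's code. The two SBOMs are constructed inline with
the subset of Syft JSON fields the comparison needs ("artifacts" entries with
"name", "version", "type"); the allowlist of expected changes is an
assumption for the demo.
"""
import json

# Constructed sample: the previous build's SBOM (Syft JSON shape, trimmed).
PREVIOUS_SBOM = json.loads("""
{"artifacts": [
  {"name": "openssl", "version": "3.0.2-0ubuntu1.10", "type": "deb"},
  {"name": "requests", "version": "2.31.0", "type": "python"},
  {"name": "urllib3", "version": "2.0.7", "type": "python"}
]}
""")

# Constructed sample: the new build's SBOM. openssl was patched, urllib3 was
# removed on purpose, and a binary nobody asked for appeared.
CURRENT_SBOM = json.loads("""
{"artifacts": [
  {"name": "openssl", "version": "3.0.2-0ubuntu1.15", "type": "deb"},
  {"name": "requests", "version": "2.31.0", "type": "python"},
  {"name": "xmrig", "version": "6.21.0", "type": "binary"}
]}
""")


def index_sbom(sbom):
    """Map (name, type) -> version, so the same name in two ecosystems is not conflated."""
    return {(a["name"], a["type"]): a["version"] for a in sbom["artifacts"]}


def sbom_drift(previous, current):
    """Return (added, removed, changed) between two SBOMs.
    added/removed map (name, type) -> version; changed maps to (old, new)."""
    old, new = index_sbom(previous), index_sbom(current)
    added = {k: new[k] for k in new.keys() - old.keys()}
    removed = {k: old[k] for k in old.keys() - new.keys()}
    changed = {k: (old[k], new[k]) for k in old.keys() & new.keys() if old[k] != new[k]}
    return added, removed, changed


def evaluate_drift(previous, current, expected_changes):
    """Gate a build on drift: an addition or removal of a package not named in
    expected_changes is a 'stop'; version changes are surfaced as 'warn'.
    Returns (final_action, findings) where findings are (action, message)."""
    added, removed, changed = sbom_drift(previous, current)
    findings = []
    for (name, ptype), ver in added.items():
        action = "go" if name in expected_changes else "stop"
        findings.append((action, f"added {ptype} package {name} {ver}"))
    for (name, ptype), ver in removed.items():
        action = "go" if name in expected_changes else "stop"
        findings.append((action, f"removed {ptype} package {name} {ver}"))
    for (name, ptype), (old_v, new_v) in changed.items():
        findings.append(("warn", f"{ptype} package {name} changed {old_v} -> {new_v}"))
    actions = {a for a, _ in findings}
    final = "stop" if "stop" in actions else ("warn" if "warn" in actions else "go")
    return final, findings


if __name__ == "__main__":
    result, details = evaluate_drift(PREVIOUS_SBOM, CURRENT_SBOM, {"urllib3"})
    print(result)
    for action, msg in details:
        print(f"  [{action}] {msg}")
```

Keying on (name, type) rather than name alone matters in practice: a Python "cryptography" wheel and a distro "cryptography" package are different supply chains, and collapsing them hides a swap of one for the other.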

SBOM Export and Compliance

SBOMs can be exported via the UI or API in SPDX and CycloneDX formats, as well as Anchore’s native Syft JSON format. Anchore Enterprise can export aggregated SBOMs for entire applications to meet customer and federal compliance requirements including Executive Order 14028 and NTIA minimum element guidelines.
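A check a consumer of an exported SBOM would run against the NTIA minimum elements mentioned above, as an added example (not Anchore's export or compliance code). It walks a CycloneDX JSON document, which is one of the export formats listed, and reports which of the seven elements (supplier name, component name, version, other unique identifiers, dependency relationship, author of SBOM data, timestamp) each component or the document fails. The SBOM fragment is constructed; the field locations checked are the ones CycloneDX uses for each element.

```python
"""Check an exported CycloneDX SBOM for the NTIA minimum elements.

Added example, not Anchore's code. The SBOM below is a constructed CycloneDX
1.5 JSON fragment with one complete and one deficient component.
"""
import json

SBOM = json.loads("""
{
  "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
  "metadata": {
    "timestamp": "2026-04-17T10:00:00Z",
    "authors": [{"name": "AppSec Team"}],
    "component": {"type": "container", "name": "app", "version": "1.1", "bom-ref": "app"}
  },
  "components": [
    {"type": "library", "bom-ref": "pkg:pypi/requests@2.31.0", "name": "requests",
     "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0", "supplier": {"name": "Example Org"}},
    {"type": "library", "bom-ref": "urllib3", "name": "urllib3", "version": ""}
  ],
  "dependencies": [{"ref": "app", "dependsOn": ["pkg:pypi/requests@2.31.0"]}]
}
""")

NTIA_ELEMENTS = ("author_of_sbom_data", "timestamp", "supplier_name", "component_name",
                 "component_version", "unique_identifiers", "dependency_relationship")


def check_ntia(sbom):
    """Return element -> list of problems; an empty list means the element is satisfied.
    Document-level elements (author, timestamp) get a single message; component-level
    elements list the bom-ref (or name) of each component that lacks them."""
    meta = sbom.get("metadata", {})
    problems = {e: [] for e in NTIA_ELEMENTS}
    if not (meta.get("authors") or meta.get("tools")):
        problems["author_of_sbom_data"].append("metadata.authors/tools missing")
    if not meta.get("timestamp"):
        problems["timestamp"].append("metadata.timestamp missing")
    # Every bom-ref that appears anywhere in the dependency graph counts as related.
    deps = sbom.get("dependencies", [])
    in_graph = {d["ref"] for d in deps} | {r for d in deps for r in d.get("dependsOn", [])}
    for c in sbom.get("components", []):
        label = c.get("bom-ref") or c.get("name") or "<unnamed>"
        if not c.get("supplier", {}).get("name"):
            problems["supplier_name"].append(label)
        if not c.get("name"):
            problems["component_name"].append(label)
        if not c.get("version"):
            problems["component_version"].append(label)
        if not (c.get("purl") or c.get("cpe")):
            problems["unique_identifiers"].append(label)
        if c.get("bom-ref") not in in_graph:
            problems["dependency_relationship"].append(label)
    return problems


def ntia_compliant(sbom):
    return all(not v for v in check_ntia(sbom).values())


if __name__ == "__main__":
    for element, issues in check_ntia(SBOM).items():
        print(f"{element:24s} {'ok' if not issues else issues}")
    print("compliant:", ntia_compliant(SBOM))
```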


Vulnerability and Security Scanning

Anchore Enterprise scans for vulnerabilities and security risks at every stage of the software development process: source code repositories, CI/CD pipelines, container registries, and runtime environments.

Precision Vulnerability Matching

Anchore Enterprise applies a precision matching algorithm that selects the most accurate vulnerability data source for each component. When the SBOM identifies a specific Linux distribution (such as RHEL or Ubuntu), packages installed by that distribution are matched against the vendor’s security advisory feed rather than generic NVD data. Vendor advisories record the distribution’s own fixed versions, including backported patches, so a package whose upstream version number looks vulnerable but whose distribution build already carries the fix is not reported. This approach significantly reduces both false positives and false negatives.

Multiple Vulnerability Data Sources

Vulnerability data is sourced from 20+ providers, including the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and vendor-specific feeds for all major Linux distributions. Anchore also maintains a curated dataset of known false-positive matches for automatic suppression. See Anchore Data Service for the complete list of sources.

EPSS and KEV Enrichment

Vulnerability findings are enriched with EPSS (Exploit Prediction Scoring System) scores that provide a probability estimate of exploitation, and CISA KEV (Known Exploited Vulnerabilities) flags that identify vulnerabilities with confirmed active exploitation in the wild. These data points help security teams prioritize remediation based on real-world risk.

Zero-Day Vulnerability Response

When a zero-day vulnerability is disclosed, Anchore Enterprise can instantly identify impacted components by querying stored SBOMs. There is no need to re-scan images or repositories — the existing SBOM data is matched against the updated vulnerability records.
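The three mechanisms above (distro-aware source selection, EPSS/KEV enrichment, and re-matching stored SBOMs when a new record arrives) in one worked example. This is added code, not Anchore's matcher; every vulnerability record, EPSS score and KEV entry is constructed (the CVE ids are placeholders, not real advisories), and the version comparison is a simplified rpm-style comparator rather than a full rpm/dpkg implementation. The point it shows is the backport case: the same openssl 1.1.1k looks vulnerable against the generic NVD record but is clean against the RHEL record once the distro's fixed build is installed.

```python
"""Distro-aware vulnerability matching, EPSS/KEV enrichment and zero-day
re-evaluation over stored SBOMs.

Added example, not Anchore's matcher. All records below are constructed.
"""
import re

# Constructed stored SBOMs, trimmed to what matching needs.
STORED_SBOMS = {
    "registry.example.com/app:1.0": {
        "distro": "rhel", "distro_version": "8",
        "packages": [{"name": "openssl", "version": "1.1.1k-4.el8", "type": "rpm"}]},
    "registry.example.com/app:1.1": {
        "distro": "rhel", "distro_version": "8",
        "packages": [{"name": "openssl", "version": "1.1.1k-7.el8_6", "type": "rpm"}]},
    "registry.example.com/tool:2.0": {
        "distro": None, "distro_version": None,
        "packages": [{"name": "openssl", "version": "1.1.1k", "type": "binary"}]},
}

# Constructed feeds. The NVD-style record carries the generic upstream fix
# version; the vendor record carries the distro's backported fix build.
FEEDS = {
    "nvd": [{"id": "CVE-0000-1001", "package": "openssl", "fixed_in": "1.1.1l", "severity": "High"}],
    "rhel:8": [{"id": "CVE-0000-1001", "package": "openssl", "fixed_in": "1.1.1k-7.el8_6",
                "severity": "Important"}],
}
EPSS = {"CVE-0000-1001": 0.12}   # constructed exploitation probability
KEV = set()                      # constructed: nothing in the KEV catalog yet


def version_key(version):
    """Simplified rpm-style ordering: numeric segments compare numerically,
    alphabetic ones lexically, and a missing trailing segment is older
    (so 7.el8 < 7.el8_6). Not a full rpmvercmp."""
    return [(1, int(t)) if t.isdigit() else (0, t) for t in re.findall(r"\d+|[A-Za-z]+", version)]


def is_vulnerable(installed, fixed_in):
    return version_key(installed) < version_key(fixed_in)


def select_feed(sbom, package, feeds):
    """Precision matching: an OS package on a known distro is matched against
    that distro's advisory feed; anything else falls back to NVD."""
    if package["type"] in ("rpm", "deb", "apk") and sbom["distro"]:
        key = f"{sbom['distro']}:{sbom['distro_version']}"
        if key in feeds:
            return key
    return "nvd"


def match_sbom(sbom, feeds=FEEDS):
    """Match one stored SBOM against the feeds and return raw findings."""
    findings = []
    for pkg in sbom["packages"]:
        feed = select_feed(sbom, pkg, feeds)
        for rec in feeds[feed]:
            if rec["package"] == pkg["name"] and is_vulnerable(pkg["version"], rec["fixed_in"]):
                findings.append({"id": rec["id"], "package": pkg["name"], "version": pkg["version"],
                                 "source": feed, "severity": rec["severity"]})
    return findings


def enrich(findings, epss=EPSS, kev=KEV):
    """Attach EPSS and KEV data and order by real-world risk: KEV entries
    first, then descending EPSS probability."""
    for f in findings:
        f["epss"] = epss.get(f["id"], 0.0)
        f["kev"] = f["id"] in kev
    return sorted(findings, key=lambda f: (not f["kev"], -f["epss"]))


def impacted_images(new_records, stored=STORED_SBOMS, feeds=FEEDS):
    """Zero-day response: merge newly published records (feed key -> record)
    into the feeds and re-match the stored SBOMs. No image is pulled or
    re-analyzed; only the stored package lists are consulted."""
    merged = {k: list(v) for k, v in feeds.items()}
    for key, rec in new_records.items():
        merged.setdefault(key, []).append(rec)
    new_ids = {rec["id"] for rec in new_records.values()}
    return sorted(image for image, sbom in stored.items()
                  if any(f["id"] in new_ids for f in match_sbom(sbom, merged)))


if __name__ == "__main__":
    for image, sbom in STORED_SBOMS.items():
        print(image, [(f["id"], f["source"], f["epss"]) for f in enrich(match_sbom(sbom))])
```

Note what select_feed does not do: a distro package is not also matched against NVD. That is deliberate in real matchers too, because the generic record would re-introduce exactly the backport false positive the vendor feed removed, but it means the vendor feed's freshness is what bounds detection latency for OS packages.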

Malware Detection

Anchore Enterprise scans container image layers for malware, cryptominers, and other malicious content using ClamAV signatures that are kept current through the Anchore Data Service.


Vulnerability Management and Remediation

Anchore Enterprise provides tools beyond detection to help teams manage and remediate security findings efficiently.

Manage False Positives

Anchore Enterprise reduces false positives through precision matching, Anchore-curated match exclusions, and user-defined corrections. Corrections allow teams to override CPE-based matching for specific packages, improving accuracy over time. Allowlists and time-limited allowlists provide exceptions for known acceptable risks.

VEX Annotations

Anchore Enterprise supports VEX (Vulnerability Exploitability eXchange) annotations that allow teams to document the exploitability status of specific vulnerabilities. Annotations can be set to Not Affected, Affected, Fixed, or Under Investigation, and can include action statements describing planned remediation. VEX documents can be exported in CycloneDX and OpenVEX formats.
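How annotations in the four states above become an OpenVEX document and how that document is then applied to a findings list, as an added example (not Anchore's VEX code). The findings, annotations, author and document id are constructed; the status and justification vocabularies are OpenVEX's, and a not_affected statement is rejected without a valid justification because the OpenVEX spec requires one.

```python
"""Build an OpenVEX document from triage annotations and apply it to findings.

Added example, not Anchore's implementation. Findings, annotations, author and
document id are constructed; the CVE ids are placeholders.
"""
import json
from datetime import datetime, timezone

OPENVEX_STATUSES = {"not_affected", "affected", "fixed", "under_investigation"}
# Justification labels OpenVEX defines for not_affected statements.
OPENVEX_JUSTIFICATIONS = {
    "component_not_present", "vulnerable_code_not_present",
    "vulnerable_code_not_in_execute_path",
    "vulnerable_code_cannot_be_controlled_by_adversary",
    "inline_mitigations_already_exist",
}

# Constructed findings for one image, identified by vulnerability id and purl.
FINDINGS = [
    {"id": "CVE-0000-1001", "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10", "severity": "High"},
    {"id": "CVE-0000-1002", "purl": "pkg:pypi/requests@2.31.0", "severity": "Medium"},
    {"id": "CVE-0000-1003", "purl": "pkg:pypi/urllib3@2.0.7", "severity": "Critical"},
]

# Constructed annotations as a team might record them after triage.
ANNOTATIONS = [
    {"id": "CVE-0000-1001", "purl": "pkg:deb/ubuntu/openssl@3.0.2-0ubuntu1.10",
     "status": "not_affected", "justification": "vulnerable_code_not_in_execute_path"},
    {"id": "CVE-0000-1002", "purl": "pkg:pypi/requests@2.31.0",
     "status": "affected", "action_statement": "Upgrade requests in the next release"},
    {"id": "CVE-0000-1003", "purl": "pkg:pypi/urllib3@2.0.7", "status": "under_investigation"},
]


def to_openvex(annotations, author, doc_id, timestamp=None):
    """Convert annotations into an OpenVEX v0.2.0 document, validating as it goes."""
    statements = []
    for a in annotations:
        if a["status"] not in OPENVEX_STATUSES:
            raise ValueError(f"unknown VEX status {a['status']!r} for {a['id']}")
        stmt = {"vulnerability": {"name": a["id"]},
                "products": [{"@id": a["purl"]}],
                "status": a["status"]}
        if a["status"] == "not_affected":
            if a.get("justification") not in OPENVEX_JUSTIFICATIONS:
                raise ValueError(f"not_affected for {a['id']} requires a valid justification")
            stmt["justification"] = a["justification"]
        if a["status"] == "affected" and a.get("action_statement"):
            stmt["action_statement"] = a["action_statement"]
        statements.append(stmt)
    return {"@context": "https://openvex.dev/ns/v0.2.0", "@id": doc_id, "author": author,
            "timestamp": timestamp or datetime.now(timezone.utc).isoformat(),
            "version": 1, "statements": statements}


def apply_vex(findings, vex_doc):
    """Return (active, suppressed). A finding whose (id, purl) carries a
    not_affected or fixed statement is suppressed; all others stay active with
    the VEX status attached so reports can filter on it. A finding with no
    statement at all is treated as affected, never silently dropped."""
    status_by_key = {(s["vulnerability"]["name"], p["@id"]): s["status"]
                     for s in vex_doc["statements"] for p in s["products"]}
    active, suppressed = [], []
    for f in findings:
        status = status_by_key.get((f["id"], f["purl"]), "affected")
        entry = dict(f, vex_status=status)
        (suppressed if status in ("not_affected", "fixed") else active).append(entry)
    return active, suppressed


if __name__ == "__main__":
    doc = to_openvex(ANNOTATIONS, author="appsec@example.com", doc_id="https://example.com/vex/app-1.1")
    print(json.dumps(doc, indent=2))
    active, suppressed = apply_vex(FINDINGS, doc)
    print("active:", [f["id"] for f in active], "suppressed:", [f["id"] for f in suppressed])
```

Keying statements on the full purl, not just the vulnerability id, is what keeps a not_affected written for one package version from silently suppressing the same CVE after the package is upgraded or vendored a second time under a different path.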

Reporting and Notifications

Anchore Enterprise includes a reporting service with scheduled report generation, filterable by vulnerability severity, annotation status, and account scope. Reports can be exported as CSV or JSON. Notifications can be routed through webhooks, Slack, Jira, and email to alert teams when vulnerability states change, policy evaluations update, or analysis completes.


Policy Enforcement and Compliance

Anchore Enterprise includes a policy engine that enables automated compliance checking against customizable rules, industry standards, and regulatory requirements.

Gate-and-Trigger Policy Model

Policies use a gate-and-trigger model. Gates define categories of checks (vulnerabilities, licenses, secrets, file permissions, metadata), and triggers define specific conditions within each gate; each rule pairs a gate and a parameterized trigger with an action of stop, warn, or go. When a trigger fires, its rule’s action is recorded, and the final action of the evaluation is the most severe one recorded: any stop produces a fail result, warn produces a pass with warnings, and go a clean pass. Multiple rule sets can be combined into a single policy bundle and mapped to specific registries, repositories, or tags.

See Policies for more information.
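A toy evaluator for the model just described, as an added example (not Anchore's policy engine). It takes a constructed bundle in the shape the text describes (rules with gate, trigger, params and a stop/warn/go action; mappings that route an image to a policy by registry, repository and tag pattern) and constructed analysis results, and implements just two gates. The gate and trigger names and parameters here are illustrative, not a statement of Anchore's actual gate catalogue. The interesting outcome is the critical finding with no fix: the stop rule requires fix_available, so it only draws a warn.

```python
"""Toy gate-and-trigger policy evaluator over constructed image findings.

Added example, not Anchore's engine. Gate/trigger names and parameter
semantics are illustrative.
"""
import fnmatch

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
ACTION_RANK = {"go": 0, "warn": 1, "stop": 2}

# Constructed bundle: one policy, plus the mapping that routes images to it.
BUNDLE = {
    "policies": {
        "prod-default": [
            {"gate": "vulnerabilities", "trigger": "package", "action": "stop",
             "params": {"severity": "high", "severity_comparison": ">=", "fix_available": "true"}},
            {"gate": "vulnerabilities", "trigger": "package", "action": "warn",
             "params": {"severity": "medium", "severity_comparison": ">="}},
            {"gate": "secret_scans", "trigger": "content_regex_checks", "action": "stop", "params": {}},
        ],
    },
    "mappings": [
        {"registry": "registry.example.com", "repository": "prod/*", "image": "*", "policy": "prod-default"},
    ],
}

# Constructed analysis results for one image (ids are placeholders).
IMAGE = {
    "registry": "registry.example.com", "repository": "prod/api", "tag": "1.4.2",
    "vulnerabilities": [
        {"id": "CVE-0000-1001", "package": "openssl", "severity": "high", "fix": "3.0.2-0ubuntu1.15"},
        {"id": "CVE-0000-1003", "package": "urllib3", "severity": "critical", "fix": None},
        {"id": "CVE-0000-1002", "package": "requests", "severity": "medium", "fix": "2.32.0"},
    ],
    "secrets": [{"path": "/app/.env", "match": "AWS_ACCESS_KEY"}],
}


def select_policy(bundle, image):
    """Return (policy_id, rules) for the first mapping whose patterns match the image."""
    for m in bundle["mappings"]:
        if (fnmatch.fnmatch(image["registry"], m["registry"])
                and fnmatch.fnmatch(image["repository"], m["repository"])
                and fnmatch.fnmatch(image["tag"], m["image"])):
            return m["policy"], bundle["policies"][m["policy"]]
    raise LookupError("no mapping matches image")


def severity_matches(severity, params):
    rank = SEVERITY_RANK[severity]
    threshold = SEVERITY_RANK[params.get("severity", "negligible")]
    comparison = params.get("severity_comparison", ">=")
    return {">=": rank >= threshold, ">": rank > threshold, "=": rank == threshold}[comparison]


def fire_trigger(rule, image):
    """Yield one message per finding that makes this rule's trigger fire."""
    gate, trigger, p = rule["gate"], rule["trigger"], rule["params"]
    if gate == "vulnerabilities" and trigger == "package":
        for v in image["vulnerabilities"]:
            if severity_matches(v["severity"], p) and (p.get("fix_available") != "true" or v["fix"]):
                fix = f" (fix: {v['fix']})" if v["fix"] else " (no fix)"
                yield f"{v['severity'].upper()} vulnerability {v['id']} in {v['package']}{fix}"
    elif gate == "secret_scans" and trigger == "content_regex_checks":
        for s in image["secrets"]:
            yield f"secret {s['match']} found in {s['path']}"


def evaluate(bundle, image):
    """Return (final_action, status, findings); status is 'fail' iff any stop fired.
    Each finding is (action, gate, trigger, message)."""
    _, rules = select_policy(bundle, image)
    findings = [(rule["action"], rule["gate"], rule["trigger"], msg)
                for rule in rules for msg in fire_trigger(rule, image)]
    final = max((f[0] for f in findings), key=ACTION_RANK.get, default="go")
    return final, ("fail" if final == "stop" else "pass"), findings


if __name__ == "__main__":
    final, status, findings = evaluate(BUNDLE, IMAGE)
    print(f"{status} (final action: {final})")
    for action, gate, trigger, msg in findings:
        print(f"  {action:4s} {gate}/{trigger}: {msg}")
```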

Pre-Built Policy Packs

Anchore Enterprise ships with policy packs mapped to common compliance standards:

  • FedRAMP — Validates container images against FedRAMP Vulnerability Scanning Requirements and controls specified in NIST 800-53 Rev 5 and NIST 800-190.
  • DISA Image Creation and Deployment Guide — Aligns with DoD Container Image Creation and Deployment Guide requirements.
  • DoD Iron Bank — Validates images against U.S. Air Force security standards at Platform One and Iron Bank.
  • CIS — Validates against container image best practices and a subset of NIST 800-53 and NIST 800-190 controls. Customizable for alignment with CIS Benchmarks.
  • NIST — Validates content against NIST 800-53 and NIST 800-190 controls.

DISA STIG Compliance

Anchore Enterprise can scan container images against DISA Security Technical Implementation Guides (STIGs). Scan results are output in OASIS Heimdall Data Format (OHDF) and can be converted to XCCDF and CKL formats for import into STIG Viewer using MITRE SAF CLI tools.

CI/CD Pipeline Integration

Policies can be enforced directly in CI/CD pipelines using AnchoreCTL. The anchorectl image check command evaluates an image against the active policy and returns a pass/fail result; with the --fail-based-on-results flag a failing evaluation exits non-zero, so a pipeline step can gate on it directly. Distributed analysis mode allows SBOM generation to happen locally on CI runners for faster feedback.

Kubernetes Admission Control

The Kubernetes Admission Controller evaluates container images against Anchore Enterprise policies before allowing deployment. Images that fail policy evaluation can be rejected before a Pod is scheduled, providing an enforcement point at deployment time for production clusters.


Runtime Monitoring

Anchore Enterprise integrates with container orchestration platforms to provide continuous visibility into running workloads.

Kubernetes Runtime Inventory

The Kubernetes Inventory Agent (anchore-k8s-inventory) runs inside your cluster and continuously reports running container images back to Anchore Enterprise. This enables real-time vulnerability monitoring and policy compliance checking of production workloads.

ECS Runtime Inventory

The ECS Inventory Agent (anchore-ecs-inventory) provides the same runtime inventory capability for Amazon ECS environments.


Open Source Dependency and License Management

Anchore Enterprise identifies open source dependencies incorporated at any stage of the software lifecycle, including both direct and transitive dependencies. License information is extracted for all identified packages, and license policies can be configured to enforce compliance with organizational open source requirements.


Last modified April 17, 2026