POA&M

Use Anchore Enterprise to enforce a POA&M

This guide provides examples of how to set up a policy gate that requires development teams to comply with an organizational Plan of Actions & Milestones (POA&M).


The POA&M Challenge

POA&Ms can easily become an administrative nightmare to track, maintain and update. With Anchore Enterprise, POA&Ms can instead be expressed as code, by configuring CI/CD policy gates that enforce compliance.

POA&M Solution

Generate an enforceable POA&M using policy as code

The example is shown using a policy built from scratch, but these directions can also be used to add to an existing policy.

  1. Create a new policy

    Policy

  2. Name and describe your policy, then click save

    Policy_save

  3. Now we will edit the default rule, by clicking edit:

    edit_rule

  4. From here we will configure a rule:

    rule_make

    1. Name the rule: RA-5 Vulnerability Monitoring & Scanning
    2. Gate: Vulnerabilities
    3. Trigger: Package
    4. Package type: all
    5. Severity comparison: >=
    6. Severity: unknown
    7. Fix available: true

    Scroll down to the bottom, select the STOP action, and click Save and Close.

    stop

  5. Next, we will create an Allowlist for the item we want to POA&M, either by editing a default Allowlist or by adding a New Allowlist:

    allow_list_make

  6. Now we will edit the Allowlist:

    allowlist_poam

    1. Name the Allowlist: POA&M
    2. Gate: Vulnerabilities
    3. CVE/Vulnerability Identifier: CVE-2025-66293
    4. Package: libpng16-16t64

    Note: Another way to get the CVE and Package information is to obtain the Trigger ID on the Policy Compliance tab, which is the CVE ID + package, as seen in the image below:

    triggerid

  7. We have a rule and an Allowlist, but we want to make this a POA&M item that expires, so let's set an expiration by clicking on the calendar:

    POA&M_expiration

  8. A calendar will pop up and you can select a date or a time frame of days, weeks or months:

    date

  9. Next we will make a mapping to limit where this specific POA&M (Allowlist) is applied, by clicking Mappings, Container Images and then Edit:

    date

  10. Next we will associate a Registry, Repository and Tag with the POA&M Allowlist we just made.

    poam_allow_list

    1. Name the Mapping: nginx-libpng
    2. Registry: nginx-libpng
    3. Repository: nginx
    4. Tag: *

    Note: Wildcards “*” can be used for Registry, Repository, and Tag.

  11. Our POA&M via an Allowlist with an expiration has been created. Let’s validate:

    validation

    1. Toggle on Go
    2. Show Allowlisted Entries
    3. The TriggerID matches what was put in the Allowlist

You have now created a POA&M enforced by code.
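As an added illustration (not part of the Anchore documentation), the Python below models the bundle built above and evaluates sample findings against it, showing how the mapping scopes the Allowlist and how the POA&M item falls back to STOP once its expiration passes. The key names (policies, whitelists, mappings, trigger_id, expires_on, whitelist_ids) follow the Anchore policy bundle JSON as I understand it, and the severity ranking, the expiration date and the findings are constructed assumptions.

```python
"""Model of the policy bundle built in this guide: the RA-5 STOP rule, the POA&M
allowlist with an expiration, and the nginx-libpng mapping that scopes it. Key names
follow the Anchore policy bundle JSON as I understand it (assumption); params are a dict."""
from datetime import date
from fnmatch import fnmatch
import operator

# Severity order for the comparison; "unknown" is the floor, so ">= unknown" catches everything (assumption).
SEVERITY_RANK = {"unknown": 0, "negligible": 1, "low": 2, "medium": 3, "high": 4, "critical": 5}
COMPARE = {">=": operator.ge, ">": operator.gt, "=": operator.eq, "<=": operator.le, "<": operator.lt}

BUNDLE = {
    "policies": [{"name": "RA-5 Vulnerability Monitoring & Scanning", "rules": [{
        "gate": "vulnerabilities", "trigger": "package", "action": "STOP",
        "params": {"package_type": "all", "severity_comparison": ">=",
                   "severity": "unknown", "fix_available": "true"}}]}],
    "whitelists": [{"id": "poam", "name": "POA&M", "items": [{
        "gate": "vulnerabilities",
        "trigger_id": "CVE-2025-66293+libpng16-16t64",  # CVE ID + package, as shown on the Policy Compliance tab
        "expires_on": "2026-03-01"}]}],                 # constructed expiration date
    "mappings": [{"name": "nginx-libpng", "registry": "nginx-libpng", "repository": "nginx",
                  "image": {"type": "tag", "value": "*"}, "whitelist_ids": ["poam"]}],
}

def rule_fires(rule, finding):
    """Does the RA-5 rule trigger on this finding? (package_type 'all' matches every package)."""
    p = rule["params"]
    if p["fix_available"] == "true" and not finding["fix_available"]:
        return False  # the rule only flags vulnerabilities that have a fix available
    return COMPARE[p["severity_comparison"]](SEVERITY_RANK[finding["severity"]], SEVERITY_RANK[p["severity"]])

def active_allowlist(bundle, image, today):
    """Trigger IDs allowlisted for this image by a matching mapping, excluding expired POA&M items."""
    allowed = set()
    for m in bundle["mappings"]:  # wildcards "*" are allowed in registry, repository and tag
        if not (fnmatch(image["registry"], m["registry"]) and fnmatch(image["repository"], m["repository"])
                and fnmatch(image["tag"], m["image"]["value"])):
            continue
        for wl in bundle["whitelists"]:
            if wl["id"] in m["whitelist_ids"]:
                allowed |= {i["trigger_id"] for i in wl["items"] if date.fromisoformat(i["expires_on"]) > today}
    return allowed

def evaluate(bundle, image, finding, today):
    """Return 'allowlisted', 'STOP' or 'go' for one vulnerability finding on one image."""
    trigger_id = f"{finding['cve']}+{finding['package']}"  # same CVE+package form as the Allowlist entry
    if trigger_id in active_allowlist(bundle, image, today):
        return "allowlisted"
    rule = bundle["policies"][0]["rules"][0]
    return rule["action"] if rule_fires(rule, finding) else "go"
```

Running `evaluate` for the same finding on a date after `expires_on` shows the POA&M lapsing back to STOP, which is the behaviour the expiration in step 7 is meant to enforce.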

Last modified December 5, 2025