AnchoreCTL Release Notes - Version 5.19.0

Note: AnchoreCTL v5.19.x versions are compatible with Enterprise v5.19.x deployments.

AnchoreCTL v5.19.0

Improvements

  • Anchore STIG - Anchore now has support for running STIG evaluations against container images.
    • The feature provides the ability to download STIG profiles, generate STIG evaluations and upload them to your Anchore Enterprise deployment. This feature requires the cinc-auditor tool to be installed on the system where anchorectl is being run. This feature is available through a new entitlement called Static STIG AddOn.
    • The following new commands and command updates are added in support of this workflow:
      • New command anchorectl image stig write-profiles <path to write profiles> [--include-experimental] allows users to download the Anchore STIG profiles and write them to a specified directory. This command also allows users to download experimental profiles that are not yet formally supported.
      • New command anchorectl image stig run <image reference> <-p path to profile file> generates and uploads a STIG evaluation to Anchore Enterprise.
      • New command anchorectl image stig list <image digest> returns the metadata for all STIG evaluations uploaded to Anchore Enterprise for the specified image digest.
      • New command anchorectl image stig delete <image digest> <stig evaluation uuid> deletes a STIG evaluation for the specified image digest and STIG evaluation UUID.
      • New command anchorectl image stig add <image digest> <path to stig evaluation> uploads a STIG evaluation for the specified image digest.
      • New command anchorectl image stig download <image digest> <stig evaluation uuid> downloads a STIG evaluation for the specified image digest and STIG evaluation UUID.
      • Updated command anchorectl image add to support the --stig and --stig-profile flags to allow users to generate and upload a STIG evaluation during the image add workflow.
      • For more detail on this feature, please see the Anchore STIG documentation.
  • Anchore One Time Scan - A stateless scan feature that allows users to scan images without persisting the data in the Anchore Enterprise deployment.
    • New command anchorectl image one-time-scan <pull string> allows users to submit an image for a one-time scan.
    • The command will return the policy evaluation summary and vulnerabilities found in the image. If provided with a destination directory, the command will output three documents in the specified directory:
      • SBOM
      • policy evaluation
      • vulnerability list
    • The policy evaluation will be performed against the active policy bundle in the account provided with the Secure Module Gates of vulnerabilities and secret_scans.
  • The anchorectl system integration list command has been updated to include the name of each integration.
  • Various package updates to improve security and performance.

Fixes

  • When running anchorectl airgap feed download with debug logging enabled, the command will no longer print any tokens.

Last modified July 2, 2025