AnchoreCTL Release Notes - Version 5.21.0

Note: AnchoreCTL v5.21.x versions are compatible with Enterprise v5.21.x deployments.

AnchoreCTL v5.21.0

New Features

  • STIG Evaluations on Kubernetes Containers
  • RHEL Extended Update Support (EUS)
    • The anchorectl image get and anchorectl image vulnerabilities commands now include EUS indications in their output when the -o json option is supplied.
      • Extended Support in the anchorectl image get output indicates that EUS was detected during image analysis.
      • Extended Support in the anchorectl image vulnerabilities output indicates that EUS data was used during the vulnerability scan.
      • See Anchore Secure - Vulnerability Management for more information.

Improvements

  • Datasets
    • Air-gapped workflow downloads will no longer list the CISA Known Exploitable Vulnerabilities (KEV) Database and Exploit Prediction Scoring System (EPSS) Database as separate downloads, as this data is now included in the primary Vulnerability Database.
    • These datasets continue to be required:
      • Vulnerability Database
      • Vulnerability Match Exclusions Database
      • ClamAV malware Database
  • KEV and EPSS data has been added to the output of the anchorectl image vulnerabilities command.
    • The KEV indicator can be found in the table output as well as the json output.
    • The EPSS data is included only in the json output.
  • STIG
    • The anchorectl image stig commands have been deprecated in favour of the new anchorectl stig docker image commands.
    • See the STIG documentation for more information.
  • The anchorectl system artifact-lifecycle-policy add and update commands have been updated to support the new --include-failed-analysis flag.

Fixes

  • Resolves an issue with filenames in the output of the anchorectl airgap feed upload command which caused errors on NTFS filesystems.
  • Resolves an issue with the handling of the --enabled flag in the anchorectl system artifact-lifecycle-policy add and anchorectl system artifact-lifecycle-policy update commands.
  • Resolves an issue with the value of the Last Updated field in the output of the anchorectl registry update command not being populated correctly.
  • The Ubuntu 2004 STIG profile has been removed.
Last modified September 5, 2025