AnchoreCTL Release Notes - Version 6.0.0
Note: AnchoreCTL v6.0.x versions are compatible with Enterprise v6.0.x deployments.
AnchoreCTL v6.0.0
AnchoreCTL v6.0.0 adds a new anchorectl app command family for the Anchore Enterprise v6.0.0 SBOM Management platform, providing command-line management of Applications, Application Versions, Assets, Jobs, VEX annotations, policy results, and exports.
Improvements
- Adds `anchorectl app` commands to list, get, add, update, and delete Applications.
- Adds `anchorectl app version` commands to list, get, add, update, and delete Application Versions, and to list vulnerabilities for a version.
- Adds `anchorectl app version asset` commands to list, get, update, and delete Assets, and `anchorectl app version asset sbom get` to download an Asset’s SBOM.
- Adds `anchorectl app version asset add container-image-remote` to add a container image Asset using centralized (server-side) analysis, where Enterprise pulls and analyzes the image from the registry.
- Adds `anchorectl app version asset add container-image` to analyze a container image and add it as an Asset using distributed (client-side) analysis. Pulls from a registry by default and supports `--from docker`, `--from podman`, and `--from docker-archive:<path>` sources for analyzing local images.
- Adds `anchorectl app version asset add sbom` to import an existing SBOM file as an Asset.
- Adds `anchorectl app version asset add filesystem` to generate an SBOM from a local directory and add it as an Asset.
- Filesystem SBOM generation now supports `--author` and `--supplier` parameters and includes a generation timestamp in the SBOM document, improving SBOM quality scores for filesystem scans.
- Adds `anchorectl app job` commands to list, get, and cancel jobs. The list command supports filtering by version, status, jobs owned by the calling user (`--mine`), and jobs created since a relative duration or absolute timestamp (`--created-since`).
- Adds `anchorectl app version policy` commands: `status get` returns the policy evaluation status (pass/fail), policy name, and finding statistics; `findings list` returns paginated policy findings with gate, trigger, action, message, and affected asset count.
- Adds `anchorectl app version package list` to list the aggregated package contents of an Application Version.
- Adds `anchorectl app version vex` commands to list, get, add, update, and delete VEX (vulnerability annotation) records.
- Adds `anchorectl app version export` commands to export an Application Version’s SBOM (CycloneDX or SPDX), VDR, VEX statements, vulnerabilities (CSV), package contents (CSV), and policy compliance findings (CSV). Each command creates an export job, waits for completion, and writes the result to stdout or a file.
- The `anchorectl system wait` command can now also wait for the component-catalog service.
Fixes
- Fixes an issue where `anchorectl image add --from docker` with STIG checks (`--stig`) failed the STIG evaluation when the local image had not been pushed to a registry and therefore had no assigned digest.
- Fixes an issue where the generated SBOM for an image analyzed via distributed analysis was missing the `os` and `architecture` details in the source metadata.
- Fixes an issue where `anchorectl image add --platform` did not pull the requested platform when the platform specifier included a variant (for example, `linux/arm64/v8`).
- Fixes an issue where `anchorectl image one-time-scan --dockerfile` did not submit the supplied Dockerfile, so Dockerfile policy gates never triggered during the scan.
Deprecations
- The legacy application commands, `anchorectl application`, are deprecated and hidden in favor of the new `anchorectl app` command family.
- The legacy source commands, `anchorectl source`, are deprecated and hidden in favor of the new `anchorectl app version asset add filesystem` commands.
- The `anchorectl stig k8s` commands are deprecated.
Removals
- The `anchorectl sbom add` command has been removed. Use `anchorectl app version asset add sbom` to import SBOMs.
- The Artifact Lifecycle Policy (ALP) rule type for imported SBOMs has been removed.