1 - AnchoreCTL Release Notes - Version 5.12.0
Note: AnchoreCTL v5.12.x
versions are compatible with Enterprise v5.12.x
deployments.
AnchoreCTL v5.12.0
Improvements
- The command
anchorectl user add
now supports all RBAC Roles. - The command
anchorectl usergroup role add
now supports all RBAC Roles except theaccount-view
which is restricted from addition into an usergroup. - Provide better error messages when downloading datasets or uploading datasets to Anchore Enterprise while in air-gapped environments.
- The air gapped workflow has been improved to download and upload the EPSS dataset.
2 - AnchoreCTL Release Notes - Version 5.11.0
Note: AnchoreCTL v5.11.x
versions are compatible with Enterprise v5.11.x
deployments.
AnchoreCTL v5.11.0
Improvements
- With the addition of integration health updates in
Enterprise v5.11.0
, the following command will provide you data on the health of the integration and Anchore Enterprise:- New command
anchorectl system integration list
to list all the integrations registered with the system. - New command
anchorectl system integration get <UUID>
to get the details of a specific integration.
- New command
Fixes
- The
event list
command can now support filtering events by theresource-id
of the event.- Example:
anchorectl event list --resource-id grypedb
- Example:
- The
anchorecl system smoke-tests
command now correctly returns a non-zero exit code when a test fails. The test has also been updated to use an image with known vulnerabilities.
3 - AnchoreCTL Release Notes - Version 5.10.1
Note: AnchoreCTL v5.10.x
versions are compatible with Enterprise v5.10.x
deployments.
AnchoreCTL v5.10.1
- Fixes the command
anchorectl system smoke-tests run
4 - AnchoreCTL Release Notes - Version 5.10.0
Note: AnchoreCTL v5.10.x
versions are compatible with Enterprise v5.10.x
deployments.
AnchoreCTL v5.10.0
AnchoreCTL has been updated to support the new Data Syncer service. AnchoreCTL has been enhanced to handle Air Gapped imports of datasets with the data syncer service.
- Updated Commands:
anchorectl feeds list
: List all available feeds, this list now includes other datasets like CISA KEV and ClamAV Malware signatures.anchorectl feeds sync
: Sync all feeds, this command will sync all available feeds.
- New Commands
anchorectl airgap feed download
: Download all feeds for air-gapped environments.anchorectl airgap feed upload
: Import the downloaded feeds into Enterprise.
5 - AnchoreCTL Release Notes - Version 5.9.1
Note: AnchoreCTL v5.9.x
versions are compatible with Enterprise v5.9.x
deployments.
AnchoreCTL v5.9.1
- Fixes the command
anchorectl system smoke-tests run
6 - AnchoreCTL Release Notes - Version 5.9.0
Note: AnchoreCTL v5.9.x
versions are compatible with Enterprise v5.9.x
deployments.
AnchoreCTL v5.9.0
A feature and bug fix release which includes:
- The command
anchorectl repo add <repo name>
now supports the--exclude-existing-tags
flag. When set, this flag will exclude tags that are already present in the repository. Only newly created tags will be added to the Enterprise system. - Various supporting libraries have been updated in order to improve security.
7 - AnchoreCTL Release Notes - Version 5.8.1
Note: AnchoreCTL v5.8.x
versions are compatible with Enterprise v5.8.x
deployments.
AnchoreCTL v5.8.1
- Various supporting libraries have been updated in order to improve security.
8 - AnchoreCTL Release Notes - Version 5.8.0
Note: AnchoreCTL v5.8.x
versions are compatible with Enterprise v5.8.x
deployments.
AnchoreCTL v5.8.0
A feature and bug fix release which includes:
- Improves an error message when deleting images without a force flag.
- Fixed an issue that prevented images from being analyzed when the cataloger scope was set to Scoped or AllLayers.
- Various supporting libraries have been updated in order to improve security.
9 - AnchoreCTL Release Notes - Version 5.7.0
Note: AnchoreCTL v5.7.x
versions are compatible with Enterprise v5.7.x
deployments.
AnchoreCTL v5.7.0
A feature and bug fix release which includes:
- Cataloger scope specified from the configuration file is now respected during the image content command.
- Improvements to golang release version extraction from go binary ldflags.
- Various supporting libraries have been updated in order to improve security.
10 - AnchoreCTL Release Notes - Version 5.6.0
Note: AnchoreCTL v5.6.x
versions are compatible with Enterprise v5.6.x
deployments.
AnchoreCTL v5.6.2
A maintenance release which includes:
- Updates to the
Syft
version of v1.5.0
AnchoreCTL v5.6.1
A bug fix release which includes:
- Fails the creation of a user within the
admin
account when an RBAC Role is specified. If the user is not being created in theadmin
account, the default RBAC Role isread-write
unless otherwise specified.
AnchoreCTL v5.6.0
A feature and bug fix release which includes:
- The addition of a
system smoke-tests run
command. This can be used as a tool to aid the assessment of the health of your Anchore Enterprise deployment by executing a few basic operations.- The command requires the caller to have
admin
credentials. - The command does not have the ability to assess the health of the feed service, the report service, or the notification service.
- The command requires the caller to have
- The command
feed list
now includes the Last Updated column which is the last successful update time of the specific feed groups. - Updates the
system artifact-lifecycle-policy
commands to expose a new policy condition which allows for the preservation of base images. - Improved an error message during creation of a user within the
admin
account when an RBAC Role is specified. - Various supporting libraries have been updated in order to improve security.
11 - AnchoreCTL Release Notes - Version 5.5.0
The latest version of AnchoreCTL is 5.5.0. Note: AnchoreCTL v5.5.x versions are compatible with Anchore Enterprise v5.5.x deployments.
AnchoreCTL v5.5.0 is a maintenance release
- Various supporting libraries have been updated in order to improve security
12 - AnchoreCTL Release Notes - Version 5.4.0
The latest version of AnchoreCTL is 5.4.0. Note: AnchoreCTL v5.4.x versions are compatible with Anchore Enterprise v5.4.x deployments.
AnchoreCTL v5.4.0 is a feature and bug fix release which includes:
RBAC Role Support
- Addition of the following commands that are accessible by users with admin, account-user-admin, or full-control.
anchorectl system role list
- returns the list of supported RBAC Roles.anchorectl system role get <rbac role name>
- returns description and list of permissions of the specified role.
- Addition of the following commands that are accessible by users with admin, account-user-admin, or full-control.
User Group Support
- Commands for the management of User Groups
anchorectl usergroup add <usergroup name or uuid> [--description <string>]
anchorectl usergroup delete <usergroup name or uuid>
anchorectl usergroup get <usergroup name or uuid>
anchorectl usergroup list [--contains-user <username>] [--contains-account <account name>] [--user-group-name <usergroup name>]
anchorectl usergroup update <usergroup name> --description <string>
anchorectl usergroup role add <usergroup name> <account name> --role <rbac role name>
anchorectl usergroup role delete <usergroup name> <account name> --role <rbac role name>
anchorectl usergroup role list <usergroup name>
anchorectl usergroup user add <usergroup name> --user <username>
anchorectl usergroup user delete <usergroup name> --user <username>
anchorectl usergroup user list <usergroup name>
anchorectl system wait
command now defaults to waiting only on the Enterprise API Service. The –services flag can be used to specify other services that should be waited on as well.Return the image content even when the parent digest is being used for the request. This was seen in a error in
anchorectl image content
.Various supporting libraries have been updated in order to improve security
13 - AnchoreCTL Release Notes - Version 5.3.0
The latest version of AnchoreCTL is 5.3.0. Note: AnchoreCTL v5.3.x versions are compatible with Anchore Enterprise v5.3.x deployments.
AnchoreCTL v5.3.0 is a feature and bug fix release which includes:
- Enable the dotnet-deps-cataloger for image analysis
- Various supporting libraries have been updated in order to improve security
14 - AnchoreCTL Release Notes - Version 5.2.0
The latest version of AnchoreCTL is 5.2.0. Note: AnchoreCTL v5.2.x versions are compatible with Anchore Enterprise v5.2.x deployments.
AnchoreCTL v5.2.0 is a feature and bug fix release which includes:
- Adds the ability to delete runtime inventory with
inventory delete
. - Adds the ability for admins to edit the email field of accounts with
account update
. - Addresses an exception in the
system artifact-lifecycle-policy update
command when the policy uuid was not provided. - Adds a new field,
password_last_updated
, to the response ofuser list
anduser get
commands. image content
command correctly displays thelicenses
property in the response.image vuln
command provides an optional flag,--include-description
, that is available with the json output format. Using this flag will include the description for each vulnerability listed.
15 - AnchoreCTL Release Notes - Version 5.1.0
The latest version of AnchoreCTL is 5.1.0.
AnchoreCTL 5.1.0 is a feature and bug fix release which includes:
- Commands to manage artifact lifecycle policies
- Removes errant ‘status’ string at beginning of
anchorectl image check <img> --detail
output which caused invalid json. - Updates Syft version to v0.97.1 aligned with Enterprise 5.1.0
AnchoreCTL 5.1.x versions are compatible with Anchore Enterprise 5.1.X deployments.
16 - AnchoreCTL Release Notes - Version 5.0.1
The latest version of AnchoreCTL is 5.0.1.
AnchoreCTL 5.0.1 is a bug fix release which includes:
- A fix for a stack overflow that can be seen when executing the command
anchorectl image check <image> --detail
. This can occur when the image has an allowlisted policy finding.
AnchoreCTL 5.0.x versions are compatible with Anchore Enterprise 5.0.X deployments.
17 - AnchoreCTL Release Notes - Version 5.0.0
The latest version of AnchoreCTL is 5.0.0.
NOTE: This version of AnchoreCTL only supports Anchore Enterprise 5.0.x
AnchoreCTL 5.0.0 is a feature and bug fix release which includes:
- Dependency updates, and general client updates to support Anchore Enterprise v5.0.0
- Change to version scheme, switching to keep version of AnchoreCTL inline with the version of Anchore Enterprise that the client supports (by semver compatibility)
- Add sub-command for policy update
- Add single java version column to the table output for java content
- Remove rbac-url requirement from configuration in support of Anchore Enterprise v5.0.0’s single API feature
- Remove the fix_observed_at date from table output for image vulnerability operation
- Update the inventory watch commands
- Update source policy check output to be more inline with image policy check output
- Fix to some cases where the command could hang or terminal could get scrambled
Update to Syft 0.90.0, inline with the version of Syft used in Anchore Enterprise 5.0.0
AnchoreCTL 5.0.x versions are compatible with Anchore Enterprise 5.0.X deployments.
18 - End-of-Life Releases
18.1 - AnchoreCTL Release Notes - Version 4.9.0
AnchoreCTL 4.9.0 is a V2 API-compatibility release that is otherwise identical to 1.8.0.
Warning
AnchoreCTL 4.9.0 is compatible Enterprise 4.9.x ONLY and requires the V2 API.To minimize impact to automated installations, the V2 API compatible AnchoreCTL will not be automatically upgraded using the install script. See Installation for more information.
AnchoreCTL v4.9.0 uses Syft 0.84.1, the same as AnchoreCTL v1.8.0
AnchoreCTL 4.9.x versions are compatible with Anchore Enterprise 4.9.X deployments.
18.2 - AnchoreCTL Release Notes - Version 1.8.0
The latest version of AnchoreCTL is 1.8.0.
AnchoreCTL 1.8.0 is a feature and bug fix release which includes:
- Adds the ability to create explicit SAML users with
user add --idp_name
- Adds the ability to list, activate and deactivate runtime inventory watchers with
inventory watch
- Extends
image content
command to support the typecontent_search
- Extends
image content
command to support the typeretrieved_files
- Extends
image content
command to support the typesecret_search
- Adds the ability to specify the image platform to retrieve and analyze when using the
--from registry
source in theimage add
command so that local analysis can be done on images of a different architecture than the local host where the analysis occurs. - Add an API version check to prevent accidental use of 1.8.0 against an Anchore V2 API endpoint. See Configuration for more information.
Update to using Syft 0.84.1
18.3 - AnchoreCTL Release Notes - Version 1.7.0
The latest version of AnchoreCTL is 1.7.0.
AnchoreCTL 1.7.0 is a feature and bug fix release which includes:
- Adds more detail from the Anchore Enterprise service for error responses, exposing the server side error detail to the user
- Adds new formats (spdx, cycloneDX) to the SBOM output options when using the content get options during
image add
operations - Add support for new
ancestor list
command - Add new
recommendation
field to policy evaluation table output for theimage check
operation - Changed the policy evaluation level of detail from basic to full detail when fetching policy evaluation during
image add
operation - Fixed issue where the
sbom
content was not being fetched when theall
type was given to the get option, in theimage add
operation
Update to using Syft 0.80.0
18.4 - AnchoreCTL Release Notes - Version 1.6.0
The latest version of AnchoreCTL is 1.6.0.
AnchoreCTL 1.6.0 is a feature and bug fix release which includes:
- Adds ability to generate container image SBOMs using a new ‘–from’ option to
anchorectl image add
. This removes the need to use Syft with anchorectl. AnchoreCTL can now perform all the analysis itself and upload it to your Enterprise deployment. See Using CLI for Images for mor information. - Adds extra analysis locally in addition to the SBOM generation. Filesystem metadata, secret scans, content scans, and file retrieval are now supported as they are when doing analysis of an image inside and Anchore Enterprise deployment
- The additional analysis features of secret scans, filesystem metdata, and content searches are only compatible with Anchore Enterprise 4.7+
- Fixes the –help output for the ‘completion’ commands to provide correct autocompletion setup guidance
- Fixes duplication of vulns shown when no type is specified in
anchorectl image vuln <digest>
usage
Update to using Syft 0.79.0
18.5 - AnchoreCTL Release Notes - Version 1.5.0
The latest version of AnchoreCTL is 1.5.0.
AnchoreCTL 1.5.0 is a bug fix release which includes:
- Updates a help string for subscription update command to include the runtime_inventory subscription type
- Fixes
image add <tag> --wait
failure withimage not found
if the same tag is added with another image digest by another client while waiting for the original image to analyze
Update to using Syft 0.75.0
18.6 - AnchoreCTL Release Notes - Version 1.4.0
The latest version of AnchoreCTL is 1.4.0.
AnchoreCTL 1.4.0 is a feature release which includes:
- Adds full output format option support to ‘source sbom’ command similar to ‘image sbom’ operation, including spdx and cyclonedx formats
- Adds new command to get a list of vulnerabilities in a specific application version across all artifacts (images and sources)
- Adds csv output format for source-repo vulnerability and policy evaluation commands
- Fixes adding of incorrect image to application version when using a tag reference in cases where more than one image with that tag is present in the system
Update to using Syft 0.72.1
18.7 - AnchoreCTL Release Notes - Version 1.3.0
The latest version of AnchoreCTL is 1.3.0.
AnchoreCTL 1.3.0 is a maintenance release which includes:
- Added SPDX, CycloneDX and other format options alongside the default JSON format, to the ‘image sbom’ fetch operation
- Added CSV format option to ‘image vulnerabilities’ and ‘image check’ operations
- Enable ability add container images to Anchore Enterprise by image digest
- Add a new ‘CVEs’ column to default table output for ‘image vulnerabilities’ operation for non-CVE findings that refer to one or more CVEs
- Update ‘image add’ from SBOM to respect the –no-auto-subscribe flag
- Fixes segfault when adding application association to an image that is in analyzing state
Update to using Syft 0.62.3
18.8 - AnchoreCTL Release Notes - Version 1.2.0
The latest version of AnchoreCTL is 1.2.0.
AnchoreCTL 1.2.0 is a maintenance release which includes:
- Support for ‘recommendation’ fields from policy evaluations when used with Enterprise 4.1.1
- Fixed to only show a vulnerability once in
anchorectl image vuln
when not using the-t/--type
option - Help and command typo fixes
Updated to using Syft v0.58.0
18.9 - AnchoreCTL Release Notes - Version 1.1.0
The latest version of AnchoreCTL is 1.1.0.
AnchoreCTL 1.1.0 is a maintenance release which includes:
inventory list
command to show all images in the inventory- compatability with Syft v0.56.0
Updated to using Syft v0.56.0
18.10 - AnchoreCTL Release Notes - Version 1.0.0
The latest version of AnchoreCTL is 1.0.0.
AnchoreCTL 1.0.0 represents the first stable release of the tool as the primary CLI for Anchore Enterprise users. Configuration, command structure and capabilities have all been renovated to support the usage of the client by administrators, users, and within scripting environments for automated integration
Added new administrative command groupings:
- Account commands (add, get, list, delete, enable, disable)
- User commands (add, get, list, delete, set-password)
- Analysis archive rule commands (add, get, list, delete)
- Analysis archive image commands (add, get list, delete, restore)
- Event commands (get, list, delete)
- Feed commands (list, sync)
- Policy commands (add, get, list, delete, activate)
- Registry commands (add, get list, delete, update)
- Repo commands (add, get, list, delete, watch, unwatch)
- Subscription commands (get, list, delete, activate, deactivate)
- System commands (status, wait, delete)
The image add
and source add
commands have been revisited to additionally provide a simple way to extract common data from Anchore Enterprise:
anchorectl image add <my-image> --get vulnerabilities,content
: get a summary of content and vulnerabilities to stdoutanchorectl image add <my-image> --get all=/path/to/store/results
: get policy evaluation, vuln, and content results, and store all raw JSON files to/path/to/store/results
anchorectl image add <my-image> --get policy-evaluation
: will get the policy evaluation results and set the return code to 1 if the policy evaluation is not passing (allowing use as a quality gate)
Added the ability to associate images and sources with an application name and version when adding into the system (e.g. anchorectl image add <my image> --application <name>@<version>
).
The UI for all commands has been enhanced to convey intermediate progress and be transparent about actions taken to any result. For instance, using ANCHORECTL_DEBUG_API=true
and increasing log levels to “debug” or “trace” (-vv
or -vvv
) will show individual API events and responses
The anchorectl.yaml
application configuration has changed, use anchorectl --help
to see the latest configuration schema
Added flag to switch output format for most commands to one of text
, json
, json-raw
, or ID
Updated to using syft v0.52.0
18.11 - AnchoreCTL Release Notes - Version 0.2.0
The latest version of AnchoreCTL is 0.2.0. AnchoreCTL is dependent on Syft v0.39.3 as a library.
The current features that are supported are as follows:
- Ability to add sboms via anchorectl using stdin to provide an existing SBOM without re-creating it.
18.12 - AnchoreCTL Release Notes - Version 0.1.4
The latest version of AnchoreCTL is 0.1.4. AnchoreCTL is dependent on Syft v0.39.3 as a library.
The current features that are supported are as follows:
- Source Repository Management: Generate an SBOM and store the SBOM in Anchore’s database. Get information about the source repository, investigate vulnerability packages by requesting vulnerabilities for a single analyzed source repository, or get any policy evaluations.
- Download full image SBOMs for images analyzed with Enterprise 4.0.0.
- Compliance Reports: View and operate on runtime compliance reports, such as STIGs, created by the
rem
tool. - Corrections Management: View and modify corrections information to help reduce false positives in your vulnerability results.
- Image Management: View, list, import local analysis, and request image analysis by the system.
- Runtime Inventory Management: Add, update, and view cluster configurations for Anchore to scan, as well as for the inventory reports themselves.
- System Operations: View and manage system information for your Enterprise deployment.