Anchore Enterprise Release Notes - Version 5.19.0
Anchore Enterprise v5.19.0
Enterprise Service Updates
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.18.x
- The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
- The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
- The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
- The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
- If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
Improvements
- Anchore STIG
- Anchore now has support for running STIG evaluations against container images. This feature is available through a new entitlement called Static STIG AddOn.
- New API endpoints have been added to support the STIG workflow:
- `GET /v2/images/{image_digest}/stig` allows users to list the current STIG evaluations for the specified image digest.
- `POST /v2/images/{image_digest}/stig` allows users to upload a STIG evaluation for the specified image digest.
- `GET /v2/images/{image_digest}/stig/{evaluation_uuid}/file` allows users to download a STIG evaluation for the specified image digest and STIG evaluation UUID.
- `DELETE /v2/images/{image_digest}/stig/{evaluation_uuid}` allows users to delete a STIG evaluation for the specified image digest and STIG evaluation UUID.
- `PUT /v2/images/{image_digest}/stig/{evaluation_uuid}` allows users to update a STIG evaluation for the specified image digest.
- Policy Gate `stig` is now available to ensure that images have STIG evaluations associated with them.
- A new system statistic called `stig_evaluation_inventory` has been added to track the number of STIG evaluations in the system.
- Deployment metrics were added for our users who monitor their deployments with Prometheus.
- Please see the Anchore STIG documentation for more information.
- Anchore One Time Scan - A stateless scan feature that allows users to scan images without persisting the data in the Anchore Enterprise deployment.
- This feature is designed for users who want a lightweight vulnerability and policy scan of an image.
- API endpoint `POST /v2/scan` allows users to submit an image for a one time scan.
- The policy evaluation will be performed against the active policy bundle in the account provided with the Secure Module gates of vulnerabilities and secret_scans.
- A new system statistic called `stateless_sbom_evaluation` has been added to track the number of stateless scans performed.
- An AnchoreCTL command has been added to support this feature: `anchorectl image one-time-scan <pull string>`. Please see the AnchoreCTL Release Notes for more information.
- Priority Analysis Queue
- New priority analysis queue feature allows users to prioritize image and source analysis jobs that are received via the API. This allows user requested analysis jobs to be processed before background jobs that are generated by various subscription watchers.
- Configuration is accessible via the UI or Helm chart value of `services.catalog.analysis_queue_priority`.
- Please note that changes to the priority will not affect any jobs that are already in the queue.
- Identification of old analysis data
- In a future release of Anchore Enterprise, analysis data generated prior to the `v4.0` release will no longer be supported. If these images are still important to your organization, we highly recommend that you force reanalyze them to ensure that you have the most current analysis data for them. Many improvements have been made to our scanning and analysis capabilities including improvements to package and vulnerability detection, license identification, and more.
- To assist in identifying older artifacts in your system, a warning message for each artifact analyzed before the `v4.0` release will be printed during the upgrade job. It will include the account name, image pull string and image digest. This will allow you to identify which images need to be force reanalyzed.
- SBOM Management Vulnerabilities listing has been updated with a small performance improvement.
- Improved a few API endpoints to more quickly close database transactions. This will result in fewer `idle in transaction` states in Postgres.
- Improved the consistency of the Fix Observed At date across the deployment.
- Improved the performance of events being added to the event queue when you have a large number of events being generated.
- Various supporting libraries have been updated in order to improve security.
Fixes
- Resolves an exception within Policy Engine which caused a 404 error back to the user during a policy evaluation.
- Reduces the amount of debug logging that is generated by each service.
- Addresses a corner case where concurrent policy evaluations could result in errors back to the user.
- Fixes an issue where scheduled report executions would occasionally create two reports.
- Fixes an issue where the SBOM Group Vulnerability view could return duplicate vulnerabilities in the report.
- Provides better error messages when an unsupported SBOM is uploaded to the system.
- In deployments with large numbers of analyzers (40+), the reports worker service could overload the system with calls to gather image data. This has been fixed to ensure that the worker service does not overload the system with requests.
- Addresses an issue in policy-engine where an exception would be thrown and the user would receive a 404 error instead. The exception reason will not be returned with a 500 error.
- Addressed a timing issue found in the reports worker service that resulted in a stack trace. No other adverse effects were found.
- Fixes an issue that prevented an image SBOM added from distributed analysis (AnchoreCTL) from being downloaded as a CycloneDX SBOM.
- Corrects when the Prometheus metric `anchore_analyzer_status` is set to `processing` to accurately reflect the state of the analyzer.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
UI Updates
Improvements
- You can now add custom banners to share helpful or important info with your users. Banners can appear at the top or bottom of the app and be shown either on all pages or just the login screen. You can set everything up through the UI deployment configuration, making it easy to tailor to your needs.
- Security Technical Implementation Guide (STIG) evaluation management for container artifacts is now supported. Users can view, download, and delete STIG compliance evaluations associated with images directly from the Artifact Analysis view.
- The Artifact Analysis view now loads immediately, with data displayed progressively as it becomes available. If any tab (such as policy compliance or vulnerabilities) fails to load, only the affected sections will show an error message — the rest remain fully accessible.
- The Artifact Analysis view no longer requires the `getActions` permission to be present in order to display the page. Instead, users without this permission will be blocked from accessing the Action Workbench and adding compliance items to an action plan.
- When previewing a New Report, the Artifact Type filter in various reports is now enforced to be lowercased to match backend expectations
- Added support for LDAP authentication with `posixGroup` object classes. Users can now authenticate with both `groupOfUniqueNames` (via `uniqueMember` attribute) and `posixGroup` (via `memberUid` attribute) LDAP configurations.
- The `stateless_sbom_evaluation` metric is now available in the System > Usage charts and for download alongside other usage metrics
- The User Groups column within the System > Accounts > Users view has been expanded to now display all groups that a user is a member of. For account user admins, the current behavior of only showing groups with roles assigned to their primary account has not changed.
- Social links have found a new home in the About dialog
Fixes
- The Artifact Analysis > SBOM view now displays a more accurate message when malware scanning is not enabled due to deployment configuration
- In previous versions, bulk deletion of events in the Events view could sporadically trigger a UI exception. This issue has now been resolved.
- Added a custom websocket heartbeat mechanism to improve connection reliability and automatically recover from network interruptions, reducing sporadic timeout issues that previously required manual page refreshes
- Prior to this release, the spinner displayed during long SBOM content loading operations would persist in the view, even after navigating elsewhere within the SBOM feature. Now fixed.
- Fixed an issue in Imported SBOMs where error messages from failed group assignment updates would incorrectly persist when reopening the modal for different SBOMs
- Resolved an issue where error notifications about invalid context switches would incorrectly appear under certain conditions
- The sidebar navigation now correctly displays the Kubernetes tab as disabled when the user does not have the ability to view it. Previously, it would appear enabled and provide a 403 Forbidden error when clicked.
- The sidebar navigation now correctly displays enabled options on initial load, rather than showing a select couple as disabled and then enabling them after a brief delay
- Fixed an issue where tooltips in the sidebar navigation could shift position after several seconds of hovering. Tooltip positioning is now stable and accurate.
- Fixed an issue where the dimmer would persist after navigating to the Events view from the Incomplete Analyses modal, causing the background to remain dimmed. The dimmer now correctly disappears when the modal is closed.
- Fixed an issue where the Compliance Alert Summary header would disappear after collapsing and expanding the widget. The header now remains visible as expected.
- Health check requests from monitoring tools and load balancers are now intelligently redirected to a dedicated health service endpoint, reducing unnecessary server-side rendering overhead. This optimization improves response times for health checks and reduces resource usage on the main application server
- The system automatically detects common health check user agents from Kubernetes, cloud providers, and monitoring services. Note that this redirection only takes place for agent requests that carry no authentication headers.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
Component | Supported Version | Helm Chart Version | Additional Info |
---|---|---|---|
Enterprise | v5.19.0 | v3.11.0 | With Syft v1.26.1 and Grype v0.87.0 |
Enterprise UI | v5.19.0 | | |
AnchoreCTL | v5.19.0 | | Deploying AnchoreCTL |
Anchore ECS Inventory | v1.3.3 | v0.0.12 | https://github.com/anchore/ecs-inventory |
Anchore Kubernetes Inventory | v1.7.7 | v0.5.6 | https://github.com/anchore/k8s-inventory |
Kubernetes Admission Controller | v0.7.0 | v0.7.3 | https://github.com/anchore/kubernetes-admission-controller |
Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.26.1
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.87.0
Last modified July 2, 2025