Anchore Enterprise Release Notes - Version 5.23.0
Anchore Enterprise v5.23.0
Enterprise Service
Requirements
- If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
- If upgrading from a release in the range of v5.0.0 - v5.22.x:
  - The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for versions that require significant downtime:
    - The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
    - The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
    - The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
  - If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.
New Features
- CycloneDX Vulnerability Disclosure Reports
  - Image vulnerabilities can now be retrieved in the form of a CycloneDX Vulnerability Disclosure Report.
    - `GET /v2/images/{image_digest}/vuln/{vuln_type}/cyclonedx-json`
    - `GET /v2/images/{image_digest}/vuln/{vuln_type}/cyclonedx-xml`
  - The resulting document contains the set of vulnerabilities satisfying the given request parameters and the set of components (packages) affected by those vulnerabilities.
- Enforce Gates are now available via the One Time scan feature. This includes the following gates; as before, these gates are configured the same as other image gates in your policy, and existing policies with these gates will now start evaluating them for One Time scans.
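
One way to consume the CycloneDX Vulnerability Disclosure Report described above, as an added example that is not Anchore's own code: it joins each vulnerability's `affects` references to `components` by `bom-ref`, as the public CycloneDX JSON schema defines them, and reports references that resolve to no component. The sample document, its identifiers and the `triage` helper are constructed for illustration; which optional fields Anchore populates is an assumption.

```python
import json

# Constructed sample following the public CycloneDX JSON schema; it is not
# captured Anchore output, and every identifier in it is a made-up placeholder.
SAMPLE_VDR = json.loads("""
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.6",
  "components": [
    {"bom-ref": "pkg-1", "type": "library", "name": "libexample",
     "purl": "pkg:deb/debian/libexample@1.2.3"},
    {"bom-ref": "pkg-2", "type": "library", "name": "demo-lib",
     "purl": "pkg:pypi/demo-lib@0.9.0"}
  ],
  "vulnerabilities": [
    {"id": "CVE-0000-0001", "ratings": [{"severity": "low"}, {"severity": "critical"}],
     "affects": [{"ref": "pkg-1"}, {"ref": "pkg-2"}]},
    {"id": "CVE-0000-0002", "ratings": [{"severity": "medium"}], "affects": [{"ref": "pkg-2"}]},
    {"id": "CVE-0000-0003", "ratings": [{"severity": "high"}], "affects": [{"ref": "pkg-missing"}]}
  ]
}
""")

# CycloneDX severity enum, ordered from least to most severe.
SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]

def worst_severity(vuln):
    """Return the highest severity across a vulnerability's ratings."""
    found = [r.get("severity", "unknown") for r in vuln.get("ratings", [])]
    known = [s for s in found if s in SEVERITY_ORDER]
    return max(known, key=SEVERITY_ORDER.index, default="unknown")

def triage(vdr, min_severity="high"):
    """Join vulnerabilities to components via bom-ref; collect dangling refs."""
    if vdr.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    by_ref = {c["bom-ref"]: c for c in vdr.get("components", []) if "bom-ref" in c}
    threshold = SEVERITY_ORDER.index(min_severity)
    findings, dangling = [], []
    for vuln in vdr.get("vulnerabilities", []):
        sev = worst_severity(vuln)
        if SEVERITY_ORDER.index(sev) < threshold:
            continue
        for target in vuln.get("affects", []):
            comp = by_ref.get(target.get("ref"))
            if comp is None:  # reference to a component the document does not list
                dangling.append((vuln["id"], target.get("ref")))
            else:
                findings.append((vuln["id"], sev, comp.get("purl") or comp.get("name")))
    return sorted(findings), dangling
```

A non-empty `dangling` list means the report names a component it does not describe, which is worth surfacing rather than silently dropping when the output feeds a ticketing or gating step.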
Improvements
- API
  - `GET /v2/sources{source_id}/sbom/native-json` endpoint will now also return the file data on newly imported sources.
  - `GET /exp/sboms/{sbom_uuid}/packages` response object now provides the PURL field.
  - VEX now provides generated documents in the CycloneDX formats:
    - `GET /v2/images/{image_digest}/vex/cyclonedx-json`
    - `GET /v2/images/{image_digest}/vex/cyclonedx-xml`
- Fix Observed at Date
  - This date previously indicated when the deployment first observed that a fix for a vulnerability was available.
  - This date is now provided by our `vulnerability_db` which is received from the Anchore Data Service. It is no longer calculated within your deployment.
  - The change provides a single source of truth across all deployments.
  - On upgrade, the system will remove `policy_engine_vulnerabilities_metadata` and `policy_engine_vulnerabilities_package_fix_metadata` tables from your database as this data will no longer be utilized.
  - `GET /v2/images/{image_digest}/vuln/all` response now includes `suggested_fix_version` which will help inform which fix version was used to determine the `fix_observed_at` date.
- STIG Profiles
  - The STIG Profiles are now available from the Anchore Data Service. The change allows Anchore to update them as the need arises instead of waiting for the next release cycle.
  - You will see a new dataset called `stig_profiles_db` after updating your deployment.
  - The STIG Profiles will be retrieved from your enterprise deployment by AnchoreCTL using the same commands. The `GET /v2/stig-profiles` API endpoint was added in support of this workflow. Please see AnchoreCTL Release Notes for more information.
  - Access to the Anchore supported STIG Profiles requires an entitlement. If you are interested in learning more about Anchore STIG support, please contact Anchore Customer Success.
- Prometheus Metrics
  - Adds Prometheus metrics that track the number and size of objects by type stored in the Object Store.
    - `anchore_object_store_bucket_object_count`
    - `anchore_object_store_total_bucket_size`
Fixes
- When setting the configuration option of `services.policy_engine.vulnerabilities.nvd_fallback_to_secondary_cvss` to true, the `GET /v2/query/vulnerabilities` endpoint returns the correct value for `is_kev`.
- Fixes a typo in the Anchore NIST 800-190 v20250101 policy pack name.
- The `system.analyzer.clamav_sync.completed` event is sent only when a new `clamav_db` has been synced with the analyzer. Previously it was occurring every minute.
- Fixes an issue where `GET /v2/images/{image_digest}/sboms` endpoint failed to retrieve the SBOM when provided with the parent digest.
- Addresses an issue where the removal of a VEX annotation did not immediately get reflected in the image vulnerability data.
Deprecations
- Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
- The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
- The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.
UI Updates
Improvements
- Within Imported SBOMs, a new Package URL (PURL) column has been added to the Contents table, positioned after the Version column. This provides identifiers for better package identification and traceability across different ecosystems.
- Within Image Analysis > Vulnerabilities:
- The pie chart breakdown by vulnerability severity has been replaced by simpler linear metrics for faster insights at-a-glance. They display four key dimensions: severity distribution, EPSS Score ranges, KEV status, and fix availability.
- A new Filters button has been introduced which offers more options and a more intuitive and controlled way to filter the vulnerability data in the table.
- Vulnerability data can now be exported in VDR and VEX formats. These new options are available alongside the existing data export within a new dialog launched via the Export button above the table.
- Vulnerability annotators are now provided with additional detail in the tooltip shown in the Annotation Status column header, guiding them toward recommended completion of the annotation form.
- Within Reports, various vulnerability-related report templates now include EPSS Score, KEV, PURL, and Annotation Status fields and filters for assessing risk.
- We’ve also enhanced session management to improve automatic logout on session expiry.
Fixes
- Fixed an issue with SSO redirect error pages returning unstyled.
- Fixed validation to allow relative paths (e.g., `/swagger/`, `/grafana/`) alongside absolute URLs in Custom Links configuration.
- Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.
Recommended Component Versions
| Component | Supported Version | Helm Chart Version | Additional Info |
|---|---|---|---|
| Enterprise | v5.23.0 | v3.17.0 | With Syft v1.33.0 and Grype v0.100.0 |
| Enterprise UI | v5.23.0 | | |
| AnchoreCTL | v5.23.0 | | Deploying AnchoreCTL |
| Anchore ECS Inventory | v1.3.4 | v0.0.13 | https://github.com/anchore/ecs-inventory |
| Anchore Kubernetes Inventory | v1.7.7 | v0.5.7 | https://github.com/anchore/k8s-inventory |
| Kubernetes Admission Controller | v0.7.0 | v0.7.3 | https://github.com/anchore/kubernetes-admission-controller |
| Jenkins Plugin | v3.3.0 | | https://plugins.jenkins.io/anchore-container-scanner |
| Harbor Scanner Adapter | v1.4.1 | | https://github.com/anchore/harbor-scanner-adapter |
Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts
Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.33.0
Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.100.0
Last modified November 4, 2025