Anchore Enterprise Release Notes - Version 5.24.0

Anchore Enterprise v5.24.0

Enterprise Service

Requirements

  • If upgrading from a v4.x release, please refer to the v4.x –> v5.x Migration Guide.
  • If upgrading from a release in the range of v5.0.0 - v5.23.x
    • The upgrade will result in an automatic schema change that will require database downtime. Below are the estimated downtime durations for the versions that require significant downtime:
      • The v5.3.0 schema change may take more than an hour to complete depending on the amount of data in your reporting system.
      • The v5.6.0 schema change may take 2 hours or more depending on the amount of data in your system.
      • The v5.11.x schema change will take approximately 1-2 minutes to complete for every 1 million vulnerable artifacts in your reporting system.
    • If your Anchore Enterprise deployment is on FIPS enabled hosts and your database is being hosted on Amazon RDS, an upgrade to Postgres 16 or greater is required. For more information please see the FIPS section in Requirements.

New Features

  • Chainguard Library Support
    • Anchore Enterprise can now exclude vulnerability matches against components that their provider (in this case Chainguard) has marked as unaffected.
  • Imported SBOM Policy Evaluation
    • Policy now supports a new artifact type of sbom for evaluating imported SBOMs against policies. This allows users to create policies that specifically target SBOM imports and evaluate them based on vulnerability criteria.
    • Vulnerability gate supports package, denylist, and stale feed data triggers for SBOM artifacts.
    • New endpoint GET /exp/sboms/{sbom_uuid}/check has been added to allow users to check the policy evaluation status of an imported SBOM.
  • CIS 1.8 Policy
    • A new Anchore CIS Docker Benchmark V1.8.0 Policy has been included in this release. Any new accounts created after the release of v5.24.0 will automatically have this policy applied. Existing accounts can manually add this policy via the UI or API. Please see CIS Docker Benchmark Policy for more information on this policy pack.
  • Matched CPEs in Vulnerability Findings
    • Vulnerability findings returned from the GET /v2/images/{image_id}/vuln, GET /v2/vulnerability-scan, and GET /v2/scan (used by the anchorectl image one-time-scan command) endpoints now include a matched_cpes field. This field lists the CPEs that were matched for the vulnerable package, giving more context on how the vulnerability was identified and, in particular, letting you tell a CPE-based match apart from a distro or PURL match when reviewing a finding.
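To show what the new matched_cpes field buys a practitioner, here is an added example (not Anchore's code, and not a real API response): a small CPE 2.3 parser plus a triage pass over a constructed findings list that flags CPE-based matches whose product name does not agree with the package name, the usual first sign of a false positive. Only the field name matched_cpes comes from the release notes; the other finding fields (vuln, package_name) and the overall response shape are assumptions.

```python
"""Added example, not Anchore's code: triage vulnerability findings using the
matched_cpes field. SAMPLE_FINDINGS is CONSTRUCTED for illustration; the
field names other than matched_cpes are assumptions, not the real API shape."""
import re

# Component order of a CPE 2.3 formatted string: cpe:2.3:part:vendor:product:...
CPE23_FIELDS = ("part", "vendor", "product", "version", "update", "edition",
                "language", "sw_edition", "target_sw", "target_hw", "other")


def parse_cpe23(cpe: str) -> dict:
    """Split a CPE 2.3 formatted string into a dict of its components.

    CPE 2.3 escapes a literal colon inside a component as '\\:', so a naive
    str.split(':') breaks such strings; this splitter honours the escape.
    """
    if not cpe.startswith("cpe:2.3:"):
        raise ValueError(f"not a CPE 2.3 formatted string: {cpe!r}")
    body = cpe[len("cpe:2.3:"):]
    # Split on ':' only when it is not preceded by a backslash.
    parts = re.split(r"(?<!\\):", body)
    if len(parts) != len(CPE23_FIELDS):
        raise ValueError(
            f"expected {len(CPE23_FIELDS)} components, got {len(parts)}: {cpe!r}")
    # Undo the '\:' escape in each component.
    return {k: v.replace("\\:", ":") for k, v in zip(CPE23_FIELDS, parts)}


def triage(findings: list) -> list:
    """Annotate each finding with how it was matched and whether the matched
    CPE product agrees with the package name (a cheap false-positive signal).

    A finding with no matched_cpes is labelled 'other' here; this example does
    not claim to know what matcher produced it.
    """
    rows = []
    for f in findings:
        cpes = f.get("matched_cpes") or []
        products = {parse_cpe23(c)["product"] for c in cpes}
        # Normalise the package name the way CPE product names usually look
        # (lowercase, non-alphanumerics collapsed to '_').
        norm_pkg = re.sub(r"[^a-z0-9]+", "_", f["package_name"].lower()).strip("_")
        rows.append({
            "vuln": f["vuln"],
            "package": f["package_name"],
            "match_kind": "cpe" if cpes else "other",
            "cpe_products": sorted(products),
            # Review if the match came from a CPE whose product is not the package.
            "review": bool(cpes) and norm_pkg not in products,
        })
    return rows


# Constructed sample findings: the CVE identifiers are placeholders, not real.
SAMPLE_FINDINGS = [
    {"vuln": "CVE-EXAMPLE-0001", "package_name": "libxml2",
     "matched_cpes": ["cpe:2.3:a:xmlsoft:libxml2:2.9.10:*:*:*:*:*:*:*"]},
    {"vuln": "CVE-EXAMPLE-0002", "package_name": "go-toolchain",
     "matched_cpes": ["cpe:2.3:a:golang:go:1.21.0:*:*:*:*:*:*:*"]},
    {"vuln": "CVE-EXAMPLE-0003", "package_name": "openssl",
     "matched_cpes": []},
]

if __name__ == "__main__":
    for row in triage(SAMPLE_FINDINGS):
        print(row)
```

In the constructed data the second finding is flagged for review because the matched CPE names the product "go" while the package is "go-toolchain"; that disagreement is exactly the information matched_cpes now exposes and that was previously invisible in the finding.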

Improvements

  • A new System Statistic, image_reanalysis, is now tracked. It is available via the GET /v2/system/statistics endpoint and on the UI System Statistics page, and counts the number of images that have been reanalyzed.
  • Imported SBOM type field will default to unknown when the user does not provide a type during the import process.
  • The GET /v2/stig-profiles endpoint is no longer restricted to users with full-control or system-admin RBAC roles. The endpoint continues to require a proper license entitlement.

Fixes

  • Provides a clear error message when trying to add an image with an unsupported media type (e.g. application/vnd.docker.ai.model.config.v0.1+json or application/vnd.in-toto+json).
  • AWS SOCI artifacts are now properly rejected by Anchore Enterprise, since they are not container images.
  • Addresses an issue where the internal service SSL verify_cert value was not being respected for the API to Report Service communication.
  • Improved handling of PURLs that contain qualifiers to ensure proper parsing and processing.
  • Audit log entry now correctly captures POST /v2/oauth/token requests.
  • The Policy vulnerability gate package trigger with known exploited vulnerability parameter set to False will correctly produce policy findings for vulnerabilities that are NOT on the KEV list.
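The PURL qualifier fix above is easy to misread unless you have seen the failure mode. The following is an added example, not Anchore's code, of how a package URL must be parsed so that qualifiers (the "?arch=amd64&distro=..." part) and a subpath do not leak into the version or name, beside a deliberately naive split that shows the bug class. Everything here follows the public purl specification; the sample purls are constructed inputs.

```python
"""Added example, not Anchore's code: parsing package URLs (purl) with
qualifiers. The sample purls below are constructed inputs for illustration."""
from urllib.parse import quote, unquote


def parse_purl(purl: str) -> dict:
    """Parse 'pkg:type/namespace/name@version?qualifiers#subpath'.

    Order matters: '#subpath' and '?qualifiers' are split off from the right
    BEFORE the '@version' split, otherwise a version such as
    '1.2.3?arch=amd64' carries the qualifiers along with it.
    """
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl!r}")
    rest = purl[len("pkg:"):].lstrip("/")

    rest, _, subpath = rest.partition("#")
    rest, _, qual_str = rest.partition("?")
    if "@" in rest:  # rightmost '@' separates the version
        rest, _, version = rest.rpartition("@")
    else:
        version = ""

    ptype, _, path = rest.partition("/")
    segments = [unquote(s) for s in path.split("/") if s]
    if not segments:
        raise ValueError(f"purl has no name: {purl!r}")

    qualifiers = {}
    for pair in qual_str.split("&"):
        if not pair:
            continue
        key, _, value = pair.partition("=")
        if not value:  # spec: a qualifier with an empty value is dropped
            continue
        qualifiers[key.lower()] = unquote(value)  # keys are case-insensitive

    return {
        "type": ptype.lower(),
        "namespace": "/".join(segments[:-1]),
        "name": segments[-1],
        "version": unquote(version),
        "qualifiers": qualifiers,
        # Drop empty, '.' and '..' segments from the subpath as the spec requires.
        "subpath": "/".join(unquote(s) for s in subpath.split("/")
                            if s and s not in (".", "..")),
    }


def core_purl(p: dict) -> str:
    """Re-render only type/namespace/name/version, dropping qualifiers and
    subpath: the package identity a vulnerability match is keyed on."""
    segs = [s for s in p["namespace"].split("/") if s] + [p["name"]]
    out = f"pkg:{p['type']}/" + "/".join(quote(s, safe="") for s in segs)
    if p["version"]:
        out += "@" + quote(p["version"], safe="")
    return out


def naive_version(purl: str) -> str:
    """Deliberately wrong illustration of the bug class: splitting on '@'
    without first removing qualifiers and subpath."""
    return purl.rpartition("@")[2]


if __name__ == "__main__":
    sample = "pkg:npm/%40angular/core@12.0.1?arch=amd64&distro=ubuntu-22.04#src/lib"
    print(parse_purl(sample))
    print("naive version:", naive_version(sample))
```

Run as a script it prints the correctly parsed components and then "12.0.1?arch=amd64&distro=ubuntu-22.04#src/lib" for the naive split, which is the kind of version string that would never match any vulnerability record.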

Deprecations

  • Support for OpenStack Swift, which is an open-source object storage system, has been deprecated. Please see Object Storage for a list of supported Object Stores.
  • The enterprise-gitlab-scan plugin is being deprecated in favor of using AnchoreCTL directly in your pipelines. Please see GitLab for more information on integrating Anchore Enterprise with GitLab.
  • The webhook system managed in the configuration file is being deprecated in favor of the more advanced notification system which can be configured to send notifications to webhook endpoints. Please see Notifications for more information on configuring notifications.

UI Updates

Improvements

  • Within Imported SBOMs:
    • When viewing vulnerabilities associated with an SBOM or SBOM Group, the Last Found filter now supports two new preset options of 270 and 365 days, alongside a custom date range.
    • Individual SBOMs can be evaluated against policies containing SBOM-specific rule sets and mappings, with results displayed in a similar manner to image policy evaluations under the Compliance tab.
  • Within Policies:
    • The annotation_status policy parameter now displays as a multi-select dropdown in the Policy Editor, allowing users to select multiple VEX annotation statuses (affected, fixed, not_affected, under_investigation) when configuring policy rules.
    • Policies can now be formulated to apply to Imported SBOMs. To do so, create an SBOM-specific rule set and add mappings that match the rule set to the SBOMs you want to evaluate, by specifying the SBOM name and version (with wildcard pattern support).
  • Within System:
    • The System > Configuration view now provides comprehensive viewing and editing of UI-specific configuration items. Administrators can now set optional UI configurations directly through the web interface when not already defined via config-ui.yaml or environment variables, eliminating the need to modify deployment configurations for runtime adjustments.
      • Each setting displays helpful metadata including the config-ui.yaml key and environment variable name, providing clear guidance on all available configuration methods.
      • This enhancement brings parity to configuration management across both UI and Platform service settings.
    • Administrators can now configure the session timeout duration to align with their organization’s security policies. The new session_timeout setting (configurable via config-ui.yaml, the ANCHORE_SESSION_TIMEOUT environment variable, or System > Configuration) specifies the maximum idle time in seconds before automatic session termination.
      • The timeout implements rolling session behavior, meaning any user activity - including page refreshes, API calls, or navigation - resets the countdown timer.
      • The minimum configurable value is 60 seconds to prevent accidental account lockout, with no maximum limit.
      • When not configured, the default remains 14 days (1,209,600 seconds) for backward compatibility.
      • Note that configuration changes only affect new client sessions created after a change is made; existing active sessions retain their original timeout value until the user re-authenticates.
    • The System > Usage view now displays an image_reanalysis metric in the Total SBOMs card. It is also available for download alongside other usage metrics. This allows for separate tracking of initial image scans vs. forced reanalyses of existing images.

Fixes

  • If the reports_uri setting is removed from config-ui.yaml or the ANCHORE_REPORTS_URI environment variable is unset, the Reports feature (and any reports-related UI components) becomes inaccessible in the UI. A regression in a previous release caused these components to remain accessible even when this configuration was removed. This is now fixed.
    • Note that this configuration is deprecated and will be replaced with a boolean setting in a future major release.
  • A user acting quickly could sometimes open the Annotation Status form before the status had been set via the table dropdown, leading to an error when trying to save the details. The button is now disabled until the update is complete.
  • Application startup no longer fails when the configured log directory is unavailable or has incorrect permissions. The application now starts successfully in console-only logging mode and automatically enables file logging when the directory becomes accessible.
    • Optional health monitoring (configured via log_dir_retry_interval) provides bidirectional protection - detecting both when unavailable directories become accessible and when previously accessible directories become unavailable - ensuring continuous logging without manual intervention or application restarts.
  • After failing to create an SBOM Group (for example, because of a duplicate name), the error was incorrectly retained and displayed again the next time another SBOM Group was created. It is now cleared upon closing the form.
  • Various supporting libraries have been updated in order to improve security, performance, and also to remove deprecation warnings from browser and server output logs. Redundant libraries have been removed to reduce the app startup time and overall size.

Component                        Supported Version  Helm Chart Version  Additional Info
Enterprise                       v5.24.0            v3.20.0             With Syft v1.33.0 and Grype v0.104.1
Enterprise UI                    v5.24.0
AnchoreCTL                       v5.24.0                                Deploying AnchoreCTL
Anchore ECS Inventory            v1.4.0                                 https://github.com/anchore/ecs-inventory
Anchore Kubernetes Inventory     v1.8.1             v0.6.1              https://github.com/anchore/k8s-inventory
Kubernetes Admission Controller  v0.7.0             v0.7.3              https://github.com/anchore/kubernetes-admission-controller
Jenkins Plugin                   v3.3.0                                 https://plugins.jenkins.io/anchore-container-scanner
Harbor Scanner Adapter           v1.5.1                                 https://github.com/anchore/harbor-scanner-adapter

Anchore Helm Chart can be found at https://github.com/anchore/anchore-charts

Syft Release Notes can be found at https://github.com/anchore/syft/releases/tag/v1.33.0

Grype Release Notes can be found at https://github.com/anchore/grype/releases/tag/v0.104.1

Last modified December 12, 2025