SBOM Management
Anchore Enterprise makes software composition visible and manageable at scale — supporting the full Software Bill of Materials (SBOM) lifecycle across container images, filesystems, and externally supplied SBOMs from third-party vendors and open-source suppliers.
It brings together the tools and workflows needed to add, organize, analyze, and monitor SBOM data, including:
- Adding SBOMs from build pipelines, registries, and external tools
- Organizing SBOMs into versioned apps for portfolio-level visibility
- Analyzing SBOMs for vulnerability and compliance risk
- Observing app health across the software delivery lifecycle
- Exporting SBOMs in industry-standard formats for downstream consumers
SBOMs as a Source of Truth
In Anchore Enterprise, the SBOM is the authoritative record of what a software artifact contains. All security analysis, policy enforcement, and compliance evaluation operate against SBOM data — making the SBOM the single reference point for understanding software composition across the supply chain.
The reliability of every security and compliance result depends on the accuracy and completeness of the underlying SBOM. Gaps in coverage or missing metadata translate directly into gaps in security visibility — making SBOM quality a foundational concern for any software assurance program.
Add SBOMs to Apps
Anchore Enterprise organizes SBOM data around a three-level hierarchy: an application (app) represents a piece of software you ship or host, an application version captures a point-in-time release of that application, and each application version contains one or more assets — the concrete things that were analyzed. See How It Works for the full model.
You add SBOMs by attaching an asset to an application version. AnchoreCTL exposes three asset-add paths:
- Existing SBOMs — upload a CycloneDX, SPDX, or Syft-native JSON document produced outside Anchore Enterprise. See SBOM Assets.
- Container images — analyze an image either locally with AnchoreCTL or by handing the reference to Anchore Enterprise for server-side analysis. See Container Image Assets.
- Filesystems — analyze a local directory (e.g., a source repo, a build artifact directory, or a mounted VM) and upload the resulting SBOM as an asset. See Filesystem Assets.
Anchore Enterprise validates uploaded SBOMs for schema correctness and required content before accepting them for vulnerability and policy analysis.
Organize SBOMs Into Apps
Anchore Enterprise organizes SBOMs into apps that model how your teams build and deliver software. An app represents the top-level building block in a hierarchical view and can contain multiple versions, each holding the container images, filesystems, and externally supplied SBOMs that belong to that release.
You can:
- Create apps and app versions to track security health across the release lifecycle
- Attach assets to an app version as a release takes shape
- Browse package, vulnerability, and policy data aggregated across every asset in a version
- Pivot from a finding back to the assets that contain the affected package
Apps and app versions are managed through AnchoreCTL or the Anchore API. See Manage Apps and Manage App Versions.
Analyze Vulnerability and Compliance Risk
Anchore Enterprise continuously analyzes asset SBOMs for vulnerability and compliance risk.
You can:
- Queue assets for vulnerability scanning, with automatic re-scans as new vulnerability data becomes available
- Filter and prioritize vulnerability findings by age, minimum severity, and minimum CVSS score using the Anchore Score — a composite index of CVSS score and severity, EPSS percentage, and CISA KEV status
- Evaluate policy compliance across every asset in an app version, with results showing the final action, evaluation outcome, and a summary of findings by action, vulnerability severity, and allowlisted findings
See Vulnerability Management and Compliance Management for the full workflows.
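The age, minimum-severity and minimum-CVSS thresholds described above, as an added example that is not part of the Anchore documentation or product code: it filters a constructed set of findings and orders what survives worst-first. The severity ordering and the field names are assumptions for illustration, and the Anchore Score itself is not computed here because its weighting is not given on this page.

```python
from datetime import date

# Assumed severity ordering used for the "minimum severity" threshold.
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed sample findings; field names are illustrative, not Anchore's API schema.
FINDINGS = [
    {"id": "VULN-A", "package": "openssl", "severity": "critical", "cvss": 9.8, "published": "2024-01-10"},
    {"id": "VULN-B", "package": "zlib", "severity": "medium", "cvss": 5.5, "published": "2023-06-01"},
    {"id": "VULN-C", "package": "curl", "severity": "high", "cvss": None, "published": "2024-03-02"},
    {"id": "VULN-D", "package": "libxml2", "severity": "low", "cvss": 3.1, "published": "2021-11-20"},
]

def age_days(published, today):
    """Days between an ISO date string and the reference date."""
    y, m, d = (int(p) for p in published.split("-"))
    return (today - date(y, m, d)).days

def filter_findings(findings, today, max_age_days=None, min_severity="negligible", min_cvss=0.0):
    """Return the ids of findings that pass every threshold, worst first.
    A finding with no CVSS score is dropped only when a CVSS floor above 0 is
    requested, so unscored findings never vanish from a default listing."""
    floor = SEVERITY_RANK[min_severity]
    kept = []
    for f in findings:
        if SEVERITY_RANK.get(f["severity"], -1) < floor:
            continue
        cvss = f["cvss"]
        if cvss is None and min_cvss > 0:
            continue
        if cvss is not None and cvss < min_cvss:
            continue
        if max_age_days is not None and age_days(f["published"], today) > max_age_days:
            continue
        kept.append(f)
    # Highest severity first, then highest CVSS; unscored entries sort last within a severity.
    kept.sort(key=lambda f: (SEVERITY_RANK[f["severity"]], f["cvss"] or 0.0), reverse=True)
    return [f["id"] for f in kept]

if __name__ == "__main__":
    print(filter_findings(FINDINGS, date(2024, 6, 1), max_age_days=365, min_severity="medium"))
```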
Observe App Health
Anchore Enterprise provides a portfolio-level view of app security health through the Observe capability.
From an app version, you can:
- List the assets that make up a version and inspect each one in turn
- Browse aggregated packages and vulnerabilities for the version, then pivot to the assets that contain a given package
- Locate where a package lives within an asset using the asset-locations-by-package view
- Review SBOMs, vulnerability findings, and policy evaluation results for individual assets
Export SBOMs and Security Reports
Anchore Enterprise produces combined downstream artifacts in standard formats.
You can:
- Export a combined SBOM for an app version in CycloneDX 1.6 or SPDX 2.3 format containing all packages across all contained assets
- Export a combined Vulnerability Disclosure Report (VDR) listing every security vulnerability across the version, as a companion to the SBOM in industry-standard formats
- Export a combined Vulnerability Exploitability eXchange (VEX) document containing all of the security vulnerability annotations, as a companion to the SBOM in industry-standard formats
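The combined SBOM export above, together with the required-content validation mentioned under Add SBOMs to Apps and the finding-to-asset pivot under Organize SBOMs Into Apps, as one added example that is not Anchore's own code: it merges constructed per-asset CycloneDX documents into a single app-version SBOM deduplicated by purl and keeps an index of which assets contain each package. The validation rules and the asset names are assumptions for illustration, not the product's actual validator or output.

```python
import json

# Constructed per-asset SBOMs for one app version (CycloneDX-style JSON trimmed to
# the fields this example needs; not documents captured from Anchore Enterprise).
ASSET_SBOMS = {
    "api-image": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"type": "library", "name": "zlib", "version": "1.3", "purl": "pkg:deb/debian/zlib@1.3"}]}),
    "worker-fs": json.dumps({"bomFormat": "CycloneDX", "specVersion": "1.6", "components": [
        {"type": "library", "name": "openssl", "version": "3.0.13", "purl": "pkg:deb/debian/openssl@3.0.13"},
        {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}]}),
}

def validate(doc):
    """Required-content check before a document is accepted for analysis
    (illustrative rules, not Anchore's validator): a CycloneDX header, and
    every component carrying a name, a version and a purl."""
    if doc.get("bomFormat") != "CycloneDX" or not doc.get("specVersion"):
        raise ValueError("not a CycloneDX document")
    for c in doc.get("components", []):
        missing = [k for k in ("name", "version", "purl") if not c.get(k)]
        if missing:
            raise ValueError(f"component {c.get('name')!r} missing {missing}")
    return doc

def combine(asset_sboms):
    """Merge per-asset SBOMs into one app-version SBOM deduplicated by purl, and
    return it with an index mapping each purl to the assets that contain it."""
    components, locations = {}, {}
    for asset, raw in asset_sboms.items():
        doc = validate(json.loads(raw))
        for c in doc["components"]:
            components.setdefault(c["purl"], c)          # first occurrence wins
            locations.setdefault(c["purl"], []).append(asset)
    combined = {"bomFormat": "CycloneDX", "specVersion": "1.6",
                "components": [components[p] for p in sorted(components)]}
    return combined, locations

if __name__ == "__main__":
    sbom, where = combine(ASSET_SBOMS)
    print(json.dumps(sbom, indent=2))
    print(where)   # pivot from a package (or a finding on it) back to its assets
```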