Anchore SBOM - SBOM Management

Anchore Enterprise makes software composition visible and manageable at scale — supporting the full Software Bill of Materials (SBOM) lifecycle across source repositories, container images, and externally supplied software from third-party vendors and open-source suppliers.

It brings together the tools and workflows needed to generate, organize, analyze, and monitor SBOM data, including:

  • Generating and importing SBOMs from build pipelines, registries, and external tools
  • Organizing SBOMs into groups and versioned applications for portfolio-level visibility
  • Analyzing SBOMs for vulnerability and compliance risk
  • Observing application health across the software delivery lifecycle

SBOMs as a Source of Truth

In Anchore Enterprise, the SBOM is the authoritative record of what a software artifact contains. All security analysis, policy enforcement, and compliance evaluation operate against SBOM data — making the SBOM the single reference point for understanding software composition across the supply chain.

The reliability of every security and compliance result depends on the accuracy and completeness of the underlying SBOM. Gaps in coverage or missing metadata translate directly into gaps in security visibility — making SBOM quality a foundational concern for any software assurance program.


Generate and Import SBOMs

Anchore Enterprise supports two paths for building an SBOM inventory:

  • Generate SBOMs from source repositories and container images using AnchoreCTL as part of a command-line or CI/CD workflow, by pulling content from a registry, or by submitting an artifact to the Anchore API
  • Import external SBOMs (Bring Your Own SBOM) created outside of Anchore Enterprise using other SCA tools or vendor sources, in SPDX, CycloneDX, or Syft native formats

Imported SBOMs are validated for proper schema and data requirements before being accepted for vulnerability scanning. Anchore Enterprise calculates an SBOM Quality score for each imported SBOM based on document completeness metrics — including whether artifacts, dependencies, author, supplier, and timestamp are documented.
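The completeness signals named above can be checked directly on an SBOM document before it is submitted. The following is an added example, not Anchore's own quality-scoring code: it inspects CycloneDX JSON and SPDX JSON documents for the five signals (artifacts, dependencies, author, supplier, timestamp) and reports a percentage and the missing items. The equal weighting, the choice of fields consulted in each format, and the sample documents are assumptions made for illustration; Anchore's actual formula is not described on this page.

```python
import json
from typing import Any

# The five completeness signals the page lists. Equal weighting is an
# assumption for this example; Anchore's real scoring is not documented here.
CHECKS = ("artifacts", "dependencies", "author", "supplier", "timestamp")


def _cyclonedx_signals(doc: dict[str, Any]) -> dict[str, bool]:
    meta = doc.get("metadata") or {}
    root = meta.get("component") or {}
    return {
        "artifacts": bool(doc.get("components")),
        # Only count real edges; an empty dependsOn list documents nothing.
        "dependencies": any(d.get("dependsOn") for d in doc.get("dependencies") or []),
        "author": bool(meta.get("authors")),
        "supplier": bool(meta.get("supplier") or root.get("supplier")),
        "timestamp": bool(meta.get("timestamp")),
    }


def _spdx_signals(doc: dict[str, Any]) -> dict[str, bool]:
    info = doc.get("creationInfo") or {}
    creators = info.get("creators") or []
    packages = doc.get("packages") or []
    rels = doc.get("relationships") or []
    return {
        "artifacts": bool(packages),
        "dependencies": any(
            r.get("relationshipType") in ("DEPENDS_ON", "DEPENDENCY_OF") for r in rels
        ),
        # "Tool: ..." creators are generators, not authors; only people/orgs count.
        "author": any(c.startswith(("Person:", "Organization:")) for c in creators),
        "supplier": any(p.get("supplier") not in (None, "", "NOASSERTION") for p in packages),
        "timestamp": bool(info.get("created")),
    }


def completeness(sbom_json: str) -> tuple[int, list[str]]:
    """Return (score 0-100, names of missing signals) for a CycloneDX or SPDX JSON SBOM."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") == "CycloneDX":
        signals = _cyclonedx_signals(doc)
    elif "spdxVersion" in doc:
        signals = _spdx_signals(doc)
    else:
        raise ValueError("not a CycloneDX or SPDX JSON document")
    missing = [name for name in CHECKS if not signals[name]]
    score = round(100 * (len(CHECKS) - len(missing)) / len(CHECKS))
    return score, missing


# Constructed sample documents (hypothetical component names, not real inventories).
COMPLETE_CDX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5",
    "metadata": {
        "timestamp": "2026-01-15T10:00:00Z",
        "authors": [{"name": "Build Pipeline"}],
        "supplier": {"name": "Example Corp"},
        "component": {"type": "application", "name": "shop-api", "bom-ref": "app"},
    },
    "components": [{"type": "library", "name": "libfoo", "version": "1.2.3", "bom-ref": "libfoo"}],
    "dependencies": [{"ref": "app", "dependsOn": ["libfoo"]}],
})

# Tool-only creator, NOASSERTION supplier, and a DESCRIBES-only graph: three gaps.
SPARSE_SPDX = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "creationInfo": {"created": "2026-01-15T10:00:00Z", "creators": ["Tool: example-generator"]},
    "packages": [{"name": "libfoo", "versionInfo": "1.2.3", "SPDXID": "SPDXRef-libfoo",
                  "supplier": "NOASSERTION"}],
    "relationships": [{"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
                       "relatedSpdxElement": "SPDXRef-libfoo"}],
})

if __name__ == "__main__":
    for label, doc in (("complete CycloneDX", COMPLETE_CDX), ("sparse SPDX", SPARSE_SPDX)):
        score, missing = completeness(doc)
        print(f"{label}: {score}% complete, missing: {missing or 'nothing'}")
```

Running the check in a pipeline step before import surfaces the gaps that would otherwise only appear as a low quality score after the fact; the sparse SPDX sample scores 40% because it records only the packages and a timestamp.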

For API-based SBOM generation and management for source repositories, see Generating SBOMs for a Source Repository using the API.


Organize SBOMs into Applications

Anchore Enterprise allows SBOMs to be organized into application groups that model how your teams build and deliver software. Applications represent the top-level building block in a hierarchical view and can contain multiple versions, each associated with the relevant source repositories and container image artifacts.

You can:

  • Create applications and application versions to track security health across the project lifecycle
  • Associate artifacts with application versions as projects grow and change
  • Group imported SBOMs into SBOM groups to reflect logical organization structures
  • View aggregate SBOM quality scores across all SBOMs within a group

Applications and application versions can be managed via the Anchore API or AnchoreCTL.


Analyze Vulnerability and Compliance Risk

Anchore Enterprise continuously analyzes imported SBOMs for vulnerability and compliance risk.

You can:

  • Queue imported SBOMs for vulnerability scanning, with automatic re-scans every six hours as new vulnerability data becomes available
  • Filter vulnerability findings by age, minimum severity, and minimum CVSS score, and prioritize them using the Anchore Score, a composite index of CVSS score and severity, EPSS percentage, and CISA KEV status
  • Evaluate policy compliance against imported SBOMs using the Vulnerabilities gate, with results showing the final action, evaluation outcome, and a summary of findings by action, vulnerability severity, and allowlisted findings
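The filter-then-rank workflow in the list above, as an added example that is not Anchore's code: findings are first filtered by age, minimum severity, and minimum CVSS, and the survivors are ordered by a composite of the four inputs the page names (CVSS score, severity, EPSS probability, KEV status). The weights in `composite_score`, the `Finding` record, and the sample findings with their `EXAMPLE-000n` placeholder identifiers are all assumptions for illustration; the actual Anchore Score formula is not given on this page.

```python
from dataclasses import dataclass
from datetime import date

SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str      # placeholder ids in SAMPLE below, not real advisories
    package: str
    severity: str
    cvss: float       # CVSS base score, 0-10
    epss: float       # EPSS probability, 0.0-1.0
    kev: bool         # listed in the CISA Known Exploited Vulnerabilities catalog
    published: date


def composite_score(f: Finding) -> float:
    """Illustrative 0-100 composite of CVSS, severity, EPSS and KEV.

    The weights (40/30/20/10) are an assumption for this example,
    not Anchore's formula.
    """
    score = (
        40 * f.cvss / 10
        + 30 * f.epss
        + 20 * SEVERITY_RANK[f.severity] / 4
        + (10 if f.kev else 0)
    )
    return round(score, 1)


def prioritize(findings, *, today: date, max_age_days: int,
               min_severity: str, min_cvss: float) -> list[tuple[str, float]]:
    """Apply the three filters named on the page, then rank survivors highest first."""
    kept = [
        f for f in findings
        if (today - f.published).days <= max_age_days
        and SEVERITY_RANK[f.severity] >= SEVERITY_RANK[min_severity]
        and f.cvss >= min_cvss
    ]
    ranked = sorted(kept, key=composite_score, reverse=True)
    return [(f.vuln_id, composite_score(f)) for f in ranked]


# Constructed sample findings (placeholder identifiers, hypothetical packages).
SAMPLE = [
    Finding("EXAMPLE-0001", "libfoo", "Critical", 9.8, 0.02, False, date(2026, 1, 10)),
    Finding("EXAMPLE-0002", "libbar", "High", 7.5, 0.95, True, date(2025, 11, 1)),
    Finding("EXAMPLE-0003", "libbaz", "Medium", 5.3, 0.01, False, date(2026, 2, 1)),
    Finding("EXAMPLE-0004", "libqux", "Critical", 9.1, 0.50, False, date(2023, 3, 1)),
]


def demo() -> list[tuple[str, float]]:
    """Fixed reference date so the result is reproducible offline."""
    return prioritize(SAMPLE, today=date(2026, 3, 1), max_age_days=365,
                      min_severity="Medium", min_cvss=7.0)


if __name__ == "__main__":
    for vuln_id, score in demo():
        print(f"{vuln_id}: {score}")
```

With these settings the Medium finding is dropped by the CVSS floor and the three-year-old Critical by the age window; of the two that remain, the High finding with a high EPSS probability and a KEV listing ranks above the Critical one with negligible exploitation likelihood, which is the point of combining the signals rather than sorting on severity alone.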

Observe Application Health

Anchore Enterprise provides a portfolio-level view of application security health through the Observe Applications capability.

From the application view, you can:

  • Drill down into the source repositories and container images that make up each application
  • Browse SBOMs, vulnerability findings, and policy evaluation results for individual artifacts
  • Download application and artifact reports in JSON, SPDX, and CycloneDX formats

Last modified April 29, 2026