Anchore Secure - Vulnerability Management
Anchore Enterprise provides SBOM-powered vulnerability scanning and management capabilities that leverage curated vulnerability intelligence, with a focus on reducing false positives and producing high-confidence results at scale.
It automates continuous vulnerability management across the software supply chain, including:
- Identifying vulnerabilities and risks that apply to components in an SBOM
- Reducing false positives and noise to improve accuracy
- Filtering and prioritizing findings to focus attention on meaningful risk
- Reporting and remediation to streamline workflows
SBOMs Are the Foundation
Anchore Enterprise uses SBOMs as the starting point for vulnerability analysis across software artifacts in repositories, build pipelines, and runtime environments.
Anchore Enterprise scans software artifacts to generate high-fidelity SBOMs, imports third-party SBOMs in SPDX or CycloneDX formats, and analyzes them to identify vulnerabilities and other security risks.
Because vulnerability analysis is SBOM-based, Anchore Enterprise can continue to assess deployed software as new vulnerability information becomes available, including newly disclosed or zero-day vulnerabilities.
Identifying Vulnerabilities and Risks
Anchore Enterprise identifies vulnerabilities and risks by matching components in an SBOM to known vulnerability and risk data provided by the Anchore Data Service.
The Anchore Data Service is continuously updated with:
- Aggregated vulnerability data from dozens of sources and ecosystems
- Risk context including CISA KEV and EPSS scores
- Malware data sourced from ClamAV
- Proprietary Anchore-enriched data to improve accuracy and reduce noise
In addition to vulnerabilities, Anchore Enterprise can surface additional risk signals derived from its extensive artifact metadata, including malware indicators, embedded secrets, file permissions, and insecure practices.
Reducing False Positives and Noise
Anchore Enterprise includes built-in capabilities that automatically reduce false positives and unnecessary noise in vulnerability results.
These include:
- Detailed artifact metadata to improve accuracy of vulnerability matching
- Ecosystem-aware matching processes
- Optimized vulnerability feed selection
- Enriched vulnerability data provided by Anchore Enterprise
Anchore Enterprise also provides two user-controlled mechanisms (Corrections and Hints) that allow organizations to further refine matching behavior and improve result quality.
Prioritizing Vulnerability Findings
Anchore Enterprise enables organizations to triage vulnerabilities and risks based on technical and operational context.
You can:
- Prioritize risks based on severity, exploitability, deployment status, or fix availability
- Use policies to generate warnings or stop a deployment
- Annotate vulnerabilities based on the impact in your application
- Consume VEX data from upstream providers to suppress irrelevant findings
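As an added illustration of the VEX suppression and exploitability-based prioritization described above (example code, not Anchore Enterprise's own code or API), the following Python applies simplified OpenVEX-style statements to constructed SBOM findings and orders what remains by CISA KEV listing, EPSS score, severity, and fix availability. The CVE ids, purls, scores, and the ordering policy itself are all assumptions.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    cve: str
    purl: str             # package URL of the component, as recorded in the SBOM
    severity: str
    epss: float           # EPSS exploitation probability, 0.0 to 1.0
    in_kev: bool          # listed in CISA KEV
    fix_available: bool
    suppressed_by: str = ""   # VEX justification/status that suppressed it, if any

SEVERITY_RANK = {"Critical": 4, "High": 3, "Medium": 2, "Low": 1}

def apply_vex(findings, vex_doc):
    """Suppress a finding only when a statement names the same CVE and the exact
    product purl with status not_affected or fixed; other statuses keep it visible."""
    for stmt in vex_doc.get("statements", []):
        if stmt.get("status") not in ("not_affected", "fixed"):
            continue
        products = {p["@id"] for p in stmt.get("products", [])}
        for f in findings:
            if f.cve == stmt["vulnerability"]["name"] and f.purl in products:
                f.suppressed_by = stmt.get("justification", stmt["status"])
    return findings

def prioritize(findings):
    """One sample triage order (assumed, not Anchore's): KEV, then EPSS, severity, fix."""
    active = [f for f in findings if not f.suppressed_by]
    key = lambda f: (f.in_kev, f.epss, SEVERITY_RANK.get(f.severity, 0), f.fix_available)
    return sorted(active, key=key, reverse=True)

def sample_findings():
    # Constructed findings; CVE ids, purls and scores are placeholders, not real data.
    return [
        Finding("CVE-0000-0001", "pkg:maven/example/lib-a@1.0", "Critical", 0.02, False, True),
        Finding("CVE-0000-0002", "pkg:npm/example-b@2.1.0", "High", 0.91, True, True),
        Finding("CVE-0000-0003", "pkg:deb/debian/example-c@3.0", "Critical", 0.05, False, False),
        Finding("CVE-0000-0004", "pkg:npm/example-d@1.2.0", "Medium", 0.30, False, True),
    ]

# Constructed, simplified OpenVEX-style document: the first statement suppresses
# CVE-0000-0001 in lib-a; the second (under_investigation) suppresses nothing.
SAMPLE_VEX = {"statements": [
    {"vulnerability": {"name": "CVE-0000-0001"}, "status": "not_affected",
     "products": [{"@id": "pkg:maven/example/lib-a@1.0"}],
     "justification": "vulnerable_code_not_in_execute_path"},
    {"vulnerability": {"name": "CVE-0000-0003"}, "status": "under_investigation",
     "products": [{"@id": "pkg:deb/debian/example-c@3.0"}]},
]}

def triage():
    # Apply VEX first, then prioritize; returns the ordered list of active findings.
    return prioritize(apply_vex(sample_findings(), SAMPLE_VEX))
```

Note that in this ordering a Medium finding with a high EPSS score outranks a Critical one with a low score, which is the kind of exploitability-driven triage the list above describes.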
Efficient Reporting and Remediation
Anchore Enterprise supports reporting and remediation by enabling organizations to assess impact, coordinate response, and communicate vulnerability context across systems and stakeholders.
You can:
- Enable remediation workflows through integration with Slack, Jira, and other systems
- Support impact analysis for vulnerabilities and zero-day disclosures across SBOMs
- Report on vulnerabilities and other risks using flexible, queryable criteria
- Share vulnerability context with downstream consumers through VEX and vulnerability disclosure reports (VDR)