Security Analysis and Reporting

Anchore Enterprise provides SBOM-powered vulnerability scanning and management capabilities that leverage curated vulnerability intelligence, with a focus on reducing false positives and producing high-confidence results at scale.

It automates continuous vulnerability management across the software supply chain, including:

  • Identifying vulnerabilities and risks that apply to components in an SBOM
  • Reducing false positives and noise to improve accuracy
  • Prioritizing findings to focus attention on meaningful risk
  • Searching, reporting, and producing evidence for vulnerability findings across the software portfolio

SBOMs Are the Foundation

Anchore Enterprise uses SBOMs as the starting point for vulnerability analysis across software artifacts in build pipelines, registries, and runtime environments.

Anchore Enterprise scans software artifacts to generate high-fidelity SBOMs, imports third-party SBOMs in SPDX or CycloneDX formats, and analyzes them to identify vulnerabilities and other compliance issues.

Because vulnerability analysis is SBOM-based, Anchore Enterprise can continue to assess deployed software as new vulnerability information becomes available, including newly disclosed or zero-day vulnerabilities, without needing to rescan software artifacts.
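The following added example (not Anchore Enterprise code) illustrates why SBOM-based analysis needs no rescan: the SBOM is recorded once, and each new snapshot of the vulnerability feed is matched against the stored component list. The SBOM, both feed snapshots, and the advisory identifiers are constructed sample data, and the version-range check is a simplified dotted-integer comparison rather than an ecosystem-aware comparator.

```python
"""Re-evaluating a stored SBOM against successive vulnerability feed snapshots.

Added illustration, not Anchore Enterprise code. The SBOM, feed snapshots and
EXAMPLE-* identifiers are constructed; real ecosystems need their own version
comparators (the dotted-integer parser below is a deliberate simplification).
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Component:
    ecosystem: str   # e.g. "npm", "deb", "pypi"
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    vuln_id: str
    ecosystem: str
    package: str
    introduced: Optional[str]   # first affected version (None = every earlier version)
    fixed: Optional[str]        # first fixed version (None = no fix published yet)


def parse_version(v: str) -> Tuple[int, ...]:
    """Dotted-integer versions only; enough for the constructed sample data."""
    return tuple(int(part) for part in v.split("."))


def is_affected(component: Component, adv: Advisory) -> bool:
    """True when the component falls inside the advisory's affected range."""
    if (component.ecosystem, component.name) != (adv.ecosystem, adv.package):
        return False
    v = parse_version(component.version)
    if adv.introduced is not None and v < parse_version(adv.introduced):
        return False
    if adv.fixed is not None and v >= parse_version(adv.fixed):
        return False
    return True


def match_sbom(sbom: List[Component], feed: List[Advisory]) -> Dict[str, List[str]]:
    """Return {vuln_id: [name@version, ...]} for every advisory matching an SBOM entry."""
    findings: Dict[str, List[str]] = {}
    for adv in feed:
        hits = [f"{c.name}@{c.version}" for c in sbom if is_affected(c, adv)]
        if hits:
            findings[adv.vuln_id] = hits
    return findings


def new_findings(sbom: List[Component], old_feed: List[Advisory],
                 new_feed: List[Advisory]) -> Dict[str, List[str]]:
    """Findings that appear only after the feed update; the SBOM itself is unchanged."""
    before = match_sbom(sbom, old_feed)
    after = match_sbom(sbom, new_feed)
    return {vuln_id: hits for vuln_id, hits in after.items() if vuln_id not in before}


# Constructed SBOM: what a scanner recorded for one image at build time.
SBOM = [
    Component("npm", "lodash", "4.17.20"),
    Component("deb", "openssl", "3.0.2"),
    Component("pypi", "requests", "2.31.0"),
]

# Constructed feed snapshots; EXAMPLE-* ids are placeholders, not real CVEs.
FEED_DAY_0 = [
    Advisory("EXAMPLE-2024-0001", "npm", "lodash", None, "4.17.21"),
]
FEED_DAY_1 = FEED_DAY_0 + [
    # Newly published advisory: the stored SBOM is re-matched, nothing is rescanned.
    Advisory("EXAMPLE-2024-0002", "deb", "openssl", "3.0.0", "3.0.3"),
    # Not applicable: requests 2.31.0 is already the first fixed version.
    Advisory("EXAMPLE-2024-0003", "pypi", "requests", None, "2.31.0"),
]

if __name__ == "__main__":
    print("day 0:", match_sbom(SBOM, FEED_DAY_0))
    print("new on day 1:", new_findings(SBOM, FEED_DAY_0, FEED_DAY_1))
```

The `introduced`/`fixed` pair mirrors how most advisory feeds express affected ranges; the point of `new_findings` is that the only input that changed between the two runs is the feed, which is exactly what allows deployed software to be re-assessed when a new vulnerability is disclosed.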

Two Evaluation Scopes

Anchore Enterprise evaluates vulnerabilities in two distinct scopes — pick the one that matches how your team organizes software. Both scopes draw from the same vulnerability data, though some matching behaviors are tuned differently for each (see What’s Shared and What Differs Between Scopes).

  • App-version-scoped — vulnerability findings aggregated across every asset attached to an app version. The v6-native surface, where the Anchore Score, a composite index that combines CVSS severity and score, EPSS, and CISA KEV, is used to prioritize vulnerabilities.
  • Image-scoped — vulnerability findings for a single analyzed container image. The long-standing v5 surface, fully supported in v6.

See Scans for the comparison and worked walkthroughs of each scope.


Identifying Vulnerabilities and Risks

Anchore Enterprise identifies vulnerabilities and risks by matching components in an SBOM to known vulnerability and risk data provided by the Anchore Data Service.

The Anchore Data Service is continuously updated with:

  • Aggregated vulnerability data from dozens of sources and ecosystems
  • Risk context including EPSS scores and CISA KEV data
  • Malware data sourced from ClamAV
  • Proprietary Anchore-enriched data to improve accuracy and reduce noise

In addition to vulnerabilities, Anchore Enterprise can surface additional risk signals derived from its extensive artifact metadata, including malware indicators, embedded secrets, file permissions, and other insecure practices.


Reducing False Positives and Noise

Anchore Enterprise includes built-in capabilities that automatically reduce false positives and unnecessary noise in vulnerability results.

These include:

  • Detailed artifact metadata to improve accuracy of vulnerability matching
  • Ecosystem-aware matching processes
  • Optimized vulnerability feed selection
  • Enriched vulnerability data exclusive to Anchore Enterprise — additional context and corrections that paid customers receive beyond what is available in the open source Grype scanner

Anchore Enterprise also provides two user-controlled mechanisms — Corrections and Hints — that let organizations further refine matching behavior and improve result quality.


Prioritizing Vulnerability Findings

Anchore Enterprise enables organizations to triage vulnerabilities and risks based on technical and operational context.

You can:

  • Prioritize risks based on severity, exploitability, deployment status, or fix availability
  • Use the Anchore Score — a composite risk index that combines CVSS severity and score, EPSS, and CISA KEV data — to prioritize vulnerabilities that matter most within an app version
  • Use policies to generate warnings or stop a build or deployment
  • Annotate vulnerabilities with VEX data fields to express how each finding impacts your software — see Annotations
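As an added example (not Anchore Enterprise code, and not the Anchore Score formula, which this page does not define), the block below shows the triage inputs listed above acting together: VEX status removes findings that do not apply, and the rest are ordered by KEV listing, deployment status, EPSS, CVSS, and fix availability before a policy gate decides whether to warn or stop. The ordering, the gate thresholds, the findings, and the EXAMPLE-* identifiers are all assumptions constructed for the example.

```python
"""Triage ordering and a policy gate over vulnerability findings.

Added illustration, not Anchore Enterprise code and not the Anchore Score
formula. The lexicographic ordering in triage_rank and the thresholds in
policy_gate are assumptions chosen for this example; findings and EXAMPLE-*
identifiers are constructed samples, not real CVEs.
"""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple

# VEX status vocabulary (OpenVEX / CSAF). A finding annotated as not affected or
# already fixed is dropped from the actionable list instead of being re-ranked.
VEX_SUPPRESSING = {"not_affected", "fixed"}

SEVERITY_WEIGHT = {"critical": 1.0, "high": 0.75, "medium": 0.5, "low": 0.25}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    component: str
    cvss_severity: str          # "critical" | "high" | "medium" | "low"
    cvss_score: float           # 0.0 to 10.0
    epss: float                 # EPSS probability of exploitation, 0.0 to 1.0
    in_kev: bool                # listed in CISA KEV
    fix_available: bool
    deployed: bool              # asset is currently running somewhere
    vex_status: Optional[str] = None


def triage_rank(f: Finding) -> Tuple[bool, bool, float, float, bool]:
    """Sort key (used descending): KEV first, then deployed assets, then EPSS,
    then severity-weighted CVSS, then fixable before unfixable. Assumed ordering."""
    return (
        f.in_kev,
        f.deployed,
        round(f.epss, 3),
        SEVERITY_WEIGHT[f.cvss_severity] * f.cvss_score,
        f.fix_available,
    )


def prioritize(findings: List[Finding]) -> List[Finding]:
    """Actionable findings, highest priority first; VEX-suppressed ones are removed."""
    actionable = [f for f in findings if f.vex_status not in VEX_SUPPRESSING]
    return sorted(actionable, key=triage_rank, reverse=True)


def policy_gate(findings: List[Finding]) -> str:
    """Hypothetical gate: 'stop' on any actionable KEV-listed finding or any critical
    finding with a fix available, 'warn' on remaining high findings, else 'pass'."""
    ranked = prioritize(findings)
    if any(f.in_kev or (f.cvss_severity == "critical" and f.fix_available) for f in ranked):
        return "stop"
    if any(f.cvss_severity == "high" for f in ranked):
        return "warn"
    return "pass"


def with_vex(findings: List[Finding], vuln_id: str, status: str) -> List[Finding]:
    """Copy of the list with one finding annotated with a VEX status."""
    return [replace(f, vex_status=status) if f.vuln_id == vuln_id else f for f in findings]


# Constructed findings for one app version.
FINDINGS = [
    Finding("EXAMPLE-2024-0101", "liba@3.0.2", "critical", 9.8, 0.02, False, True, True),
    Finding("EXAMPLE-2024-0102", "libb@4.17.20", "high", 7.5, 0.60, True, True, True),
    Finding("EXAMPLE-2024-0103", "libc@1.2.11", "high", 8.1, 0.05, False, False, True),
    Finding("EXAMPLE-2024-0104", "libd@1.35", "medium", 5.3, 0.10, False, True, False),
    Finding("EXAMPLE-2024-0105", "libe@2.17.1", "critical", 10.0, 0.95, True, True, True,
            vex_status="not_affected"),
]

if __name__ == "__main__":
    for f in prioritize(FINDINGS):
        print(f.vuln_id, f.component, triage_rank(f))
    print("gate:", policy_gate(FINDINGS))
```

Note that the KEV-listed `EXAMPLE-2024-0102` outranks the CVSS 9.8 `EXAMPLE-2024-0101` because the key puts known exploitation ahead of base score, and that annotating the two top findings with VEX statuses changes the gate outcome from stop to warn without touching the scan data.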

Search, Reporting, and Evidence

Anchore Enterprise supports two distinct reporting jobs — both documented under Reporting.

  • Search — find vulnerabilities across assets through the Reports view in the GUI, saved reports, custom templates, and the query API
  • Evidence — produce formal documents for downstream consumers: VEX (Vulnerability Exploitability eXchange), VDR (Vulnerability Disclosure Report), and vulnerability data exports from images and app versions

For long-running registry coverage, repositories automatically analyze new image tags as they appear. For runtime visibility, Kubernetes inventory keeps Anchore Enterprise aware of containers active in your clusters, and continuously checks them against the latest set of security vulnerabilities.

Last modified June 16, 2026