Anchore Enterprise is an software bill of materials (SBOM) - powered software supply chain management solution designed for a cloud-native world. It provides continuous visibility into supply chain security risks. Anchore Enterprise takes a developer-friendly approach that minimizes friction by embedding automation into development toolchains to generate SBOMs and accurately identify vulnerabilities, malware, misconfigurations, and secrets for faster remediation.
Start by going to the Overview of Anchore Enterprise to learn more about the basic concepts and functions.
If you already have an Anchore Enterprise deployment and want to get started with common tasks, consider looking at our Quickstarts.
For information about deploying and operating an Anchore Enterprise instance:
Anchore Enterprise plays a crucial part in meeting Federal Authorization to Operate (ATO) requirements and Risk Management Framework (RMF). From implementation, assessment, to monitoring, Anchore Enterprise bakes in security compliance, vulnerability & malware scanning by constantly checking registries and running images to protect and enhance security posture. As industry continues to migrate to containerization and microservices, Anchore Enterprise supports multiple regulatory requirements using software bill of materials (SBOM) and policy as code to meet the demands through automated policy enforcement and continuous monitoring. SBOMs are vital to comply with Executive Order (EO) 14028 and understanding software inventory (NIST 800-53, 800-171, 800-218, and 800-190). As software delivery changes so should the ATO process by using code to ensure secure, quality, and reproducible results. Anchore Enterprise allows organizations to shift left, start secure, bake in compliance, and standardize security across the container, filesystem, virtual machine (VM) and source code landscape.
Security Controls
The security controls are described below with hyperlinks to the applicable documentation.
SBOM is essentially the ingredient list for a software product allowing the consumer to understand and manage the associated risks. Not only do our scans produces SBOMs but they can be imported as well. SBOMs are used to maintain compliance with CM-8 Information System Component Inventory.
Generating a vulnerability report of both container images, virtual machine files, and source code that map to CVEs (Common Vulnerabilities & Exposures), KEV (Known Exploited Vulnerabilities) and EPSS (Exploit Prediction Scoring System) data. The reports reflect all applicable CVEs, if there are known exploits and the probability of a CVE being exploited.
Use DISA STIGs for container images to establish and document configuration settings for images. Container images can be scanned against DISA STIGS in heimdall json format which can be easily converted using MITRE SAF™ into XCCDF and CKL files to import within STIG Viewer.
Use CI/CD pipelines to not only automate deployment but to ensure your security posture requirements are met each time, every time. Gates can be configured to only allow certain packages installed or be denied if there is a known exploit in a vulnerability.
Always know what images are running in your kubernetes clusters and ensure they meet organizational requirements for vulnerability and policy compliance.
This guide provides examples of how to setup a policy gate to enforce development teams to comply with organizational Plan of Actions & Milestones (POA&M).
The POA&M Challenge
POA&Ms can easily become an administrative nightmare to track, maintain and update. With Anchore Enterprise, POA&Ms can now be done via code configuring CI/CD policy gates that enforce compliance.
POA&M Solution
Generate an Enforceable POA&M Using Policy as Code
The example is shown using a policy from scratch but these directions could be used to add to an existing policy.
Create a new policy
Name and describe your policy, then click save
Now we will edit the default rule, by clicking edit:
From here we will configure a rule:
Name the rule: RA-5 Vulnerability Monitoring & Scanning
Gate: Vulnerabilities
Trigger: Package
package type: all
severity comparison: >=
severity: unknown
fix available: true
Scroll down to the bottom and click the action of STOP and click Save and Close.
Next, we will make an Allowlists for the item we want to POA&M by editing a default Allowlist or adding a New Allowlist:
Now we will edit the Allowlist:
Name the Allowlist: POA&M
Gate: Vulnerabilities
CVE/Vulnerability Identifier: CVE-2025-66293
Package: libpng16-16t64
Note: Another way to get the CVE and Package information is to obtain the Trigger ID on the Policy Compliance Tab which is CVE ID+package as seen in image below:
We have a rule and an Allowlist but we want to make this a POA&M item that expires so lets make an expiration by clicking on the calendar:
A calendar will pop-up and you can select a date or or a time frame of days, weeks or months:
Next we will make a mapping to limit where this specific POA&M or Allowlist is applied by clicking Mappings, Container Images and Edit:
Next we will associate a Registry, Repository and Tag with the POA&M Allowlist we just made.
Name the Mapping: nginx-libpng
Registry: nginx-libpng
Repository: nginx
Tag: *
Note: Wildcards “*” can be used for Registry, Repository, and Tag
Our POA&M via an Allowlist with an expiration has been created. Let’s validate:
Toggle on Go
Show Allowlisted Entries
The TriggerID matches what was put in the Allowlist
You have now created a POA&M enforced by code.
1.1.2 - STIG
Use Anchore Enterprise to STIG a container image
This guide provides examples of how to scan a container with DISA STIGs and import the data into Heimdall for a visualization or STIGViewer to create a checklist to provide as an ATO artifact.
This guide requires the dependencies located here to be installed along with the dependency below.
Once these dependencies are installed, the STIG profiles are written as indicated in the here link and a STIG evaluation has been completed, you are ready to begin.
We will assume that the output of the scan is located in our working directory for the examples below and the STIG --stig-output-dir was saved as results.json like the example below:
The native format for STIG output in Anchore Enterprise is OASIS Heimdall Data Format (OHDF) and can be easily uploaded to heimdall-lite.mitre.org
From here, you can upload the results.json file and obtain charts and a map of the NIST 800-53 controls like the images below:
You can easily filter what passed, failed, not reviewed and not applicable. The data can be exported as a DISA Checklist or as XCCDF Results as indicated in the picture below:
The data can be imported back into STIGViewer to audit a checklist as indicated in Step 4 under Work with STIGViewer.
Work with STIGViewer
With safcli installed run the following command to convert the results.json to XCCDF:
saf convert hdf2xccdf -i results.json -o xccdf-results.xml
Now we want to convert the same results.json to a ckl file:
saf convert hdf2ckl -i results.json -o ubi9-check.ckl
Let’s open STIGViewer and import the results-xccdf.xml file we created in step 1.
Now we can click the Home Icon and load our checklist:
Click the hamburger menu
Click Import V2 Checklist and upload ubi9-check.ckl
The container STIG checklist can now be saved once the findings as either Open, Not a Finding, Not Applicable and submitted with the applicable Body of Evidence (BOE) documentation.
You have now STIG’d a container image and created a checklist.
1.2 - Create & Store SBOMs
Use Anchore Enterprise to create SBOMs for your assets and store them
This guide provides a quick start for creating, viewing, and storing Software Bill of Materials (SBOMs) in Anchore Enterprise.
Understand SBOM Basics and Use Cases
Supported Industry-Standard Formats
Anchore Enterprise supports the following industry-standard SBOM formats:
Format
Description
SPDX
Software Package Data Exchange: An open standard for communicating software bill of material information.
CycloneDX
A lightweight SBOM standard designed for use in application security and supply chain contexts.
Anchore Enterprise also supports the below rich/analysis document format for creating standard SBOMs.
Format
Description
Syft (Native)
SBOM generated in the Anchore Syft (Open Source) format.
Meet NTIA Requirements
Anchore-generated SBOMs adhere to the minimum required elements defined by the U.S. National Telecommunications and Information Administration (NTIA):
Data Fields: Supplier name, component name, version, unique identifier (e.g., purl), and dependency relationship.
Automation: Support for automated generation and updates.
Practices & Processes: Covers frequency of generation, depth of component coverage, and accessibility.
Create SBOMs
Anchore Enterprise can create SBOMs from container images or directly from a filesystem artifact.
Create and Store SBOM from a Container Image
Anchore Enterprise uses its component analysis capabilities to inspect a container image and create a comprehensive SBOM.
Create and Store via UI
Note You need credentials to be able to add a registry. Learn more about adding a registry, here.
Add Image
In the Images tab, click Analyze Tag. You can either enter the Docker pull string for the container image you want to analyze or provide the registry, repository, and tag details in their respective fields. To learn more about adding a registry, see this guide.
Add Image!
Analyze Image
After the image is added, Anchore Enterprise automatically analyzes it and generates an SBOM as part of the analysis process.
Analysis complete!
View SBOM
To view the SBOM, go to the Images tab and open the image’s detail view. Select the image tag, then navigate to the Content tab on the tag report page. Here, you can browse the SBOM components organized by content type. If you need to download the SBOM, an export/download icon is available in the upper-right corner of the page.
Ready for download!
Download the SBOM
On the Images tab, select the repository or registry that contains the image for which you want to download the SBOM. This opens a page listing all available image tags.
Click the tag of interest, then look to the upper-right corner of the screen for the Download icon. From the dropdown menu, choose your preferred SBOM format and click the Download icon to begin the download.
Download SBOM!
Create and Store via AnchoreCTL
Use the anchorectl command-line utility to generate an SBOM for a container image.
anchorectl image add <image_tag_or_digest>
Once the image analysis is completed, you can view the generated SBOM via anchorectl using:
This command will create an SBOM ready for upload to Anchore Enterprise.
Note: You can use the -o flag to select the SBOM format you want to generate. Available formats include: cyclonedx-json, cyclonedx-xml, github-json, purls, spdx-json, spdx-tag-value, syft-json, syft-table, and syft-text.
Store the SBOM:
Once the SBOM is created, upload it to Anchore Enterprise for analysis using:
This command creates an SBOM and stores it under the Imported SBOMs section of the UI. You can view and download this SBOM by navigating to that section of the UI.
Ready for download
1.3 - Customize the Anchore Enterprise UI
Customize the Anchore Enterprise UI
When managing a complex security platform like Anchore Enterprise, communication and accessibility are key. Whether you’re alerting your security and development teams to upcoming maintenance or providing quick access to API documentation, the ability to customize your Anchore Enterprise Deployment makes for a better user experience, that is tailored to your organization and use case.
These customizations are outlined below and can be easily made through the Web UI System Configuration or programmatically via Helm values or Manual Config. Let’s run through what and how you can configure these.
Custom Message
A Custom Message can be displayed on the Anchore Enterprise Client Web UI login view. You can specify a title and a message, both of which support Markdown formatting with any HTML tags removed.
Below is an example of a custom message title with a handy message below.
Custom Message
Recommendation: This can be a useful place to display messages, such as Legal Disclaimers. You can utilize Unicode characters, such as emojis, to help draw attention if required.
Configuration: Edit the config-ui.yaml file under the key ‘custom_message’ and if you are using Helm tweak your values for anchoreConfig.ui.custom_message. Below is an example yaml configuration:
custom_message:title:"Custom message"message:"This is a handy custom message you can set"
Custom Banners
Custom Banners can be displayed on the Anchore Enterprise Client Web UI across the top and/or bottom of the view. Each banner can have its own text, display mode (always, or login-only, where the banner is only displayed on the login view), as well as an optional background color and text color.
Below is an example of a top banner with always display mode, green background with white text ‘🚨🚨 ENVIRONMENT: DEMO 🚨🚨’
Custom Banner
Recommendation: This can be a useful place to signpost users towards gaining access or displaying suitable messages, such as an upcoming maintenance window. You can utilize Unicode characters, such as emojis, to help draw attention if required.
Configuration: You can simply configure your Custom Banner via the Web UI. Alternatively, edit the config-ui.yaml file under the key ‘banners’ and if you are using Helm tweak your values for anchoreConfig.ui.banners. Below is an example yaml configuration:
banners:top:text:"🚨🚨 ENVIRONMENT: DEMO 🚨🚨"text_color:"white"background_color:"#32a883"display:"always"bottom:text:"Here is an example login only banner"text_color:"white"background_color:"#1e6ee6"display:"login-only"
Custom Links
Custom links can be displayed on the Anchore Enterprise Client Web UI on the login page and also within the system dropdown menu (top-right in the main view). You can specify a title and up to 10 links with their own titles and URIs. This feature is only enabled if a main title and at least one link and associated title are provided. HTML tags will be removed.
An example below shows how the custom links section on mouse click/hover can be expanded on both the login page:
Login Links
and the system dropdown menu:
Top Nav links
Recommendation: This might be a useful place to link to your deployments copies of AnchoreCTL for the distributions used in your organisation (Windows, Linux, MacOS). This allows users to quickly find and download AnchoreCTL, and importantly, it will download the latest compatible version of AnchoreCTL. Developers also find having links to the Anchore Enterprise Swagger API docs useful.
Configuration: You can simply configure your Custom Links via the Web UI. Alternatively, edit the config-ui.yaml file under the key ‘custom_links’ and if you are using Helm, tweak your values under anchoreConfig.ui.custom_links. Below is an example Helm yaml configuration:
Users with an Administrator role can configure Custom Message, Custom Banners and Custom Links directly through the Anchore Enterprise Client Web UI by navigating to System > Configuration.
You can make these changes, without the need to change Helm or application values requiring a redeployment of Anchore Enterprise. However, configuring these custom elements within the Web UI, only works if you have NOT already defined the relevant custom values via config-ui.yaml, Helm values or environment variables.
The Web UI offers a helpful WYSIWYG editor allowing you to make changes instantly. Once you click ‘apply’ and then click ‘save’ on the configuration, refresh the page to see your custom changes. The example below shows adding a Top Custom Banner that has its display mode set to always appear.
Custom Banner Config
1.4 - Evaluate SBOMs Using Policies
Use Anchore Enterprise to scan an SBOM against policies
This guide provides an example of how to scan an SBOM of a filesystem generated with AnchoreCTL.
This requires a minimum of Anchore Enterprise 5.24 installed.
Create a new SBOM policy mapping:
Within Policies navigate to Mappings
Select SBOMs tab
Click Let’s add a policy first!
Now let’s name a rule set that maps to SBOMs which we will name: sbom-demo
This will prompt us to make a rule set configuration:
Gate: vulnerabilities
Trigger: package
package type: all
severity comparison: >=
severity: medium
fix available: true
Scroll down to the bottom and click the red STOP button.
It will now look like this and can you can save the policy:
Click Save 1 new rule, and Close
We have a rule set but now we need to make a rule map to SBOMs:
Click Mappings
Click SBOMs
Click Let’s add one!
Now we will map the ruleset to SBOMs by giving it a name, the Rule Sets of ‘sbom-demo’ is applied and we will map this to all SBOM Names and Versions. Click OK when done.
The result will look like this:
SBOMs can be generated using the commands below. It works for applications, containers, files, filesystems, firmware, libraries, modules and mounted virtual disks. Here are is an example below:
1. Navigate to Imported SBOMs
2. Click on the user_bin_binaries 1.0 object
From here we can see that the SBOM has been analyzed against policy:
SBOM analyzed against policy.
1. The Final Action was a STOP due to the policy rule map
2. The mapping is: SBOM Map All and Rule Sets: sbom-demo
You have now mapped a policy to an SBOM.
1.5 - Find Zero-day Vulnerabilities
Find vulnerabilities across your inventory of SBOMs.
This page outlines the workflow for locating zero-day vulnerabilities using Anchore Enterprise’s capabilities, most notably UI, reports and API queries, by both package and vulnerability ID.
When a zero-day vulnerability is disclosed, your first response will be to try and understand your exposure: where in your software supply chain are the affected packages and versions used? In such situations, the Common Vulnerabilities and Exposures (CVE) record may not be fully published yet. This means that you might be searching for specific package versions and by vulnerability identifier, such as a GitHub Security Advisory (GHSA) number.
Check Your Feeds
Anchore Enterprise relies on a large number of vulnerability data sources to bring you the most accurate vulnerability matching as possible. It could be that upstream sources already have knowledge of the vulnerability. Your first step should be to quickly check whether Anchore Enterprise has the latest vulnerability dataset.
In environments talking directly to the Anchore Data Service, you can force a feed sync by running the following command as the Anchore Enterprise administrator:
anchorectl feed sync
You can verify the latest feed updates using the following command:
anchorectl feed list
If you are using Anchore Enterprise in an air-gapped environment, you may need to refresh the vulnerability database (grypeDB) by sneaker-copying a bundle into the high-side environment or through the use of a Cross Domain Solution (CDS). See Air-gapped for further guidance.
Feed sync status can also be found in the Anchore Enterprise UI under System and Feeds Sync.
Note that the Last Full Sync timestamp will reflect when the last necessary update was performed, by default Anchore Enterprise will check to determine whether an update is required every hour.
Feed sync status.
Search by Vulnerability ID
You can also use the Query API to list information about a given vulnerability ID, which can be a useful way to determine if your system is aware of the vulnerability. See /query/vulnerabilities in the API Reference
If you know the vulnerability ID, which could be either a CVE, GHSA, or other identifier, you can utilize the native reporting capability in Anchore Enterprise.
Click the Reports menu item
Choose a new report of Artifacts by Vulnerability.
Choose the Vulnerability Id filter and enter the appropriate identifier.
As you preview results, you can toggle the report scope. If you are the administrator you can run the report against all assets across all accounts.
Changing account scope: local or global
Once you have validated the desired outcome in the report preview, you can opt to Save Report, provide some details, and tick the option to Generate immediately on save.
You can also use this panel to schedule report generation for future dates and times, see Reporting & Remediation
Saving the report.
The report will then be generated in order to provide you results across the SBOMs for all of your assets. Once complete, the results are ready for download.
Ready for download!
You now have an understanding of where in your software supply chain this vulnerability can be found. Go remediate!
Search for Affected Packages
Sometimes you won’t have a vulnerability record available because it has not been created or appropriately updated. Another way to assess impact during a zero-day is to search for the specific package or library version known to be vulnerable. Fortunately, this can be done via the Anchore Enterprise API.
Use the Query API to look for specific package versions. In the case of CVE-2025-1974 (GHSA-mgvx-rpfc-9mpv), the impacted packages were k8s.io/ingress-nginx with versions v1.11.0 - 1.11.4.
The following query would be used to look for a particular version:
With this information, you can now remediate the impacted asset!
1.6 - Identify & Evaluate Images in Kubernetes Clusters
Identifying and analyzing images running in a Kubernetes cluster
Summary
This quickstart page outlines how Anchore Enterprise integrates directly with Kubernetes environments to support continuous security and operational assurance. By connecting the Kubernetes Inventory Agent and running it in your cluster, Anchore Enterprise collects a real-time software inventory of running workloads, aligning containerized operations with vulnerability detection, configuration assessment, and policy controls.
As organizations scale Kubernetes deployments, Anchore Enterprise enables continuous monitoring of runtime images, automated policy evaluation, and actionable reporting to strengthen workload hardening and operational compliance. Through runtime inventory and policy enforcement, teams can standardize security across clusters, surface risk early, and ensure that live container images meet organizational and regulatory requirements.
Prerequisites
Anchore Enterprise deployed and accessible.
kubectl configured for your target Kubernetes cluster.
Cluster access with sufficient privileges to deploy agents.
Helm (optional, for easier deployment of the agent).
Create a native user in Anchore Enterprise that uses the inventory-agent role permissions.
Build your values.yaml file by setting your username, password, Anchore Enterprise URL and cluster name:
k8sInventory:# Path should not be changed, cluster value is used to tell Anchore Enterprise which cluster this inventory is coming fromkubeconfig:cluster:<unique-name-for-your-cluster>anchore:url:<URL for your deployment># Note: recommend using the inventory-agent roleuser:<user>password:<password>
Install the Kubernetes Inventory Agent using Helm and the values file we just built:
After deployment, verify the pod is up and running:
kubectl get pods -n anchore
The agent will automatically:
Discover all running pods and containers.
Collect image metadata and digest information.
Submit inventory to Anchore Enterprise.
Verification & Best Practices
Once your cluster is connected, verify agent connectivity by checking the logs to confirm it’s reporting inventory and status as expected:
kubectl logs -n anchore <inventory-agent-pod>
View the Vulnerability Results of Running Images
Log in to the Anchore Enterprise UI.
Navigate to the Kubernetes tab to access your running cluster data. Be aware that you may need to wait for a brief period for discovered data to appear.
Select your desired cluster. From here, You will get a real-time snapshot of what images are running and also be able to view:
The complete list of the running container images currently in use.
Vulnerabilities associated with each image, mapped to known CVEs.
CVSS scoring, severity distribution, and other helpful risk indicators so you can quickly spot anything that needs attention.
View and Enforce Policy Evaluations
Anchore Enterprise also lets you apply and enforce security policies directly against your running images—so you’re not just observing problems, you’re controlling them.
In the UI, go to Policies → Evaluation.
Choose the policy bundle you want to assess or enforce (for example, minimum CVSS severity thresholds, banned packages, or disallowed images).
Review the results, including:
Pass/Fail status for each image or cluster.
Detailed reasoning for policy violations, helping to guide remediation.
Optionally - if you want to take things a step further, configure notifications or enforcement actions (e.g., blocking deployment of non-compliant workloads) to keep risky images out of production.
Notes:
Confirm version compatibility between Anchore Enterprise and the Kubernetes Inventory Agent—mismatched versions can cause subtle reporting gaps or failed collections.
Keep the agent and policy bundles current, so you’re always scanning against the latest CVE data and enforcement rules rather than working off stale definitions.
Consider using role-based access control(RBAC) in Anchore Enterprise to protect sensitive results, ensuring that only authorized users can view vulnerability and policy data—especially in environments where findings may have compliance or confidentiality implications.
1.7 - Identify and Remediate Vulnerabilities
Start identifying and remediating vulnerabilities found in your assets.
This page outlines the workflow for identifying and remediating security vulnerabilities using a number of different Anchore Enterprise platform features which combined provide a layered approach for augmenting your organization’s security posture.
Analyze and View Security Vulnerabilities on an Asset
In order to remediate a given vulnerability, we must first identify whether one exists in the underlying asset through analysis.
The asset in this case could represent a container image which can be analyzed either through the UI or anchorectl — both of which are described in detail below. Once analysis is complete, we can then view any identified vulnerabilities to start the process of remediation.
Flag Vulnerabilities for Remediation Using VEX Annotations
Anchore Enterprise leverages use of VEX (Vulnerability Exploitability eXchange) annotations that allows your organization to add context to identified vulnerabilities which helps prioritize remediation efforts by assessing real-world risk.
Click the Images menu item.
Select an image which has been analyzed with identified vulnerabilities.
Click the Vulnerabilities tab.
Under Annotation Status (VEX) select your intended status for the target vulnerabilities (i.e., Not Affected, Affected, Fixed, or Under Investigation).
Click the caption box directly to the right to add annotation details in the Vulnerability Exploit Statement. Annotation details would include information such as how an identified vulnerability would be remediated (via an Action Statement).
For example, if you wanted to add an annotation for all CRITICAL vulnerabilities which meets the below criteria:
Package Name: java/jdk
Version: 1.8.0_452-b09
Annotation Status: Affected
Critical vulnerabilities with Affected annotation
Annotation details with Action Statement
These vulnerabilities have now been annotated accordingly per their level of severity and can be prioritized for remediation per the Action Statement.
The Images API can also be used to add, list, or delete annotations or update annotation details for a given image similar to the functionality provided through the UI. Refer to /images/{image_digest}/vuln-annotations and /images/{image_digest}/vuln-annotations/{vuln_annotation_uuid} in: API Reference
Further detail regarding the annotation classifications and VEX taxonomy in Anchore Enterprise can be found here: Vulnerability Annotations and VEX
Create a Report on Images With Annotated Vulnerabilities
Anchore Enterprise features a robust reporting service that allows your organization to create, manage, and save reports using pre-defined or custom templates for key stakeholder awareness and remediation.
Click the Reports menu item.
Choose a New Report of Images Affected by Vulnerability.
Choose the Vulnerability Severities and Vulnerability Annotation Status filters and select the appropriate filter patterns.
For example, if you wanted to create a report with annotated vulnerabilities which meets the below criteria:
Vulnerability Severities: Critical
Vulnerability Annotation Status: affected
Once you’ve set the desired filter patterns, you can then click on Preview Results which will return a listing of all images with Critical vulnerabilities that have been annotated as affected.
Images report on Critical and affected annotated vulnerabilities
The Account Scope is a default filter/option which controls whether the report should return global results encompassing all accounts, or if the results should be limited to only the local account. If you’re running the report as the admin user or as a user within the admin account, you’ll have the option to select either Local or Global as an Account Scope selection.
Once you’ve validated the Preview Results, you can either click on Download Full Report which will allow you to download the report in CSV (default) or JSON format or you can opt to click on Save Report.
Preview Results
If saving the report, you should specify a report Name and optional Description. Additionally, you should also set the frequency (i.e., Daily, Weekly, or Monthly), day of the week, and time that report generation should occur. You also have the option to toggle Generate immediately on save which will generate a report for immediate download upon clicking the Save button.
Save Report dialog
If you toggled Generate immediately on save, the saved report will be available for download in CSV (default) or JSON format and can be accessed by clicking on the Saved Reports tab.
Saved Reports view
Further detail regarding report generation via the UI can be found here: Reporting & Remediation
anchorectl can also be utilized to generate a list of images with annotated vulnerabilities that require remediation, providing you have the image identifier from anchorectl image list, it allows you to filter affected images by both Vulnerability Severity and Vulnerability Annotation Status (limited to Vulnerability Annotation Status only).
Syntax:
anchorectl image vulnerabilities <image ID, digest, or name:tag> --annotations <not affected, affected, fixed, under investigation>
With example, for all vulnerabilities annotated as Affected:
The Images API can also be used to list annotations for a given image similar to the functionality provided through the UI. Refer to /images/{image_digest}/vuln-annotations in the API Reference.
Export and Download a VEX Document
Anchore Enterprise can be used to generate a VEX (Vulnerability Exploitability eXchange) document for review with key stakeholders for security state awareness.
Click the Images menu item.
Select an image which has been analyzed where annotations have previously been added.
Click the Export button above the Annotation Status (VEX) column.
Exporting VEX annotations
From the Export dialog box, select the VEX radio button and desired export format (i.e. CycloneDX JSON, CycloneDX XML, or OpenVEX) from the drop-down box.
Click the Download button to download the VEX document.
Further detail regarding the CycloneDX specification can be found here: CycloneDX Spec
Further detail regarding the OpenVEX specification can be found here: OpenVEX Spec
Export dialog showing VEX options
The Images API can also be used to generate/download a VEX document for a given image similar to the functionality provided through the UI. Refer to /images/{image_digest}/vex/openvex, /images/{image_digest}/vex/cyclonedx-xml, and /images/{image_digest}/vex/cyclonedx-json in: API Reference
Further detail regarding generating a VEX document for an image in Anchore Enterprise can be found here: Vulnerability Annotations and VEX
Track Changes to Vulnerabilities
Anchore Enterprise features the ability to send notifications if the vulnerabilities within an image change.
For instance, changes made by the upstream providers of vulnerability data may cause CVEs to be added, removed, or modified. From a vulnerability management standpoint, it’s important to track such changes as a CVE severity level could be upgraded prompting the need to add a VEX annotation for vulnerability remediation.
Tracking changes to vulnerabilities is a core function of the Vulnerability Update subscription as described below.
Notifications can be selectively routed using a Selector. For changes or updates to vulnerabilities, configure the Selector as outlined in the Notifications Quick Selection guide.
Use Policies for Vulnerability Management
Anchore Enterprise features a sophisticated policy engine that allows your organization to perform evaluations against source repositories or container images using a set of rules.
Further detail regarding compliance management and policy taxonomy in Anchore Enterprise can be found here: Compliance Management
Click the Policies menu item.
Click on Create New Policy or click on Edit to modify the existing Active policy.
Click on Add New Rule Set and select either Source Repositories or Container Images from the drop-down box.
Provide a Name and Description for the ruleset and proceed to select and configure the ruleset Gate and Trigger.
Select an action (i.e., STOP, WARN, or GO) which should be associated with the ruleset.
For example, if you wanted to create a ruleset associated with the existing Anchore Enterprise - Secure policy to detect all CRITICAL vulnerabilities:
Further detail regarding the vulnerabilities gate and package trigger can be found here: Gate: vulnerabilities
Click on the Mappings tab followed by the Container Images tab.
Click on Edit for the default container Mapping Name.
Policy Mappings view
From the Edit Container Image Mapping dialog box, add the newly created ruleset to the Rule Sets list by selecting it from the drop-down menu. Once added, click OK.
Container Image Mapping dialog
Click the Images menu item and select an image which has been analyzed where annotations have previously been added.
Click the Policy Compliance tab. Check to make sure the correct policy and newly added ruleset are listed next to Policy and under Rule Sets.
Type in the name of the newly added ruleset in the Search box to filter on just the vulnerabilities that match the ruleset.
Under the Gate Action column, verify the configured ruleset action is reflected.
Under the Policy Rule column, verify the name of the ruleset is reflected.
Verify that the Policy Result in the upper right-hand side reflects the evaluation (i.e., PASSED or FAILED).
Policy Compliance evaluation results
1.8 - Best Practices for Using Anchore Enterprise in CI
Integrating Anchore Enterprise into CI systems
This quickstart will walk you through the typical steps required to integrate Anchore Enterprise policy checks and vulnerability scans into your CI jobs.
Before You Start
In order to start instrumenting your CI pipelines with AnchoreCTL, you need to ensure the following:
You have access to a fully operational Anchore Enterprise deployment, with a provisioned account/tenant for your use.
The Anchore Enterprise API should be accessible from your CI runner(s).
Your Anchore Enterprise deployment and your CI runner(s) can reach any relevant container registries from which to source images.
Get AnchoreCTL
Anchore Enterprise can be integrated into various CI systems in a vendor-agnostic manner using the AnchoreCTL tool. AnchoreCTL is a golang binary which can be used to interact with an Anchore Enterprise deployment. To ensure compatibility and simplify runner configuration, AnchoreCTL should always be version-aligned with your Anchore Enterprise deployment.
A recommended practice is to fetch AnchoreCTL directly from your Anchore Enterprise installation during the CI job. This guarantees the client version matches the server. Insert a command such as the following into your job before you want to conduct a scan and evaluation:
curl -X GET "https://my-anchore.example.com/v2/system/anchorectl?operating_system=linux&architecture=amd64" -H "accept: */*"| tar -zx anchorectl
AnchoreCTL can talk to an Anchore Enterprise deployment using username and password for authentication, or via API keys. The latter is recommended and otherwise commonly used if you are signing into Anchore Enterprise via SSO.
Configure an API key so your job can talk to the Anchore Enterprise API, see Using API keys for instructions.
Add Environment Variables
You’ll typically want to store AnchoreCTL configuration such as connection details in environment variables for your CI job. At a minimum, you will want to set or configure the following in your CI job specification:
ANCHORECTL_URL
ANCHORECTL_USERNAME
ANCHORECTL_PASSWORD
ANCHORECTL_UI_URL
The ANCHORECTL_UI_URL variable ensures that HTML outputs from anchorectl commands will contain deep links to the Anchore Enterprise UI for assets.
Alternatively, you could also construct an AnchoreCTL configuration file and use that. See Configuring AnchoreCTL for further details on possible parameters.
You can also run anchorectl –help | grep ANCHORECTL_ to see a list of common environment variables
Choose Your Method of Analysis
Before you start creating a workflow in CI, you will need to determine which method of analysis you wish to use. Anchore Enterprise supports two primary modes of operation for image analysis in CI pipelines: Distributed Analysis or Centralized Analysis.
Both modes work with any CI/CD system as long as the AnchoreCTL binary can be installed and run, and you can access the Enterprise APIs directly.
Distributed Analysis (Recommended)
In Distributed Analysis, SBOM generation happens locally on the runner and is then sent to Anchore Enterprise for evaluation.
It is the recommended approach because it offers maximum flexibility in resourcing. You can potentially reduce the time to generate an SBOM by customising your anchoreCTL configuration and providing more CPU and fast I/O to your pipeline runners.
Distributed analysis does not currently support malware scanning. If malware scanning is required, use Centralized Analysis.
To use distributed analysis, construct your CI job to use AnchoreCTL with the --from parameter, for example:
This will cause AnchoreCTL in your job to download the image from the given registry and generate the SBOM locally on the runner.
Centralized Analysis
In Centralized Analysis, the AnchoreCTL command is used to ask your Anchore Enterprise deployment to download and analyzes the image content. This is necessary if you require the malware scanning service to unpack and scan container layers.
If you are using Centralized Analysis for Malware support, you may need to enable this in your deployment configuration, see here
To use centralized analysis, omit the --from parameter, for example:
Centralized analysis will have a different performance profile for SBOM generation, since you may not have direct control over resourcing of your Anchore Enterprise shared service.
Construct Your Workflow
You’re now ready to start putting AnchoreCTL commands into your CI jobs. For a container-focused use-case, you will generally look to construct a job which does the following:
Builds a container image and pushes to a staging registry
Downloads AnchoreCTL from Anchore Enterprise
Generates an SBOM of the container image
Conducts a vulnerability analysis, returning results
Conducts a policy check, returning the evaluation result
The sequence of commands will look something like this (simplified):
# Build a docker image for your projectdocker build -t <DOCKER_USERNAME>/getting-started-todo-app .
# Push the image to a staging registry (you can also skip this step by using --from docker in the next command)docker push <DOCKER_USERNAME>/getting-started-todo-app
# Download AnchoreCTLcurl -X GET "https://my-anchore.example.com/v2/system/anchorectl?operating_system=linux&architecture=amd64" -H "accept: */*"| tar -zx anchorectl
# Generate the SBOM for the image (in this example, distributed) and wait for analysis to completeanchorectl image add <DOCKER_USERNAME>/getting-started-todo-app --from [docker, registry] --wait
# Get vulnerability results for the imageanchorectl image vulns <DOCKER_USERNAME>/getting-started-todo-app
# Get policy evaluation results for the imageanchorectl image check <DOCKER_USERNAME>/getting-started-todo-app
Based on the results returned by Anchore Enterprise, you can then decide what additional steps to take in your CI job.
Customize Artifacts
The various anchorectl commands have various options for outputs, selected using the -o parameter. You might opt to return results as text, machine-readable JSON, csv or more! This material can be useful if you intended to have additional steps in your job work based on results, rather than just pass or fail.
Furthermore, AnchoreCTL 5.26+ and higher now includes an HTML format for vulnerability and policy check reports, for example:
If you set ANCHORECTL_UI_URL or ui-url in your AnchoreCTL configuration and you’re not using one-time-scan, you’ll get a handy link in the HTML which will take you straight into the Anchore Enterprise UI for that SBOM artifact.
Optimize Performance
With a basic workflow constructed, you might want to try and optimise for SBOM-generation, vuln scan and policy check times.
If you are using Distributed Analysis, you will want to ensure that your CI runners have fast CPU and I/O, to optimise the cataloging and SBOM generation process used by AnchoreCTL.
If your container images contain a large number of files and packages, you may be able to significantly reduce SBOM generation time by enabling parallelism. AnchoreCTL (v5.18+) can run catalogers in parallel rather than sequentially.
You can configure the number of concurrent worker processes using the ANCHORECTL_SYFT_PARALLELISM environment variable (or set in anchorectl.yaml). For optimal performance, try aligning the number of workers with your runner’s available vCPUs.
# Example for an 8 vCPU runnerANCHORECTL_SYFT_PARALLELISM=8
Rather than just reviewing a raw list of vulnerabilities, which can be daunting and lack context, it is a best practice to use the Anchore Enforce policy engine to conduct compliance checks.
Policy-driven gating provides developers with precise, actionable feedback based on your own organizational policy or industry standards (e.g., NIST 800-53, CIS).
Use the following command to evaluate an image against your default policy and fail the CI job if it does not meet compliance requirements. You might add this to the end of your sequence of commands:
The --detail flag can be useful for developers, as it provides the specific gate, trigger, and remediation recommendations needed to resolve policy violations.
The -f flag tells the command to give a return code of 1 in the result of the policy check being marked as fail. This can allow you to fail or break a workflow on this step.
If you wish to store output as artifacts, you can use the -o parameter and save accordingly.
Switch to Stateless Scans (One-Time Scan)
By default, adding an image to Anchore Enterprise for analysis means that the SBOM will be stored persistently in the deployment, until archived or deleted. This could mean your deployment stores more SBOMs than necessary; you may not care whether an SBOM for a CI build is persisted or not.
Anchore Enterprise has a featured called One Time Scan which can be used to deliver fast feedback in your pipeline jobs, namely vulnerability and policy analysis results, but doing so without persisting the SBOM in your Anchore Enterprise deployment. Use the anchorectl image one-time-scan command to conduct analysis in this mode. As with the anchorectl image check command, you can also pass a flag to fail the pipeline job if the policy analysis fails. For example:
By default, this command will return a policy check. Using the -o json parameter, JSON results for policy check, vulnerability scan and the SBOM will be returned. These results can then be machine parsed by the CI job to determine actions.
You’ve now fully instrumented your pipeline to add hi-fidelity SBOM-based vulnerability and compliance checks to your CI jobs!
2 - Deploying Anchore Enterprise
Anchore Enterprise and its components are delivered as Docker container images which can be deployed as co-located, fully distributed, or anything in-between. Anchore Enterprise can run on a single host or be deployed in a scale out pattern for increased analysis throughput.
To get up and running, jump to the following guides of your choosing:
Anchore Enterprise Container Images
You need a Dockerhub PAT from Anchore Customer Success in order to download the Anchore Enterprise Container Images
This section details the general requirements for running Anchore Enterprise. For a conceptual understanding of Anchore Enterprise, please see the Overview topic prior to deploying the software.
Runtime
Anchore Enterprise requires a Docker compatible runtime (version 1.12 or higher) on either AMD or Intel-based amd64 architecture.
Deployment is supported on:
Docker Compose (only recommended for testing, for example demo or proof-of-concept < 1000 SBOMs)
Any Kubernetes Certified Service Provider (KSCP) as certified by the Cloud Native Computing Foundation (CNCF) via Helm.
Any Kubernetes Certified Distribution as certified by the Cloud Native Computing Foundation (CNCF) via Helm.
Amazon Elastic Container Service (ECS) via Helm.
Resourcing
Use-case and usage patterns will determine the resource requirements for Anchore Enterprise. When deploying via Helm (package manager for Kubernetes), requests and limits are set in the values.yaml file. When deploying via Docker Compose, add reservations and limits into your Docker Compose file. The following recommendations can get you started:
Requests specify the desired resource amounts for the container, while limits specify the maximum resource amounts the container is allowed. To achieve best QoS (quality-of-service) with Helm deployments, it’s recommended to set requests equal to limits for allocated memory units and to set requests only with no limits set for allocated CPU units.
It’s not recommended to set less than 1 CPU unit for any container. Less than this could result in unexpected behaviour and should only be used in testing scenarios.
For the api, catalog, policy, and postgresql service containers, a minimum of 2 CPU units is recommended.
For Production use with Helm deployments, it’s recommended to set memory units to a minimum of 16G for the analyzer and policy services and 8G for all other services - where requests equals limits for all services. Less than these values could result in OOM errors or containers restarting unexpectedly.
If you intend on using Kubernetes, the default values.yaml found in the Anchore Enterprise Helm Chart provides some resourcing recommendations to get you started.
The memory footprint for Production use is recommended to better support performance improvements with the image analysis system in recent versions of Anchore Enterprise in addition to high-volume workloads, where a substantial number of images are being analyzed.
When considering horizontal scaling, generally look to maintain a 4:1 analyzer service to core services (api, catalog, and policy) ratio. For example, an 4 analyzer deployment should generally have 1 api, 1 catalog, and 1 policy replica. An 8 analyzer deployment should generally have 2 api, 2 catalog, and 2 policy replicas.
Database
The only service dependency strictly required by Anchore Enterprise is a PostgreSQL database (17.x or higher) that all services connect to. The database is centralized simply for ease of management and operation. For an architectural overview, go to Anchore Enterprise Architecture.
Anchore Enterprise 6.0+ will require the pg_cron extension in addition to PostgreSQL 17. Planning for this now avoids additional migration steps later.
Anchore Enterprise is database-intensive. Depending on the scale of the deployment, hundreds to thousands of concurrent connections may be required. The PostgreSQL database used for Anchore Enterprise should be dedicated and not co-located with any other applications that use a PostgreSQL backend. Anchore Enterprise requires a readable and writable PostgreSQL endpoint — read replica endpoints are not supported at this time.
Anchore Enterprise uses this database to provide persistent storage for image, policy and analysis data. Database storage requirements are based on the number of SBOMs and how long these need to be stored in the active set (i.e. not archived to analysis archive/s3 or deleted). Each SBOM and its respective packages are indexed in the DB, so SBOM complexity also requires increased database storage. Runtime adds a further requirement here.
As an Anchore Enterprise deployment grows — whether through a larger volume of SBOMs, higher analysis throughput, or longer data retention — the database requires proportionally more storage, CPU, and memory. Plan to scale these resources in step with your deployment’s growth.
We suggest configuring a default artifact lifecycle policy and/or archival rules and monitoring database storage usage closely according to your use-case. Size your initial DB as roughly 50MB per image in your active set and use object storage for archive (see below).
For production deployments, we recommend monitoring database storage, CPU, and memory usage continuously (for example, using Prometheus and Grafana). Set alerts for approaching resource thresholds so you can scale proactively. Also keep in mind that certain backup strategies (for example, logical dumps or snapshot-based backups) may temporarily require a significant amount of additional free storage on the database volume.
Anchore Enterprise upgrade paths are forward-only — rollback is not supported. A database backup taken immediately before an upgrade is your only recovery path. Due to the wide variation in deployment methodologies and configurations inherent to on-premise software, Anchore cannot prescribe a specific backup strategy. You are responsible for establishing and testing a backup and recovery procedure that is appropriate for your environment.
Reduce Total Cost of Ownership with an External Object Store
Configuring an external object store can significantly reduce database size and total cost of ownership (TCO) by offloading analysis data to object storage (for example, Amazon S3).
When using an external object store alongside the database, both must be backed up at the exact same point in time to ensure data consistency. Use a coordinated backup service (for example, AWS Backup) that can snapshot both resources simultaneously.
PostgreSQL in Anchore Enterprise Deployments
A PostgreSQL database ships with the default deployment mechanisms for Anchore Enterprise. This is often referred to as the Anchore-managed database. This can be run in a container, as configured in the example Docker Compose file and default Helm values file.
The PostgreSQL database requirement can also be provided as an external service to Anchore Enterprise. PostgreSQL databases, such as Amazon RDS for PostgreSQL, can be used for highly-scalable cloud deployments.
An external PostgreSQL database is recommended for any production Helm deployment.
PostgreSQL Requirements for Anchore Enterprise 6.0
As of Anchore Enterprise 6.0, PostgreSQL 17 or higher with the pg_cron extension is required. Be aware of the following changes by deployment type:
Helm: The Anchore Enterprise 6.0 Helm chart will not include a bundled PostgreSQL chart. The pg_cron extension must be available in your PostgreSQL instance before beginning the Anchore Enterprise 6.x migration. Helm deployments may need to build a custom PostgreSQL 17 image with the pg_cron extension and push it to a container registry accessible by the Kubernetes cluster.
Docker Compose: Docker Compose deployments will continue to include PostgreSQL. The provided docker-compose YAML file references a Dockerfile that adds the pg_cron extension automatically.
AECI: AECI deployments will continue to include PostgreSQL.
The pg_cron extension can be added to an existing PostgreSQL instance at any time. However, this may require replacing the PostgreSQL container image with one that includes the extension, and running SQL statements directly against the database as the postgres superuser to create and configure the extension.
For both Helm and Docker Compose deployments, we suggest using a managed database such as Amazon RDS whenever possible. If a managed database is not available, we suggest using CloudNativePG (CNPG).
We recommend against using connection pooling for your database (such as pg_bouncer) as it has been known to cause issues with Anchore Enterprise, which does its own connection pooling using SQLAlchemy.
Network
An Anchore Enterprise deployment requires the following three categories of network access:
Service Access
Connectivity between Anchore Enterprise services, including access to an external database.
Registry Access
Network connectivity, including DNS resolution, to the registries from which Anchore Enterprise needs to download images.
Anchore Data Service (ADS) Access
Anchore Enterprise requires access to the datasets in order to perform analysis and vulnerability matching. See Anchore Enterprise Data Feeds for more information.
The Data Syncer service needs to communicate with the Anchore Data Service and it may be necessary to whitelist the Anchore Data Service endpoint if it’s blocked within your environment for proper dataset retrieval. See Data Synchronization for more information.
Security
Anchore Enterprise is deployed from source repositories or container images that can be run manually using Docker Compose, Kubernetes, or any other supported container platform.
By default, Anchore Enterprise does not require any special permissions. It can be run as an unprivileged container with no access to the underlying Docker host.
Anchore Enterprise can be configured to pull images through the Docker socket. However, this configuration is not recommended, as it grants the Anchore Enterprise container added privileges and may incur a performance impact on the underlying Docker host.
Storage
Anchore Enterprise can be configured to depend on other storage for various artifacts. For full details on storage configuration, see Storage Configuration.
Configuration volumes:
this volume is used to provide persistent storage to the container from which it will read its configuration files, and optionally - certificates. Requirement: Less than 1MB.
[Optional] Scratch space:
this temporary storage volume is recommended but not required. During the analysis of images, Anchore Enterprise downloads and extracts all of the layers required for an image. These layers are extracted and analyzed, after which, the layers and extracted data are deleted. If a temporary storage is not configured, then the container’s/worker node’s ephemeral storage will be used to store temporary files. However, performance is likely be improved by using a dedicated volume. Scratch volumes do not need storage redundancy. For further information see Scratch
[Optional] Layer cache:
another temporary storage volume may also be used for image-layer caching to speed up analysis. This caches image layers for re-use by analyzers when generating an SBOM / analyzing an image. For further information see Layer Caching
When configuring scratch and layer cache, the size of these volumes should generally be three times the uncompressed image size to be analyzed.
A temporary volume is required to work around a kernel driver bug for container hosts that use OverlayFS or OverlayFS2 storage, with a kernel older than 4.13.
[Optional] Object Storage and Analysis Archiving:
Anchore Enterprise stores image analysis data and policy documents as JSON objects. By default these are stored in PostgreSQL. For larger deployments, the active data set can be offloaded to Amazon S3 or an S3-compatible provider, and completed analyses can be moved to a separate archive to reduce database load. Requirement: approximately 10MB per image. For further information, see Object Storage Configuration and Analysis Archive Configuration.
The estimated storage requirements for object should be the total number of images x 10MB
Anchore Enterprise UI
The Anchore Enterprise UI module interfaces with Anchore API using the external API endpoint. The UI requires access to the Anchore database where it creates its own namespace for persistent configuration storage. Additionally, a Redis database deployed and managed by Anchore Enterprise through the supported deployment mechanisms is used to store session information.
Network
Ingress
The Anchore Enterprise UI module publishes a web UI service by default on port 3000, however, this port can be remapped.
Egress
The Anchore Enterprise UI module requires access to three network services at the minimum:
External API endpoint (typically port 8228)
Redis Database (typically port 6379)
PostgreSQL Database (typically port 5432)
Redis Service
Version 7.4.6 or higher
Optimize Your Deployment
Optimizing your Anchore Enterprise deployment on Kubernetes, involves various strategies to enhance performance, reliability, and scalability. Here are some key tips:
Ensure that your Analyzer, API, Catalog, and Policy service containers have adequate CPU and memory resources. Each service has reference recommendations which can be found in the Anchore Enterprise chart values.yaml.
Each pod can make between 30 and 100 connections to the database so ensure max_connections is set appropriately (at least 500).
Integrate with monitoring tools like Prometheus and Grafana to monitor key metrics like CPU, memory usage, analysis times, and feed sync status. You can also Set up alerts for critical thresholds. Follow our guide on Prometheus and Grafana setup Monitoring guides
For large deployments, it is good practice to Schedule regular vacuuming, indexing, and performance tuning to keep the database running efficiently.
Layer caching in Docker can significantly speed up the image build process by reusing layers that haven’t changed, reducing build times and improving efficiency. Follow our guide on Layer Caching setup
Keep in mind Anchore Enterprise supports tenancy by means of Accounts. We suggest at a minimum creating an
account besides the admin account to use for normal Anchore Enterprise tasks.
Next Steps
If you feel you have a solid grasp of the requirements for deploying Anchore Enterprise, we recommend following one of our installation guides.
2.2 - Deploy using Docker Compose
In this topic, you’ll learn how to use Docker Compose to get up and running with a stand-alone Anchore Enterprise deployment.
Docker Compose is only recommended for testing (e.g. demo or proof-of-concept) (< 1000 SBOMs), production is by support exception from Anchore CS. For all other usage patterns, customers should use either the Anchore Enterprise Cloud Image, or a Helm-based deployment on K8s which enables easier scaling, modular deployment and fine-grained configuration.
Before moving further with Anchore Enterprise, it is highly recommended to read the Overview sections to gain a deeper understanding of fundamentals, concepts, and proper usage.
The following instructions assume you are using a system running Docker v1.12 or higher, and a version of Docker Compose that supports at least v2 of the docker compose configuration format.
A stand-alone deployment requires at least 16GB of RAM (32GB+ recommended), and enough disk space available to support the largest container images or source repositories that you intend to analyze. It is recommended to consider three times the largest source repository or container image size. We suggest at least 40GB of disk space, the more the better.
To access Anchore Enterprise, you need a valid license.yaml file that has been issued to you by Anchore. If you do not have a license yet, visit the Anchore Contact page to request one.
You need root or sudo access to the system where you will be running docker and deploying Anchore Enterprise, all commands in this document are run as root.
Getting Started
Follow the steps below to get up and running!
Step 1: Check access to images
You’ll need authenticated access to the anchore/enterprise and anchore/enterprise-ui repositories on DockerHub. Anchore Customer Success will provide a Dockerhub PAT (Personal Access Token) for access to images. Login with your Docker PAT to push and pull images from Docker Hub:
Edit the compose file and uncomment the ANCHORE_ADMIN_PASSWORD env var in both the catalog and queue services to a strong password of your choice.
- ANCHORE_ADMIN_PASSWORD=yourstrongpassword
The admin password value must be the same across all services defined in the compose file.
Then start your environment from your working directory:
docker compose up -d
Step 3: Install AnchoreCTL
Next, we’ll install the lightweight Anchore Enterprise client tool, quickly test using the version operation, and set up a few environment variables to allow it to interact with your deployment using the admin password you defined in the previous step.
In this guide, AnchoreCTL is installed to /usr/local/bin/ and uses environment variables throughout. For more details on using and configuring AnchoreCTL, see Using AnchoreCTL.
Run the curl command below to download anchorectl and install it into your /usr/local/bin directory, which should be in your $PATH:
curl -sSfL https://anchorectl-releases.anchore.io/anchorectl/install.sh | sh -s -- -b /usr/local/bin v5.27.1
Run the following command to validate that you are now using your newly downloaded version of anchorectl:
After that, the next steps are to simply pass the basic configuration options for anchorectl into the environment variables so that these values can be used to automate:
After a few minutes (depending on system speed) Anchore Enterprise and Anchore UI services should be up and running, ready to use. You can verify the containers are running with docker compose, as shown in the following example.
docker compose ps
#Output Name Command State Ports
-------------------------------------------------------------------------------------------------------
anchorequickstart_analyzer_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_anchore-db_1 docker-entrypoint.sh postgres Up 5432/tcp
anchorequickstart_api_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8228->8228/tcp
anchorequickstart_catalog_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_data-syncer_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8778->8228/tcp
anchorequickstart_notifications_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8668->8228/tcp
anchorequickstart_policy-engine_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_queue_1 /docker-entrypoint.sh anch ... Up (healthy) 8228/tcp
anchorequickstart_reports_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:8558->8228/tcp
anchorequickstart_reports_worker_1 /docker-entrypoint.sh anch ... Up (healthy) 0.0.0.0:55427->8228/tcp
anchorequickstart_ui-redis_1 docker-entrypoint.sh redis ... Up 6379/tcp
anchorequickstart_ui_1 /docker-entrypoint.sh node ... Up 0.0.0.0:3000->3000/tcp
You can then run a command to get the status of the Anchore Enterprise services:
anchorectl system status
#Output ✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE │ HOST ID │ URL │ UP │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ analyzer │ anchore-quickstart │ http://analyzer:8228 │ true │ available │ 5270 │ 5.27.0 │
│ policy_engine │ anchore-quickstart │ http://policy-engine:8228 │ true │ available │ 5270 │ 5.27.0 │
│ apiext │ anchore-quickstart │ http://api:8228 │ true │ available │ 5270 │ 5.27.0 │
│ reports │ anchore-quickstart │ http://reports:8228 │ true │ available │ 5270 │ 5.27.0 │
│ reports_worker │ anchore-quickstart │ http://reports-worker:8228 │ true │ available │ 5270 │ 5.27.0 │
│ data_syncer │ anchore-quickstart │ http://data-syncer:8228 │ true │ available | 5270 │ 5.27.0 │
│ simplequeue │ anchore-quickstart │ http://queue:8228 │ true │ available │ 5270 │ 5.27.0 │
│ notifications │ anchore-quickstart │ http://notifications:8228 │ true │ available │ 5270 │ 5.27.0 │
│ catalog │ anchore-quickstart │ http://catalog:8228 │ true │ available │ 5270 │ 5.27.0 │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘
Note: The first time you run Anchore Enterprise, vulnerability data will sync to the system in a few minutes.
For the best experience, wait until the core vulnerability data feeds have completed before proceeding. You can check the status of your feed sync using AnchoreCTL:
As soon as you see RecordCount values set for all vulnerability groups, the system is fully populated and ready to present vulnerability results. Note that data syncs are incremental, so the next time you start up Anchore Enterprise it will be ready immediately. The AnchoreCTL includes a useful utility that will block until the feeds have completed a successful sync:
anchorectl system wait
#Output ✔ API available system
✔ Services available [10 up] system
✔ Vulnerabilities feed ready system
Step 5: Start Using Anchore Enterprise
To get started, you can add a few images to Anchore Enterprise using AnchoreCTL. Once complete, you can also run an additional AnchoreCTL command to monitor the analysis state of the added images, waiting until the images move into an ‘analyzed’ state.
Uncomment the following section at the bottom of the docker-compose.yaml file:
# # Uncomment this section to add a prometheus instance to gather metrics. This is mostly for quickstart to demonstrate prometheus metrics exported# prometheus:# image: docker.io/prom/prometheus:latest# depends_on:# - api# volumes:# - ./anchore-prometheus.yml:/etc/prometheus/prometheus.yml:z# logging:# driver: "json-file"# options:# max-size: 100m# ports:# - "9090:9090"#
For each service entry in the docker-compose.yaml, change the following to enable metrics in the API for each service
ANCHORE_ENABLE_METRICS=false
to
ANCHORE_ENABLE_METRICS=true
Download the example prometheus configuration into the same directory as the docker-compose.yaml file, with name anchore-prometheus.yml:
curl https://docs.anchore.com/current/docs/deployment/anchore-prometheus.yml > anchore-prometheus.yml
docker compose up -d
Result: You should see a new container started and can access prometheus via your browser on http://localhost:9090.
Optional: Enable Swagger UI
Uncomment the following section at the bottom of the docker-compose.yaml file:
# # Uncomment this section to run a swagger UI service, for inspecting and interacting with the system API via a browser (http://localhost:8080 by default, change if needed in both sections below)# swagger-ui-nginx:# image: docker.io/nginx:latest# depends_on:# - api# - swagger-ui# ports:# - "8080:8080"# volumes:# - ./anchore-swaggerui-nginx.conf:/etc/nginx/nginx.conf:z# logging:# driver: "json-file"# options:# max-size: 100m# swagger-ui:# image: docker.io/swaggerapi/swagger-ui# environment:# - URL=http://localhost:8080/v2/openapi.json# logging:# driver: "json-file"# options:# max-size: 100m
Download the nginx configuration into the same directory as the docker-compose.yaml file, with name anchore-swaggerui-nginx.conf:
curl https://docs.anchore.com/current/docs/deployment/anchore-swaggerui-nginx.conf > anchore-swaggerui-nginx.conf
docker compose up -d
Result: You should see a new container started, and have access Swagger UI via your browser on http://localhost:8080.
2.3 - Deploy on Kubernetes using Helm
The supported method for deploying Anchore Enterprise on Kubernetes is with Helm. The Anchore Enterprise Helm Chart includes configuration options for a full Enterprise deployment.
Always consult the chart README and release notes prior to deployment or upgrade as this contains the most current information on deployment configuration.
The chart is split into global and service specific configurations for the core features, as well as global and services specific configurations for the optional Enterprise services.
The anchoreConfig section of the values file contains the application configuration for Anchore Enterprise. This includes the database connection information, credentials, and other application settings.
Anchore Enterprise services run as a kubernetes deployment when installed with the Helm chart. Each service has its own section in the values file for making customizations and configuring the kubernetes deployment spec.
If you are moving from the Anchore Engine Helm chart deployment to the updated Anchore Enterprise Helm chart, see here for further guidance.
Prerequisites
See the README in the chart repository for prerequisites before starting the deployment.
Install the Chart
This guide covers deploying Anchore Enterprise on a Kubernetes cluster with the default configuration. Refer to the Configuration section of the chart README for additional guidance on production deployments.
Create the namespace: The steps to follow will require the namespace to have been created already.
Create a Kubernetes Secret for DockerHub Credentials: Generate a Kubernetes secret containing the Anchore-provided DockerHub credentials. These credentials are required for authenticated access to the private Anchore Enterprise repositories on DockerHub in order to pull/download the Docker images used by the deployment. Contact Anchore Support to obtain access.
Add Chart Repository & Deploy Anchore Enterprise: Create a custom values file, named anchore_values.yaml, to override any chart parameters. Refer to the Parameters section for available options.
Default passwords are specified in the chart and must be changed before deploying. The password for the admin user is set via the anchoreConfig.default_admin_password parameter in your custom anchore_values.yaml file. This value is only used during initial creation of the admin user; the password can be changed post-installation via the UI.
The helm install command will initiate the installation of Anchore Enterprise into the specified namespace using the chart parameters defined in your custom anchore_values.yaml file. Upon completion, the pod status can be checked per the below and should reflect READY 1/1 and STATUS Running for each pod.
There should be 12 Anchore Enterprise pods in total, which includes PostgreSQL and Redis.
This command installs Anchore Enterprise with a chart-managed PostgreSQL database, which may not be suitable for production use. See the External Database section of the chart README for details on using an external database.
Post-Installation Steps: Anchore Enterprise will take some time to initialize. After the bootstrap phase, it will begin a vulnerability feed sync. Image analysis will show zero vulnerabilities and the UI will show errors until the sync is complete, which can take an hour or more based on the enabled feeds. The sync process will take place in the background, and while it’s in progress, anchorectl can be installed and the below commands can be used to check system status.
Export the required parameters to invoke anchorectl:
Gather the status of Anchore Enterprise services. anchorectl defaults to the user ${ANCHORECTL_USERNAME} and to the password ${ANCHORECTL_PASSWORD} automatically if set:
anchorectl system status
Example output:
✔ Status system
┌─────────────────┬────────────────────┬─────────────────────────────┬──────┬────────────────┬────────────┬──────────────┐
│ SERVICE │ HOST ID │ URL │ UP │ STATUS MESSAGE │ DB VERSION │ CODE VERSION │
├─────────────────┼────────────────────┼─────────────────────────────┼──────┼────────────────┼────────────┼──────────────┤
│ analyzer │ anchore-quickstart │ http://analyzer:8228 │ true │ available │ 5270 │ 5.27.0 │
│ policy_engine │ anchore-quickstart │ http://policy-engine:8228 │ true │ available │ 5270 │ 5.27.0 │
│ apiext │ anchore-quickstart │ http://api:8228 │ true │ available │ 5270 │ 5.27.0 │
│ reports │ anchore-quickstart │ http://reports:8228 │ true │ available │ 5270 │ 5.27.0 │
│ reports_worker │ anchore-quickstart │ http://reports-worker:8228 │ true │ available │ 5270 │ 5.27.0 │
│ data_syncer │ anchore-quickstart │ http://data-syncer:8228 │ true │ available │ 5270 │ 5.27.0 │
│ simplequeue │ anchore-quickstart │ http://queue:8228 │ true │ available │ 5270 │ 5.27.0 │
│ notifications │ anchore-quickstart │ http://notifications:8228 │ true │ available │ 5270 │ 5.27.0 │
│ catalog │ anchore-quickstart │ http://catalog:8228 │ true │ available │ 5270 │ 5.27.0 │
└─────────────────┴────────────────────┴─────────────────────────────┴──────┴────────────────┴────────────┴──────────────┘
The port forwarding shown above is intended only for POC purposes or an initial Anchore Enterprise installation and is not recommended for Production use. In a Production environment, an ingress controller or load balancer is recommended for exposing the Anchore Enterprise API and UI services. See the cloud-provider–specific Helm deployment guides (AKS, EKS, GKE, OpenShift) for ingress examples.
List all Helm releases using helm list -n ${NAMESPACE}.
Next Steps
Now that you have Anchore Enterprise running, you can begin to learning more about Anchore Enterprise architecture, Anchore concepts, and Anchore usage.
To learn more about Anchore Enterprise, go to Overview
To learn more about Anchore Enterprise Concepts, go to Concepts
2.3.1 - Deploying Anchore Enterprise on Azure Kubernetes Service (AKS)
This document will walk you through the deployment of Anchore Enterprise in an Azure Kubernetes Service (AKS) cluster and expose it on the public Internet.
Prerequisites
A running AKS cluster with worker nodes launched. See AKS Documentation for more information on this setup.
Once you have an AKS cluster up and running with worker nodes launched, you can verify via the following command.
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
aks-nodepool1-28659018-0 Ready agent 4m13s v1.30.3
aks-nodepool1-28659018-1 Ready agent 4m15s v1.30.3
aks-nodepool1-28659018-2 Ready agent 4m6s v1.30.3
Anchore Enterprise Helm Chart
Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise deployment of the chart will include the following:
Anchore Enterprise software
PostgreSQL (13 or higher)
Redis (7 or higher)
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml file and reference it during deployment. There are many options for configuration with Anchore Enterprise; this document is intended to cover the minimum required changes to successfully deploy Anchore Enterprise in AKS.
For this installation, an NGINX ingress controller will be used. You can read more about Kubernetes Ingress in AKS here.
Azure Flexible Postgres
For production deployments we generally favor cloud-provider managed databases over using the built-in chart. This ensures the database is isolated from workloads allowing it to use CPU & Memory without contention. We suggest selecting a storage option that allows for automatic size increase.
If you choose to use Azure Flexible Postgres ensure that you make the following changes for compatibility with Anchore Enterprise:
pgbouncer.enabled: false - It is very important that this setting be turned off!
idle_in_transaction_session_timeout: 0
max_connections should be at least 500. The default is based on the amount of instance memory. 16GB or larger instances will have high enough max_connections setting by default.
ingress:enabled:trueapiPaths:- /v2/- /version/uiPath:/apiHosts:- anchore.mydomain.comuiHosts:- anchore.mydomain.comannotations:# See https://learn.microsoft.com/en-us/azure/application-gateway/ingress-controller-annotations for more annotationskubernetes.io/ingress.class:azure/application-gateway
Configuring ingress is optional. It is used throughout this guide to expose the Anchore Enterprise deployment outside of your Kubernetes cluster.
If your load balancer or reverse proxy terminates TLS on behalf of Anchore Enterprise, you should set enable_ssl and enable_proxy to True in the Enterprise UI configuration. Without these settings, the UI may not correctly detect the HTTPS connection, which could result in unexpected behavior with session cookies and authentication. For more details, see Enterprise UI Configuration.
Anchore Enterprise API Service
# Pod configuration for the anchore api service.api:# kubernetes service configuration for anchore external APIservice:type:NodePortport:8228annotations:{}
Changed the service type to NodePort.
Anchore Enterprise UI
ui:# kubernetes service configuration for anchore UIservice:type:NodePortport:80annotations:{}sessionAffinity:ClientIP
Changed the service type to NodePort.
Deploy Anchore Enterprise
Enterprise services require an Anchore Enterprise license, as well as credentials with permission to access the private DockerHub repository containing the enterprise software.
Create a Kubernetes secret containing your license file:
We can see that NGINX ingress controller has been installed as well from the previous step. You can view the services by running the following command:
The above output shows that the IP address of the NGINX ingress controller is 40.114.26.147. Going to this address in the browser will take you to the Anchore Enterprise login page.
Anchore Enterprise System
Check the status of the system with AnchoreCTL to verify all of the Anchore Enterprise services are up:
ANCHORECTL_URL=http://40.114.26.147/v2/ ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status
Anchore Enterprise Feeds
It can take 5 minutes or more to fetch all of the vulnerability feeds from the Anchore Data Service. Check on the status of feeds with AnchoreCTL:
ANCHORECTL_URL=http://40.114.26.147/v2/ ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl feed list
It is not uncommon for the above command to return [] while the initial feed sync occurs.
Once the vulnerability feed sync is complete, Anchore Enterprise can begin to return vulnerability results on analyzed images. Please continue to the Vulnerability Management section of our documentation for more information.
2.3.2 - Deploying Anchore Enterprise on Amazon EKS
This section provides information on how to deploy Anchore Enterprise onto Amazon EKS. Here is recommended architecture on AWS EKS:
Prerequisites
You’ll need a running Amazon EKS cluster with worker nodes. See EKS Documentation for more information on this setup.
Once you have an EKS cluster up and running with worker nodes launched, you can verify it using the following command:
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
ip-192-168-2-164.ec2.internal Ready <none> 10m v1.30.3-eks-a737599
ip-192-168-35-43.ec2.internal Ready <none> 10m v1.30.3-eks-a737599
ip-192-168-55-228.ec2.internal Ready <none> 10m v1.30.3-eks-a737599
In order to deploy the Anchore Enterprise services, you’ll then need the Helm client installed on local host. Anchore maintains a Helm chart to simplify the software deployment process.
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml file and reference it during deployment. There are many options for configuration with Anchore. The following is intended to cover the recommended changes for successfully deploying Anchore Enterprise on Amazon EKS.
Configuration
The following configurations should be used when deploying on EKS.
RDS
Anchore recommends utilizing Amazon RDS for a managed database service, rather than the Anchore chart-managed postgres. For information on how to configure for an external RDS database, see Amazon RDS. It is suggested to allow the storage to automatically increase as needed.
S3 Object Storage
Anchore Enterprise supports the use of S3 object storage for archival of SBOMs, configuration details can be found here. Consider using the iamauto: True option to utilise IAM roles for access to S3.
PVCs
Anchore Enterprise by default uses ephemeral storage for pods but we recommend configuring Analyzer scratch space, at a minimum. Further details can be found here.
Anchore generally recommends providing EBS-backed storage for analyzer scratch of the gp3 type. Note that you will need to follow the AWS guide on storing K8s volumes with Amazon EBS. Once the CSI driver is configured for your cluster, you will then need to configure your helm chart with values similar to this:
analyzer:scratchVolume:details:ephemeral:volumeClaimTemplate:metadata:{}spec:accessModes:- ReadWriteOnceresources:requests:# must be 3xANCHORE_MAX_COMPRESSED_IMAGE_SIZE_MB + analyser_cache_size# Setting this to 100G would mean the largest image you can scan is 30G (not counting analysis cache if you choose to configure that)storage:100Gi# this would refer to whatever your storage class was namedstorageClassName:"gp3"
We also suggest using a vanity domain (anchore.mydomain.com in the example below) over TLS with Route53 & ACM however this goes beyond the scope of this document.
If your load balancer or reverse proxy terminates TLS on behalf of Anchore Enterprise, you should set enable_ssl and enable_proxy to True in the Enterprise UI configuration. Without these settings, the UI may not correctly detect the HTTPS connection, which could result in unexpected behavior with session cookies and authentication. For more details, see Enterprise UI Configuration.
Here is a sample manifest for use with the AWS LBC or EKS Auto Mode ALB ingress:
ingress:enabled:trueapiPaths:- /v2/- /version/uiPath:/ingressClassName:albannotations:# See https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/guide/ingress/annotations.md for further customization of annotationsalb.ingress.kubernetes.io/scheme:internet-facing# If you do not plan to bring your own hostname (i.e. use the AWS supplied CNAME for the load balancer) then you can leave apiHosts & uiHosts as empty lists:#apiHosts: []#uiHosts: []# If you plan to bring your own hostname then you'll likely want to populate them as follows:apiHosts:- anchore.mydomain.comuiHosts:- anchore.mydomain.com
There are alternative ways to access services within your EKS cluster besides LBC ingress.
You must also configure/change the following from ClusterIP to NodePort:
Anchore Enterprise API Service
# Pod configuration for the Anchore Enterprise API service.api:# kubernetes service configuration for anchore external APIservice:type:NodePortport:8228annotations:{}
Anchore Enterprise UI Service
ui:# kubernetes service configuration for anchore UIservice:type:NodePortport:80annotations:{}sessionAffinity:ClientIP
Amazon ALB Parameters
Users of ALB may want to align the timeout between gunicorn & ALB. The AWS ALB Connection idle timeout defaults to 60 seconds. The Anchore Enterprise Helm charts have a timeout setting that defaults to 5 seconds which should be aligned with the ALB timeout setting.
Sporatic HTTP 502 errors may be emitted by the ALB if the timeouts are not in alignment. Please see this reference:
Changed timeout_keep_alive from 5 to 65 to align with the ALB’s default timeout of 60.
anchoreConfig:server:timeout_keep_alive:65
Install Anchore Enterprise
Deploy Anchore Enterprise by following the instructions here.
Verify Ingress
Run the following command for details on the deployed ingress resource using the ELB:
$ kubectl describe ingress
Name: anchore-enterprise
Namespace: default
Address: xxxxxxx-default-anchoreen-xxxx-xxxxxxxxx.us-east-1.elb.amazonaws.com
Default backend: default-http-backend:80 (<none>)Rules:
Host Path Backends
---- ---- --------
*
/v2/* anchore-enterprise-api:8228 (192.168.42.122:8228) /* anchore-enterprise-ui:80 (192.168.14.212:3000)Annotations:
alb.ingress.kubernetes.io/scheme: internet-facing
kubernetes.io/ingress.class: alb
Events:
Type Reason Age From Message
---- ------ ---- ---- -------
Normal CREATE 14m alb-ingress-controller LoadBalancer 904f0f3b-default-anchoreen-d4c9 created, ARN: arn:aws:elasticloadbalancing:us-east-1:077257324153:loadbalancer/app/904f0f3b-default-anchoreen-d4c9/4b0e9de48f13daac
Normal CREATE 14m alb-ingress-controller rule 1 created with conditions [{ Field: "path-pattern", Values: ["/v2/*"]}] Normal CREATE 14m alb-ingress-controller rule 2 created with conditions [{ Field: "path-pattern", Values: ["/*"]}]
The output above shows that an ELB has been created. Next, try navigating to the specified URL in a browser:
Verify Anchore Enterprise Service Status
Check the status of the system with AnchoreCTL to verify all of the Anchore services are up:
ANCHORECTL_URL=http://xxxxxx-default-anchoreen-xxxx-xxxxxxxxxx.us-east-1.elb.amazonaws.com ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status
2.3.3 - Deploying Anchore Enterprise on Google Kubernetes Engine (GKE)
Get an understanding of deploying Anchore Enterprise on a Google Kubernetes Engine (GKE) cluster and exposing it on the public Internet.
When using Google Cloud, consider utilizing Cloud SQL for PostgreSQL as a managed database service.
Prerequisites
A running GKE cluster with worker nodes launched. See GKE Documentation for more information on this setup.
Once you have a GKE cluster up and running with worker nodes launched, you can verify it by using the following command.
$ kubectl get nodes
NAME STATUS ROLES AGE VERSION
gke-standard-cluster-1-default-pool-c04de8f1-hpk4 Ready <none> 78s v1.30.3-gke.1639000
gke-standard-cluster-1-default-pool-c04de8f1-m03k Ready <none> 79s v1.30.3-gke.1639000
gke-standard-cluster-1-default-pool-c04de8f1-mz3q Ready <none> 78s v1.30.3-gke.1639000
Anchore Enterprise Helm Chart
Anchore maintains a Helm chart to simplify the software deployment process. An Anchore Enterprise deployment of the chart will include the following:
Anchore Enterprise software
PostgreSQL (13 or higher)
Redis (7 or higher)
To make the necessary configurations to the Helm chart, create a custom anchore_values.yaml file and reference it during deployment. There are many options for configuration with Anchore Enterprise. The following is intended to cover the minimum required changes to successfully deploy Anchore Enterprise on Google Kubernetes Engine.
For this deployment, a GKE ingress controller will be used. You can read more about Kubernetes Ingress with a GKE Ingress Controller here.
Configurations
Make the following changes below to your anchore_values.yaml
Ingress
ingress:enabled:trueapiPaths:- /v2/*uiPath:/*
Configuring ingress is optional. It is used throughout this guide to expose the Anchore Enterprise deployment on the public internet.
If your load balancer or reverse proxy terminates TLS on behalf of Anchore Enterprise, you should set enable_ssl and enable_proxy to True in the Enterprise UI configuration. Without these settings, the UI may not correctly detect the HTTPS connection, which could result in unexpected behavior with session cookies and authentication. For more details, see Enterprise UI Configuration.
Anchore Enterprise API Service
api:replicaCount:1# kubernetes service configuration for anchore external APIservice:type:NodePortport:8228annotations:{}
Changed the service type to NodePort.
Anchore Enterprise UI
ui:# kubernetes service configuration for anchore UIservice:type:NodePortport:80annotations:{}sessionAffinity:ClientIP
Changed the service type to NodePort.
Anchore Enterprise Deployment
Create Secrets
Enterprise services require an Anchore Enterprise license, as well as credentials with permission to access the private DockerHub repository containing the enterprise software.
Create a Kubernetes secret containing your license file:
ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl system status
Anchore Enterprise Feeds
It can take some time to fetch all of the vulnerability feeds from the upstream data sources. Check on the status of feeds with AnchoreCTL:
ANCHORECTL_URL=http://34.96.64.148 ANCHORECTL_USERNAME=admin ANCHORECTL_PASSWORD=foobar anchorectl feed list
It is not uncommon for the above command to return [] while the initial feed sync occurs.
Once the vulnerability feed sync is complete, Anchore Enterprise can begin to return vulnerability results on analyzed images. Please continue to the Vulnerability Management section of our documentation for more information.
2.3.4 - Deploying Anchore Enterprise on OpenShift
This document will walk through the deployment of Anchore Enterprise on an
OpenShift 4.x cluster and expose it on the public internet.
Anchore maintains a
Helm chart
to simplify the software deployment process. An Anchore Enterprise installation
of the chart will include the following:
Anchore Enterprise software
PostgreSQL (13 or higher)
Redis (7 or higher)
To make the necessary configurations to the Helm chart, create a custom
anchore_values.yaml file and reference it during deployment. There are many
options for configuration with Anchore Enterprise; this document is intended to
cover the minimum required changes to successfully deploy Anchore Enterprise on
OpenShift.
OpenShift Configurations
Create a New Project
Create a new project called anchore-enterprise:
oc new-project anchore-enterprise
Create Secrets
Two secrets are required for an Anchore Enterprise deployment.
Verify these secrets are in the correct namespace (anchore-enterprise):
oc describe secret <secret-name>
Link ImagePullSecret
Link the above Docker registry secret to the default service account:
oc secrets link default anchore-enterprise-pullcreds --for=pull --namespace=anchore-enterprise
Verify this by running the following:
oc describe sa
Validate your OpenShift SCC. Based on the security
constraints of your environment, you may need to change SCC:
oc adm policy add-scc-to-user anyuid -z default.
Anchore Enterprise Configurations
Create a custom anchore_values.yaml file for your Anchore Enterprise
deployment:
# NOTE: This is not a production ready values file for an openshift deployment.securityContext:fsGroup:nullrunAsGroup:nullrunAsUser:nullpostgresql:primary:containerSecurityContext:enabled:falsepodSecurityContext:enabled:falseui-redis:master:podSecurityContext:enabled:falsecontainerSecurityContext:enabled:false
Install Software
Run the following commands to install the software:
Create two route objects in the OpenShift console to expose the UI and API
services on the public internet:
Route configuration is optional. It is used throughout
this guide to expose the Anchore Enterprise deployment on the public
internet.
If your route or reverse proxy terminates TLS on
behalf of Anchore Enterprise, you should set enable_ssl and enable_proxy to
True in the Enterprise UI configuration. Without these settings, the UI may
not correctly detect the HTTPS connection, which could result in unexpected
behavior with session cookies and authentication. For more details, see
Enterprise UI
Configuration.
API Route
UI Route
Routes
Verify by navigating to the anchore-enterprise-ui route hostname. You should see
the Anchore Enterprise login page.
Anchore Enterprise System
First you will need to retrieve the admin password. This is stored as a secret
during the helm install process:
You can customize your Helm anchore_values.yaml file to use an existing/custom
secret rather than have Helm generate one for you with a generated password.
ANCHORECTL_URL=http://<anchore-api-anchore.apps.rm2.thpm.p1.openshiftapps.com>\
ANCHORECTL_USERNAME=admin \
ANCHORECTL_PASSWORD=foobar \
anchorectl system status
Anchore Vulnerability Data
Anchore has a datasyncer service that pulls the vulnerability and other data
sources such as the ClamAV malware database into your Anchore Enterprise
deployment. You can check on the status of these feeds using AnchoreCTL:
ANCHORECTL_URL=http://<anchore-ui-anchore.apps.rm2.thpm.p1.openshiftapps.com> \
ANCHORECTL_USERNAME=admin \
ANCHORECTL_PASSWORD=foobar \
anchorectl feed list
Please continue to the Vulnerability
Management section of our
documentation for more information about Vulnerability Management within Anchore
Enterprise.
2.4 - Anchore Enterprise Cloud Image
Overview
The Anchore Enterprise Cloud Image (AECI) is a fully functional machine image with an Anchore Enterprise deployment that
is pre-configured with the goal of simplifying deployment complexity for our end users.
Anchore Enterprise Cloud Image is currently available for users of Amazon Web Services only.
All /v2 API endpoints referenced throughout our documentation are accessed via /api/v2 when using AECI.
AECI contains a proprietary tool known as Cloud Image Manager. It allows users to manage their deployment by providing an easy way to install, configure and upgrade. For more information about the Cloud Image
Manager, see the Cloud Image Manager.
To get started with deploying Anchore Enterprise Cloud Image, please see AECI - AWS.
Supported Limits
The Cloud Image has the following limits, independent of instance type:
10,000 Image SBOMs
Max Image Size is 10 GB
300 Report Executions
100 System Users
Non-supported Features
The Cloud Image does not currently support the following Anchore Enterprise features:
Air-gapped Deployment
Runtime Inventory
Application Groups and Source Code Analysis
Windows Image Analysis
Legacy Image Archive
To discuss further, contact Anchore Customer Success.
The baseline supported instance type on Amazon Web Services is the r7a.xlarge. This gives the best mix of
performance to cost for running Anchore Enterprise in alignment with the supported system limits.
Cloud Image Manager will not enforce the use of this instance type but will check for the minimum resources needed to run the software. If you would like to use a different instance type, please contact Anchore Customer Success for further guidance.
For more information on Amazon EC2 Instance types Please review the following links
Memory Requirement - AECI requires a minimum of 32 GB of memory to operate.
Disk Requirement - AECI requires a minimum of 128 GB of disk space for root volume and 1 TB for data volume to operate.
Note: The data volume by default will not delete on termination of your AMI.
CPU Requirement - AECI requires a minimum of 4 vCPU to operate.
License
The Anchore Enterprise Cloud Image requires a valid license entitlement to operate. The license is provided by Anchore during the purchase process. The license file is required to be uploaded via the Cloud Image Manager during the initial setup. Please have it available before starting the installation process.
EC2 Key Pair Type
Anchore Enterprise Cloud Image is running with FIPS enabled. When creating your Key Pair, you must use an RSA key. The ED25519 key will be rejected as a non-FIPS-compliant algorithm.
A quick Demo on getting started with Anchore Enterprise Cloud Image
Once the instance is launched, please review the Cloud Image Manager documentation for the next steps on
Accessing the Cloud Image Manager. The Cloud Image Manager will walk you through the preflight checks, configuration,
and management of your Anchore Enterprise Cloud Image deployment.
Operations
With AECI up and running, there is some limited feeding and watering required. You’ll want to consider the following activities:
Backups
It is important that you have a backup and restore strategy in place to protect your data. Cloud Image Manager will prompt you to create a snapshot prior to upgrading your Anchore Enterprise Cloud Image or
expanding your disks. It is also reasonable for you to consider using AWS Backup and/or creating snapshots of your EBS volume on a regular basis:
During the course of using the product, you may wish to expand the size of your disks. It is strongly recommended
that you create a snapshot of your EBS volume prior to expanding your disks.
Once you have expanded your disk, you will need to resize the filesystem to take advantage of the additional space.
Cloud Image Manager provides a utility to resize the filesystem. Please refer to the Cloud Image Manager
Configuration Disk Expansion for more information.
Upgrade
Occasionally, Anchore will release updates to the Anchore Enterprise Cloud Image and the subsequent version of Anchore Enterprise shipped with it. The Cloud Image Manager will provide
you with upgrades that are available and allow you to determine when you want to upgrade. It is strongly
recommended that you create a snapshot of your EBS volume prior to upgrading your Anchore Enterprise Cloud Image.
During operation of Anchore Enterprise Cloud Image, you may require support from Anchore Customer Success. The
Cloud Image Manager provides you with a seamless way to generate a support bundle and upload it to Anchore.
The Cloud Image Manager is a proprietary tool that allows users to seamlessly manage their Anchore Enterprise
Cloud Image deployments. It walks users through the process of installing, configuring, and upgrading their
Anchore Enterprise Cloud Image deployment.
Best Practices
The Cloud Image Manager uses Textual (a TUI framework for Python) to provide
a terminal-based interface. For your best user experience, please use the following terminal emulators
when connecting to the Cloud Image Manager.
Note: We recommend against using the default macOS Terminal application as it may not render the TUI correctly. For more
information on why, please see Textual FAQ.
Access the Cloud Image Manager
After your instance is launched, you can access the Cloud Image Manager by connecting to the instance via SSH.
Using your private key file used for authentication (likely generated when setting up the instance) and the
public IP address of the instance, connect using the following example command:
Permissions on key file - If you get a WARNING: UNPROTECTED PRIVATE KEY FILE error, fix it by setting the
correct permissions on your key file. Run the following command to set the correct permissions:
chmod 400 ~/my-keypair.pem
Connection Issues - If you experience a Connection Timeout or Host Unreachable error, verify that the instance
is running and that the security group allows SSH traffic on port 22.
You should now be connected to the Cloud Image Manager.
Preflight Checks
The Cloud Image Manager will perform a series of preflight checks to ensure that the system is ready for installation.
These checks include ensuring that the machine image has met memory, disk space, and CPU requirements. If the system
does not meet the requirements, the preflight checks will fail and the installation will not proceed.
Initial Install
The Cloud Image Manager will walk you through the initial installation process. At the end of this process, the
Cloud Image Manager will provide you with the URL to access the Anchore Enterprise UI as well as your administrator
credentials.
Upgrade
The Cloud Image Manager will determine if there are any upgrades available for your Anchore Enterprise Cloud Image
deployment. If an upgrade is available, the Cloud Image Manager will walk you through the upgrade process. If
downtime is required, the Cloud Image Manager will notify you prior to proceeding. This will allow you to plan
for the upgrade when it is convenient for you. It is highly recommend that you take a snapshot of your EBS
volume prior to upgrade.
Configuration
The Cloud Image Manager configuration screen allows the following options:
Adding and updating the Anchore Enterprise License.
Providing any Server Certificates required for TLS access to Anchore Enterprise services.
Providing a custom Root Certificate if one is required for your environment.
Configuring any optional proxy settings required for your environment.
Disk Expansion
Reconfigure Proxy Settings
Changing Proxy settings after completing the installation process currently requires manual intervention for the settings to be fully applied.
If you must change the Proxy settings, please contact customer support for assistance.
Expand Disks
The Cloud Image Manager provides a utility to expand the root and data volumes once your virtual hard disk has been
increased in size. This step is necessary to take advantage of the additional space. The Cloud Image Manager will
shut down Anchore Enterprise during this operation. It is highly recommend that you take a snapshot of your EBS
volume prior to any operation that may modify your disk volumes.
System Status
The Cloud Image Manager provides a system status screen that shows the current service and container status
of the Anchore Enterprise services.
It also provides the list of currently deployed versions of Anchore Enterprise, Anchore Enterprise UI as well as
the other infrastructure components that are automatically deployed within the Anchore Enterprise Cloud Image.
Support
The Cloud Image Manager provides a support screen that allows you to:
Generate a support bundle. This will result with the location of the support bundle.
Upload a generated support bundle. This will be automatically uploaded to Anchore. You must create a support
ticket and provide the Support Bundle ID and Filename to the support team.
As part of the Cloud Image deployment, you have access to Grafana data that is collected for your deployment.
This data can be used to monitor the health of your deployment. The Cloud Image Manager provides a link and
credentials to access the Grafana dashboard.
2.5 - Anchore Enterprise in an Air-Gapped Environment
Anchore Enterprise can run in an isolated environment with no outside internet connectivity. It does require a network connection to its own components and should be able to reach registries (Docker v2 API compatible) where the images to be analyzed are hosted.
Make sure that the Anchore Enterprise images are either proxied into a local registry or available as local images on the system running Anchore Enterprise. These images should be referenced in your docker-compose.yaml or Helm values.yaml to enable installation within a private network.
To ensure that the Anchore Enterprise installation has up-to-date vulnerability data from the vulnerability sources, you will need to periodically download and import feed data into your Anchore Enterprise deployment. Details on how to do this can be found in the Air-Gapped Configuration.
For more detail regarding the Anchore Data Service, please see Anchore Data Service.
2.5.1 - Anchore Enterprise in an Air-Gapped Environment
This document is intended to be a complete reference guide to deploying Anchore Enterprise in an air-gapped environment. Use the print button to take this guide into your air-gapped environment.
Prerequisites
The “low side” represents the Internet-facing side. The “high side” represents the air-gapped side.
Access to a private container registry such as Harbor or otherwise is assumed. For example purposes, the private container registry domain could reflect: core.harbor.domain. However, this would be relative to the domain name for the given private container registry installation.
Deployment from a private container registry would be the recommended installation path over deployment from local images.
Please note that detailed deployment requirements can be otherwise found in Requirements
Kubernetes
Kubernetes (>=1.23)
Install command-line tools Helm (>=3.8) and Docker static binary (low side and high side)
Install command-line tool kubectl (high side)
Helm is the package manager for Kubernetes used to manage Kubernetes applications using Helm charts.
Kubectl communicates with the Kubernetes API server to send commands and manage resources within a Kubernetes cluster.
Helm and Docker (client/static binary) can be installed as standalone binaries. The Docker static binary is only needed to pull/download/save/load Docker images.
Kubectl can be installed as a standalone binary.
For an air-gapped deployment:
Helm and Docker should be installed on an Internet-facing system (can be a normal workstation on the low side) as well as the air-gapped system (can be the management system/control node on the high side).
Kubectl should be installed on the air-gapped system (can be the management system/control node on the high side) to interact with the Kubernetes cluster.
The Docker static binary is only needed to pull/download/save Docker images (on the low side).
Docker Engine/CE is needed for the Anchore Enterprise deployment (on the high side).
For an air-gapped deployment:
The Docker static binary should be installed on an Internet-facing system (can be a normal workstation on the low side) and Docker Engine/CE should be installed on the air-gapped system.
All Helm, Docker, and/or curl commands should be run from a system on the low side in which Helm, Docker, and/or curl was installed.
The Anchore-provided DockerHub credentials and PAT (Personal Access Token) will be required for pulling/downloading Docker images.
The Anchore Enterprise and Enterprise UI version should correspond to the latest/current version of Anchore Enterprise when pulling/downloading Docker images.
The pulled/downloaded Docker images will require approx. 2 - 4 GB’s of available local disk space.
Kubernetes
Pull the latest Anchore Enterprise Helm chart and dependencies
Transfer (via USB or other medium/method) the below files to the air-gapped system (on the high side):
The Anchore Enterprise Helm chart .tgz file
The Anchore-provided Anchore Enterprise license file
Untar the Anchore Enterprise Helm chart .tgz file on the air-gapped system
The tarball will be extracted to a directory named: enterprise
The directory will include the Anchore Enterprise Helm chart and the dependent PostgreSQL and Redis Helm charts.
Copy the Anchore Enterprise license file into the “enterprise” directory and if need be rename the file to: license.yaml
Docker
Transfer (via USB or other medium/method) the below files to the air-gapped system (on the high side):
The Docker Compose file
The Anchore-provided Anchore Enterprise license file
Place the Docker Compose and Anchore Enterprise license files into a designated working directory on the air-gapped system
If need be, rename the Anchore Enterprise license file to: license.yaml
Deploy Anchore Enterprise (on high side)
The Kubernetes or Docker deployment of Anchore Enterprise should take place on the air-gapped system.
Kubernetes
From the air-gapped system (on the high side), change into the “enterprise” directory that was extracted from the Anchore Enterprise Helm chart .tgz file and make a backup copy of the existing values.yaml file (as custom settings will be defined).
cd enterprise
cp values.yaml values-original.yaml
Modify the settings in the values.yaml file so that the default password for the admin user is set. Save the file once modified.
The password for the admin user MUST be initially set via the “default_admin_password” parameter. The admin password can be changed post-installation via the UI.
- default_admin_password stanza under "Anchore Configuration Parameters" section
## @param anchoreConfig.default_admin_password The password for the Anchore Enterprise admin user## This value is only used during creation of the admin user, cannot be used to change the password## default_admin_password: <strong password_of_your_choosing>
Modify the settings in the values.yaml file so that the Anchore Enterprise, Anchore Enterprise UI, PostgreSQL, Redis, and bookworm Docker images are appropriately referenced relative to an installation from the private container registry. Save the file once modified.
The Anchore Enterprise and Enterprise UI images should correspond to the latest/current version of Anchore Enterprise based on the previously pulled images.
The “image” value for Anchore Enterprise and Enterprise UI should be modified to reflect the private container registry domain.
The “tag” value for PostgreSQL and Redis should correspond to the version based on the previously pulled image.
The “registry” value for PostgreSQL and Redis should be modified to reflect the private container registry domain.
The “kubectlImage” value should be modified to reflect the private container registry domain.
The “migrationPodImage” value should be modified to reflect the private container registry domain.
Example:
- Anchore Enterprise stanza under "Common Resource Parameters" section
## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI## Only one of digest or tag should be used if using image.tag / image.digest, if both are specified it will default to using tag## Ensure tag value is quoted so it's interpreted as a string##image: <private container registry domain>/anchore/enterprise:v5.27.0
# registry: docker.io# repository: anchore/enterprise# tag: "v5.27.0"# digest: sha256:abcdef123456- Anchore Enterprise UI stanza under "Anchore UI Parameters" section
ui:
## @param ui.image Image used for the Anchore UI container## Ensure tag value is quoted so it's interpreted as a string## image: <private container registry domain>/anchore/enterprise-ui:v5.27.0
# registry: docker.io# repository: anchore/enterprise-ui# tag: v5.27.0# digest: sha256:abcdef123456
- postgresql stanza under "Anchore Database Parameters" section
## @param postgresql.image.repository Specifies the image repository to use for this chart.## @param postgresql.image.registry Specifies the image registry to use for this chart.## @param postgresql.image.tag Specifies the image to use for this chart.## @param postgresql.image.pullSecrets Specifies the image pull secrets to use for this chart.## image:
repository: bitnamilegacy/postgresql
registry: <private container registry domain>
tag: 16.6.0-debian-12-r2
pullSecrets:
- anchore-enterprise-pullcreds
- ui-redis stanza under "Anchore UI Redis Parameters" section
## @param ui-redis.image.registry Specifies the image registry to use for this chart.## @param ui-redis.image.repository Specifies the image repository to use for this chart.## @param ui-redis.image.tag Specifies the image to use for this chart.## @param ui-redis.image.pullSecrets Specifies the image pull secrets to use for this chart.## image:
registry: <private container registry domain>
repository: redis
tag: 7.4.6
pullSecrets:
- anchore-enterprise-pullcreds
- kubectlImage stanzas under "Common Resource Parameters", "Anchore Upgrade Job Parameters", and
"Anchore Object Store and Analysis Archive Migration" sections
## @param kubectlImage The image to use for the job's init container that uses kubectl to scale down deployments for the migration / upgrade## This is only used in the osaaMigration and upgrade jobs.##kubectlImage: <private container registry domain>/bitnamilegacy/kubectl:1.30
# registry: docker.io# repository: bitnamilegacy/kubectl# tag: "1.30"# digest: sha256:abcdef123456## @param upgradeJob.kubectlImage The image to use for the upgrade job's init container that uses kubectl to scale down deployments before an upgrade## This is only used in the preupgrade job. NOTE: This is deprecated. Please use `common.kubectlImage` instead.## kubectlImage: <private container registry domain>/bitnamilegacy/kubectl:1.30
## @param osaaMigrationJob.kubectlImage The image to use for the job's init container that uses kubectl to scale down deployments for the migration## This is only used in the osaaMigrationJob job. NOTE: This is deprecated. Please use `common.kubectlImage` instead.## kubectlImage: <private container registry domain>/bitnamilegacy/kubectl:1.30
- migrationPodImage stanza under "Common Resource Parameters" section
## @param migrationPodImage The image reference to the migration pod##migrationPodImage: <private container registry domain>/postgres:13-bookworm
Modify the settings in the values.yaml file so that the environment variable “ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED” is set to false. This environment variable needs to be defined under the dataSyncer.extraEnv stanza. Save the file once modified.
This setting governs downloading of feeds data by the Anchore data syncer service. As the deployment will be air-gapped, feeds data will be downloaded/uploaded manually via the anchorectl binary.
- dataSyncer stanza under "Anchore Data Syncer k8s Deployment Parameters" section
## @param dataSyncer.extraEnv Set extra environment variables for Anchore DataSyncer pods## extraEnv:
- name: ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED
value: "false"
Perform the Helm deployment of Anchore Enterprise
Follow the below steps from the Helm deployment guide:
Step 2: The license file should exist in the same directory as the extracted Anchore Enterprise Helm chart and the dependent PostgreSQL and Redis Helm charts - which would be the “enterprise” directory. If need be, the license file should also be renamed: license.yaml
Step 3: This step can be skipped as a Kubernetes secret for DockerHub credentials will not be needed in an air-gapped deployment to pull/download Docker images.
Step 4: A custom values file will not need to be created as the existing one (values.yaml) with custom-defined settings will be used.
There is also no need to add the charts repository as the chart/dependencies would have been previously pulled and transferred to the air-gapped system (on the high side).
RELEASE can be the same value as NAMESPACE and the variables can be exported as listed below.
exportNAMESPACE=anchore
exportRELEASE=anchore
The Helm command to deploy Anchore Enterprise would be as follows:
helm install ${RELEASE} -n ${NAMESPACE} /path/to/extracted/enterprise/directory
The “helm install” will initiate the installation of Anchore Enterprise. Upon completion, the pod status can be checked per the below and should reflect READY 1/1 and STATUS Running for each pod.
There should be 12 Anchore Enterprise pods in total which includes PostgreSQL and Redis.
The “helm install” will also install Anchore Enterprise with a chart-managed PostgreSQL database which is NOT recommended for Production use. The chart-managed PostgreSQL database is more suited for POC (proof-of-concept) evaluation use.
For air-gapped deployments, leveraging a managed database service such as Amazon RDS or Google Cloud SQL may not be feasible. However, a standalone PostgreSQL 16.x or higher database instance/cluster may also be used in lieu of a managed database service. Also, if utilizing a standalone database instance/cluster it is VITAL to maintain proper backups in the event data recovery is necessary.
Docker
From the air-gapped system (on the high side), change into the designated working directory where the Docker Compose and Anchore Enterprise license files were placed.
cd <designated working directory>
Modify the settings in the docker-compose.yaml file so that the default password for the admin user is set. Save the file once modified.
The password for the admin user MUST be initially set via the “ANCHORE_ADMIN_PASSWORD” environment variable. This environment variable is listed by default under the “catalog” and “queue” services. The admin password can be changed post-installation via the UI.
- default "ANCHORE_ADMIN_PASSWORD" environment variable
environment:
- ANCHORE_ADMIN_PASSWORD=<strong password of your choosing>
Modify the settings in the docker-compose.yaml file so that the Anchore Enterprise, Anchore Enterprise UI, PostgreSQL, and Redis Docker images are appropriately referenced relative to an installation from the private container registry for each Anchore Enterprise service. Save the file once modified.
The Anchore Enterprise and Enterprise UI images should correspond to the latest/current version of Anchore Enterprise based on the previously pulled images.
The “image” value should be modified to reflect the private container registry domain.
The “repository:tag” should match exactly what’s listed within the private container registry.
There should be 12 Anchore Enterprise services in total which includes PostgreSQL and Redis.
Modify the settings in the docker-compose.yaml file so that the environment variable “ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED” is set to false. This environment variable is listed by default under the “data-syncer” service. Save the file once modified.
This setting governs downloading of feeds data by the Anchore data syncer service. As the deployment will be air-gapped, feeds data will be downloaded/uploaded manually via the anchorectl binary.
Perform the Docker deployment of Anchore Enterprise
From within the designated working directory where the Docker Compose and Anchore Enterprise license files were placed, execute the below command.
docker compose up -d
Upon completion, the container status can be checked per the below and should reflect STATUS (healthy) for each container.
docker ps
- Example Output
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f1cbeeb57d17 anchore/enterprise-ui:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:3000->3000/tcp anchore-airgap-ui-1
9a31c0b9179e anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-policy-engine-1
4dbe734493ec anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8228->8228/tcp anchore-airgap-api-1
e9b28374d305 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-reports_worker-1
a59c7e637b29 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8558->8228/tcp anchore-airgap-reports-1
800e9d3e59d6 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-analyzer-1
cc990f7b6025 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8668->8228/tcp anchore-airgap-notifications-1
05b93536f286 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8778->8228/tcp anchore-airgap-data-syncer-1
569ebfec977b anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-catalog-1
128c2874c243 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-queue-1
efeadcbf1dbc postgres:16 "docker-entrypoint.s…"4 minutes ago Up 4 minutes (healthy) 0.0.0.0:5432->5432/tcp anchore-airgap-anchore-db-1
2d23836db688 redis:7.4.6 "docker-entrypoint.s…"4 minutes ago Up 4 minutes (healthy) 6379/tcp anchore-airgap-ui-redis-1
There should be 12 Anchore Enterprise containers in total which includes PostgreSQL and Redis.
Docker is more suited for POC (proof-of-concept) evaluation use or environments with low workload requirements. Kubernetes with a Helm-based deployment is recommended for Production use or environments with high workload requirements.
2.5.2 - Anchore Enterprise in an Air-Gapped Environment
This document is intended to be a complete reference guide to deploying Anchore Enterprise in an air-gapped environment. Use the print button to take this guide into your air-gapped environment.
Prerequisites
The “low side” represents the Internet-facing side. The “high side” represents the air-gapped side.
Please note that detailed deployment requirements can be otherwise found in Requirements
Kubernetes
Command-line tools Helm (>=3.8) and Docker static binary (low side and high side)
Command-line tool kubectl (high side)
Helm is the package manager for Kubernetes used to manage Kubernetes applications using Helm charts.
Kubectl communicates with the Kubernetes API server to send commands and manage resources within a Kubernetes cluster.
Helm and Docker (client/static binary) can be installed as standalone binaries. The Docker static binary is only needed to pull/download/save/load Docker images.
Kubectl can be installed as a standalone binary.
For an air-gapped deployment:
Helm and Docker should be installed on an Internet-facing system (can be a normal workstation on the low side) as well as the air-gapped system (can be the management system/control node on the high side).
Kubectl should be installed on the air-gapped system (can be the management system/control node on the high side) to interact with the Kubernetes cluster.
The Docker static binary is only needed to pull/download/save Docker images (on the low side).
Docker Engine/CE is needed for the Anchore Enterprise deployment (on the high side).
For an air-gapped deployment:
The Docker static binary should be installed on an Internet-facing system (can be a normal workstation on the low side) and Docker Engine/CE should be installed on the air-gapped system.
All Helm, Docker, and/or curl commands should be run from a system on the low side in which Helm, Docker, and/or curl was installed.
The Anchore-provided DockerHub credentials and PAT (Personal Access Token) will be required for pulling/downloading Docker images.
The Anchore Enterprise and Enterprise UI version should correspond to the latest/current version of Anchore Enterprise when pulling/downloading Docker images.
The pulled/downloaded Docker images will require approx. 2 - 4 GB’s of available local disk space.
Kubernetes
Pull the latest Anchore Enterprise Helm chart and dependencies
All Docker commands should be run on the air-gapped system in which Docker was installed.
Kubernetes
Transfer (via USB or other medium/method) the below files to the air-gapped system (on the high side):
The Anchore Enterprise Helm chart .tgz file
The Docker images tar file
The Anchore-provided Anchore Enterprise license file
Untar the Anchore Enterprise Helm chart .tgz file on the air-gapped system
The tarball will be extracted to a directory named: enterprise
The directory will include the Anchore Enterprise Helm chart and the dependent PostgreSQL and Redis Helm charts.
Copy the Anchore Enterprise license file into the “enterprise” directory and if need be rename the file to: license.yaml
Load and verify the Docker images locally on the air-gapped system
docker load -i <filename>.tar
docker images
Import the Docker images into the container runtime/Kubernetes cluster directly (from the air-gapped system) as the images may not be visible to the cluster although they are available locally
For instance, if containerd or CRI-O is the container runtime - the ctr command can be used directly from the management system/worker node.
ctr images import <filename>.tar
ctr images ls
If using Rancher (RKE), KIND, K9s, Minikube, etc. the procedure may vary so be sure to research accordingly.
Docker
Transfer (via USB or other medium/method) the below files to the air-gapped system (on the high side):
The Docker Compose file
The Docker images tar file
The Anchore-provided Anchore Enterprise license file
Place the Docker Compose and Anchore Enterprise license files into a designated working directory on the air-gapped system
If need be, rename the Anchore Enterprise license file to: license.yaml
Load and verify the Docker images locally on the air-gapped system
docker load -i <filename>.tar
docker images
Deploy Anchore Enterprise (on high side)
The Kubernetes or Docker deployment of Anchore Enterprise should take place on the air-gapped system.
Kubernetes
From the air-gapped system (on the high side), change into the “enterprise” directory that was extracted from the Anchore Enterprise Helm chart .tgz file and make a backup copy of the existing values.yaml file (as custom settings will be defined).
cd enterprise
cp values.yaml values-original.yaml
Modify the settings in the values.yaml file so that the default password for the admin user is set. Save the file once modified.
The password for the admin user MUST be initially set via the “default_admin_password” parameter. The admin password can be changed post-installation via the UI.
- default_admin_password stanza under "Anchore Configuration Parameters" section
## @param anchoreConfig.default_admin_password The password for the Anchore Enterprise admin user## This value is only used during creation of the admin user, cannot be used to change the password## default_admin_password: <strong password_of_your_choosing>
Modify the settings in the values.yaml file so that the Anchore Enterprise, Anchore Enterprise UI, PostgreSQL, Redis, and bookworm Docker images are appropriately referenced relative to an installation from local images. Save the file once modified.
The Anchore Enterprise and Enterprise UI images should correspond to the latest/current version of Anchore Enterprise based on the previously pulled images.
The “image” value for Anchore Enterprise and Enterprise UI should be modified to remove the “docker.io” registry as local images will be used.
The “tag” value for PostgreSQL and Redis should correspond to the version based on the previously pulled image.
The “registry” key for PostgreSQL and Redis should be commented out as local images will be used.
The “migrationPodImage” value should be modified to remove the “docker.io” registry as a local image will be used.
Example:
- Anchore Enterprise stanza under "Common Resource Parameters" section
## @param image Image used for all Anchore Enterprise deployments, excluding Anchore UI## Only one of digest or tag should be used if using image.tag / image.digest, if both are specified it will default to using tag## Ensure tag value is quoted so it's interpreted as a string##image: anchore/enterprise:v5.27.0
# registry: docker.io# repository: anchore/enterprise# tag: "v5.27.0"# digest: sha256:abcdef123456- Anchore Enterprise UI stanza under "Anchore UI Parameters" section
ui:
## @param ui.image Image used for the Anchore UI container## Ensure tag value is quoted so it's interpreted as a string## image: anchore/enterprise-ui:v5.27.0
# registry: docker.io# repository: anchore/enterprise-ui# tag: "v5.27.0"# digest: sha256:abcdef123456
- postgresql stanza under "Anchore Database Parameters" section
## @param postgresql.image.repository Specifies the image repository to use for this chart.## @param postgresql.image.registry Specifies the image registry to use for this chart.## @param postgresql.image.tag Specifies the image to use for this chart.## @param postgresql.image.pullSecrets Specifies the image pull secrets to use for this chart.## image:
repository: bitnamilegacy/postgresql
#registry: docker.io tag: 16.6.0-debian-12-r2
pullSecrets:
- anchore-enterprise-pullcreds
- ui-redis stanza under "Anchore UI Redis Parameters" section
## @param ui-redis.image.registry Specifies the image registry to use for this chart.## @param ui-redis.image.repository Specifies the image repository to use for this chart.## @param ui-redis.image.tag Specifies the image to use for this chart.## @param ui-redis.image.pullSecrets Specifies the image pull secrets to use for this chart.## image:
#registry: docker.io repository: redis
tag: 7.4.6
pullSecrets:
- anchore-enterprise-pullcreds
- migrationPodImage stanza under "Common Resource Parameters" section
## @param migrationPodImage The image reference to the migration pod##migrationPodImage: postgres:13-bookworm
Modify the settings in the values.yaml file so that the environment variable “ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED” is set to false. This environment variable needs to be defined under the dataSyncer.extraEnv stanza. Save the file once modified.
This setting governs downloading of feeds data by the Anchore data syncer service. As the deployment will be air-gapped, feeds data will be downloaded/uploaded manually via the anchorectl binary.
- dataSyncer stanza under "Anchore Data Syncer k8s Deployment Parameters" section
## @param dataSyncer.extraEnv Set extra environment variables for Anchore DataSyncer pods## extraEnv:
- name: ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED
value: "false"
Perform the Helm deployment of Anchore Enterprise
Follow the below steps from the Helm deployment guide:
Step 2: The license file should exist in the same directory as the extracted Anchore Enterprise Helm chart and the dependent PostgreSQL and Redis Helm charts - which would be the “enterprise” directory. If need be, the license file should also be renamed: license.yaml
Step 3: This step can be skipped as a Kubernetes secret for DockerHub credentials will not be needed in an air-gapped deployment to pull/download Docker images.
Step 4: A custom values file will not need to be created as the existing one (values.yaml) with custom-defined settings will be used.
There is also no need to add the charts repository as the chart/dependencies would have been previously pulled and transferred to the air-gapped system (on the high side).
RELEASE can be the same value as NAMESPACE and the variables can be exported as listed below.
exportNAMESPACE=anchore
exportRELEASE=anchore
The Helm command to deploy Anchore Enterprise would be as follows:
helm install ${RELEASE} -n ${NAMESPACE} /path/to/extracted/enterprise/directory
The “helm install” will initiate the installation of Anchore Enterprise. Upon completion, the pod status can be checked per the below and should reflect READY 1/1 and STATUS Running for each pod.
There should be 12 Anchore Enterprise pods in total which includes PostgreSQL and Redis.
The “helm install” will also install Anchore Enterprise with a chart-managed PostgreSQL database which is NOT recommended for Production use. The chart-managed PostgreSQL database is more suited for POC (proof-of-concept) evaluation use.
For air-gapped deployments, leveraging a managed database service such as Amazon RDS or Google Cloud SQL may not be feasible. However, a standalone PostgreSQL 16.x or higher database instance/cluster may also be used in lieu of a managed database service. Also, if utilizing a standalone database instance/cluster it is VITAL to maintain proper backups in the event data recovery is necessary.
Docker
From the air-gapped system (on the high side), change into the designated working directory where the Docker Compose and Anchore Enterprise license files were placed.
cd <designated working directory>
Modify the settings in the docker-compose.yaml file so that the default password for the admin user is set. Save the file once modified.
The password for the admin user MUST be initially set via the “ANCHORE_ADMIN_PASSWORD” environment variable. This environment variable is listed by default under the “catalog” and “queue” services. The admin password can be changed post-installation via the UI.
- default "ANCHORE_ADMIN_PASSWORD" environment variable
environment:
- ANCHORE_ADMIN_PASSWORD=<strong password of your choosing>
Modify the settings in the docker-compose.yaml file so that the Anchore Enterprise, Anchore Enterprise UI, PostgreSQL, and Redis Docker images are appropriately referenced relative to an installation from local images for each Anchore Enterprise service. Save the file once modified.
The Anchore Enterprise and Enterprise UI images should correspond to the latest/current version of Anchore Enterprise based on the previously pulled images.
The “image” value should be modified to remove the “docker.io” registry as local images will be used.
The “repository:tag” should match exactly what’s listed on the local system when running the “docker images” command.
There should be 12 Anchore Enterprise services in total which includes PostgreSQL and Redis.
Modify the settings in the docker-compose.yaml file so that the environment variable “ANCHORE_DATA_SYNC_AUTO_SYNC_ENABLED” is set to false. This environment variable is listed by default under the “data-syncer” service. Save the file once modified.
This setting governs downloading of feeds data by the Anchore data syncer service. As the deployment will be air-gapped, feeds data will be downloaded/uploaded manually via the anchorectl binary.
Perform the Docker deployment of Anchore Enterprise
From within the designated working directory where the Docker Compose and Anchore Enterprise license files were placed, execute the below command.
docker compose up -d
Upon completion, the container status can be checked per the below and should reflect STATUS (healthy) for each container.
docker ps
- Example Output
CONTAINER ID IMAGE COMMAND CREATED STATUS PORTS NAMES
f1cbeeb57d17 anchore/enterprise-ui:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:3000->3000/tcp anchore-airgap-ui-1
9a31c0b9179e anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-policy-engine-1
4dbe734493ec anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8228->8228/tcp anchore-airgap-api-1
e9b28374d305 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-reports_worker-1
a59c7e637b29 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8558->8228/tcp anchore-airgap-reports-1
800e9d3e59d6 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-analyzer-1
cc990f7b6025 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8668->8228/tcp anchore-airgap-notifications-1
05b93536f286 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 0.0.0.0:8778->8228/tcp anchore-airgap-data-syncer-1
569ebfec977b anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-catalog-1
128c2874c243 anchore/enterprise:v5.27.0 "/docker-entrypoint.…"4 minutes ago Up 3 minutes (healthy) 8228/tcp anchore-airgap-queue-1
efeadcbf1dbc postgres:16 "docker-entrypoint.s…"4 minutes ago Up 4 minutes (healthy) 0.0.0.0:5432->5432/tcp anchore-airgap-anchore-db-1
2d23836db688 redis:7.4.6 "docker-entrypoint.s…"4 minutes ago Up 4 minutes (healthy) 6379/tcp anchore-airgap-ui-redis-1
There should be 12 Anchore Enterprise containers in total which includes PostgreSQL and Redis.
Docker is more suited for POC (proof-of-concept) evaluation use or environments with low workload requirements. Kubernetes with a Helm-based deployment is recommended for Production use or environments with high workload requirements.
2.6 - Deploying AnchoreCTL
In this section you will learn how to deploy and configure AnchoreCTL, the Anchore Enterprise Command Line Interface.
AnchoreCTL is published as a simple binary available for download either from your Anchore Enterprise deployment or Anchore’s release site.
Using AnchoreCTL, you can manage and inspect all aspects of your Anchore Enterprise deployments, either as a manual
human-readable configuration/instrumentation/control tool or as a CLI that is designed to be used in scripted environments
such as CI/CD and other automation environments.
Installation
AnchoreCTL’s major and minor release version coincides with the release version of Anchore Enterprise, however patch versions may differ. For example,
Enterprise v5.27.0
AnchoreCTL v5.27.1
AnchoreCTL should be version-aligned with Anchore Enterprise for major/minor releases. Please refer to the Enterprise Release Notes for the supported version of AnchoreCTL.
MacOS / Linux
Download a local (from your Anchore Enterprise deployment) or remote (from Anchore servers) version without installation:
Linux Intel/AMD64
[Local]
curl -X GET "https://my-anchore.example.com/v2/system/anchorectl?operating_system=linux&architecture=amd64" -H "accept: */*"| tar -zx anchorectl
Anchore Enterprise is a software supply chain security platform that uses software bills of materials (SBOMs) to provide continuous visibility, vulnerability detection, policy enforcement, and compliance management for container images, source code repositories, and filesystem artifacts. It is designed for organizations that need to secure software at scale across development, CI/CD, and production environments.
How Anchore Enterprise Secures the Software Supply Chain
Anchore Enterprise takes a data-driven approach to software supply chain security. At the core of every operation is a high-fidelity SBOM that captures detailed metadata about software components, dependencies, licenses, file permissions, and more. This SBOM becomes the foundation for all downstream security analysis — see SBOMs for what an SBOM is in the context of Anchore Enterprise and the full set of uses a stored SBOM supports.
Generate and Store SBOMs
Anchore Enterprise automatically generates SBOMs when analyzing container images or source code. SBOMs can be generated server-side (centralized analysis) or locally on a CI runner using AnchoreCTL (distributed analysis). Anchore Enterprise stores all SBOMs in a centralized repository, enabling continuous monitoring for new vulnerabilities even after deployment. SBOMs can be exported in industry-standard formats including SPDX and CycloneDX.
Identify Vulnerabilities and Security Risks
Using the SBOM, Anchore Enterprise matches software components against multiple vulnerability data sources including the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and vendor-specific feeds for distributions like RHEL, Debian, Ubuntu, Alpine, and more. A precision matching algorithm selects the most accurate data source for each component, reducing false positives and false negatives. Anchore Enterprise also enriches vulnerability data with EPSS (Exploit Prediction Scoring System) scores and CISA KEV (Known Exploited Vulnerabilities) status to help prioritize remediation.
Beyond vulnerabilities, Anchore Enterprise detects malware using ClamAV signatures, identifies embedded secrets and credentials, and flags misconfigurations.
Enforce Compliance with Policy-as-Code
Anchore Enterprise includes a policy engine that evaluates SBOMs and their associated scan results against customizable rules. Policies use a gate-and-trigger model where gates define categories of checks (vulnerabilities, licenses, file permissions, secrets, metadata) and triggers define specific conditions within each gate. Policy evaluations return pass, warn, or fail results that can be used to gate CI/CD pipelines, block non-compliant deployments via Kubernetes admission control, or generate compliance reports.
Anchore Enterprise ships with pre-built policy packs mapped to industry standards including NIST 800-53, FedRAMP, CIS Benchmarks, and DoD requirements.
Monitor Runtime Environments
Anchore Enterprise integrates with Kubernetes and Amazon ECS to maintain a real-time inventory of container images running in production. The Kubernetes Inventory Agent and ECS Inventory Agent report running workloads back to Anchore Enterprise, enabling continuous policy evaluation and vulnerability monitoring of live deployments. Combined with the Kubernetes Admission Controller, organizations can prevent non-compliant images from being deployed.
Key Components
Component
Description
Anchore Enterprise API
RESTful API (v2) providing all platform capabilities for automation and integration
Anchore Enterprise UI
Web-based interface for managing images, policies, reports, and system configuration
AnchoreCTL
Go-based CLI tool for interacting with Anchore Enterprise, with built-in SBOM generation via Syft
Anchore Data Service
Hosted service providing vulnerability databases, malware signatures, EPSS data, and STIG profiles
Learn More
SBOMs for the foundational concept Anchore Enterprise is built around
Anchore Enterprise provides a comprehensive set of capabilities for securing the software supply chain, from SBOM generation and management through vulnerability remediation and compliance enforcement. It builds and integrates Anchore’s proven open source tooling; Syft, Grype and more.
SBOM Generation
Anchore Enterprise generates SBOMs using Syft, Anchore’s open-source SBOM tool. Both AnchoreCTL (the command-line client) and the server-side Analyzer embed Syft, so SBOMs produced locally on a CI runner, on a developer workstation, or centrally by the Anchore Enterprise deployment are consistent in structure and fidelity.
Two analysis modes are supported:
Distributed analysis — AnchoreCTL generates the SBOM locally on a CI runner or workstation and uploads the result to Anchore Enterprise. Image content never leaves the build environment.
Centralized analysis — The Analyzer service pulls images from registries, unpacks them, and generates SBOMs server-side. Required for malware scanning.
Anchore Enterprise generates SBOMs that include a rich superset of data beyond what standard SBOM formats capture. This additional metadata enables detection of secrets, file permissions issues, misconfigurations, and malware — in addition to standard package identification.
Anchore Enterprise SBOMs identify:
Open source and proprietary packages with ecosystem metadata (OS, language, binary)
Nested dependencies in archive files (JAR, WAR, EAR, and more)
Package details including name, version, creator, and license information
Filesystem metadata including file name, size, permissions, creation time, modification time, and hashes
Malware and cryptominers (via ClamAV signatures)
Embedded secrets, keys, and credentials
Supported Ecosystems
Anchore Enterprise supports the following packaging ecosystems for SBOM content identification:
Operating System Packages:
RPM, DEB, APK, Linux kernel archives (vmlinuz), Linux kernel modules (ko)
Language Packages:
C/C++ (conan), Dart (pubs), Dotnet (deps.json), Elixir (mix), Erlang (rebar3), Go (go.mod, Go binaries), Haskell (cabal, stack), Java (jar, ear, war, par, sar, nar, native-image), JavaScript (npm, yarn), Jenkins Plugins (jpi, hpi), Nix (outputs in /nix/store), Objective-C (cocoapods), PHP (composer), Python (wheel, egg, poetry, requirements.txt), Ruby (gem), Rust (cargo.lock), Swift (cocoapods, swift-package-manager)
Generated SBOMs — whether produced by Anchore Enterprise or imported from external tooling — are stored in a centralized repository. Anchore Enterprise continuously re-evaluates stored SBOMs as new vulnerability data or policy rules arrive, so existing artifacts do not need to be re-scanned to pick up newly disclosed issues. This storage-first model turns SBOMs from a point-in-time artifact into an ongoing source of insight.
Insights delivered from stored SBOMs include:
Vulnerability matching — SBOMs are matched against vulnerability feeds from the Anchore Data Service on every sync cycle, with EPSS and CISA KEV enrichment applied.
Policy evaluation — Policies are re-evaluated automatically when the SBOM, the policy, or the underlying data feeds change.
Drift detection — Changes between successive SBOMs for the same artifact are surfaced (see below).
Anchore Enterprise detects changes in SBOMs between builds — components added, removed, or changed. Policy rules can alert or block deployments when unexpected changes occur, helping identify developer errors, unauthorized modifications, or supply chain attacks. See SBOM Drift for more information.
SBOM Export and Compliance
SBOMs can be exported via the UI or API in SPDX and CycloneDX formats, as well as Anchore’s native Syft JSON format. Anchore Enterprise can export aggregated SBOMs for entire applications to meet customer and federal compliance requirements including Executive Order 14028 and NTIA minimum element guidelines.
Vulnerability and Security Scanning
Anchore Enterprise scans for vulnerabilities and security risks at every stage of the software development process: source code repositories, CI/CD pipelines, container registries, and runtime environments.
Precision Vulnerability Matching
Anchore Enterprise applies a precision matching algorithm that selects the most accurate vulnerability data source for each component. When the SBOM identifies a specific Linux distribution (such as RHEL or Ubuntu), Anchore Enterprise automatically uses that vendor’s security advisory feed rather than generic NVD data. This approach significantly reduces both false positives and false negatives.
Multiple Vulnerability Data Sources
Vulnerability data is sourced from 20+ providers, including the National Vulnerability Database (NVD), GitHub Security Advisories (GHSA), and vendor-specific feeds for all major Linux distributions. Anchore also maintains a curated dataset of known false-positive matches for automatic suppression. See Anchore Data Service for the complete list of sources.
EPSS and KEV Enrichment
Vulnerability findings are enriched with EPSS (Exploit Prediction Scoring System) scores that provide a probability estimate of exploitation, and CISA KEV (Known Exploited Vulnerabilities) flags that identify vulnerabilities with confirmed active exploitation in the wild. These data points help security teams prioritize remediation based on real-world risk.
Zero-Day Vulnerability Response
When a zero-day vulnerability is disclosed, Anchore Enterprise can instantly identify impacted components by querying stored SBOMs. There is no need to re-scan images or repositories — the existing SBOM data is matched against the updated vulnerability records.
Malware Detection
Anchore Enterprise scans container image layers for malware, cryptominers, and other malicious content using ClamAV signatures that are kept current through the Anchore Data Service.
Vulnerability Management and Remediation
Anchore Enterprise provides tools beyond detection to help teams manage and remediate security findings efficiently.
Manage False Positives
Anchore Enterprise reduces false positives through precision matching, Anchore-curated match exclusions, and user-defined corrections. Corrections allow teams to override CPE-based matching for specific packages, improving accuracy over time. Allowlists and time-limited allowlists provide exceptions for known acceptable risks.
VEX Annotations
Anchore Enterprise supports VEX (Vulnerability Exploitability eXchange) annotations that allow teams to document the exploitability status of specific vulnerabilities. Annotations can be set to Not Affected, Affected, Fixed, or Under Investigation, and can include action statements describing planned remediation. VEX documents can be exported in CycloneDX and OpenVEX formats.
Reporting and Notifications
Anchore Enterprise includes a reporting service with scheduled report generation, filterable by vulnerability severity, annotation status, and account scope. Reports can be exported as CSV or JSON. Notifications can be routed through webhooks, Slack, Jira, and email to alert teams when vulnerability states change, policy evaluations update, or analysis completes.
Policy Enforcement and Compliance
Anchore Enterprise includes a policy engine that enables automated compliance checking against customizable rules, industry standards, and regulatory requirements.
Gate-and-Trigger Policy Model
Policies use a gate-and-trigger model. Gates define categories of checks (vulnerabilities, licenses, secrets, file permissions, metadata), and triggers define specific conditions within each gate. Each trigger evaluation produces a stop, warn, or go action. Multiple rule sets can be combined into a single policy and mapped to specific registries, repositories, or tags.
DoD Iron Bank — Validates images against U.S. Air Force security standards at Platform One and Iron Bank.
CIS — Validates against container image best practices and a subset of NIST 800-53 and NIST 800-190 controls. Customizable for alignment with CIS Benchmarks.
NIST — Validates content against NIST 800-53 and NIST 800-190 controls.
DISA STIG Compliance
Anchore Enterprise can scan container images against DISA Security Technical Implementation Guides (STIGs). Scan results are output in OASIS Heimdall Data Format (OHDF) and can be converted to XCCDF and CKL formats for import into STIG Viewer using MITRE SAF CLI tools.
CI/CD Pipeline Integration
Policies can be enforced directly in CI/CD pipelines using AnchoreCTL. The anchorectl image check command evaluates images against the active policy and returns a pass/fail result that can gate pipeline progression. Distributed analysis mode allows SBOM generation to happen locally on CI runners for faster feedback.
Kubernetes Admission Control
The Kubernetes Admission Controller evaluates container images against Anchore Enterprise policies before allowing deployment. Images that fail policy evaluation can be blocked, providing a runtime enforcement point for production environments.
Runtime Monitoring
Anchore Enterprise integrates with container orchestration platforms to provide continuous visibility into running workloads.
Kubernetes Runtime Inventory
The Kubernetes Inventory Agent (anchore-k8s-inventory) runs inside your cluster and continuously reports running container images back to Anchore Enterprise. This enables real-time vulnerability monitoring and policy compliance checking of production workloads.
ECS Runtime Inventory
The ECS Inventory Agent (anchore-ecs-inventory) provides the same runtime inventory capability for Amazon ECS environments.
Open Source Dependency and License Management
Anchore Enterprise identifies open source dependencies incorporated at any stage of the software lifecycle, including both direct and transitive dependencies. License information is extracted for all identified packages, and license policies can be configured to enforce compliance with organizational open source requirements.
Anchore Enterprise is a distributed application deployed as a set of container images that communicate through RESTful APIs and a shared PostgreSQL database. The platform can be deployed on Kubernetes (via Helm), Docker Compose, or as a pre-configured cloud image. Each service runs independently and can be scaled horizontally to meet throughput requirements.
Services
API Service
The API service is the primary external-facing gateway for Anchore Enterprise. All client interactions — from AnchoreCTL, the web UI, and third-party integrations — route through this service. It exposes a RESTful API (v2) that provides access to image management, policy evaluation, vulnerability queries, user and account administration, SBOM operations, reporting, and system configuration.
Catalog
The catalog is the central state manager. It coordinates image lifecycle operations, tracks analysis state, manages subscriptions and event notifications, and provides data access to all other services from the backend PostgreSQL database. The catalog also handles artifact lifecycle policies (automatic archiving and deletion), garbage collection, and Kubernetes runtime inventory tracking.
Analyzer
The analyzer generates SBOMs from container images and source repositories. It unpacks image layers, catalogs all software packages and dependencies, detects malware using ClamAV signatures, searches for embedded secrets, and extracts filesystem metadata. Each analyzer instance processes one artifact at a time; scaling analyzer replicas increases parallel analysis throughput.
In distributed analysis mode, SBOM generation happens locally on the AnchoreCTL client and the resulting SBOM is uploaded to Anchore Enterprise for evaluation — bypassing the need for the analyzer to pull images directly.
Policy Engine
The policy engine loads SBOMs and evaluates them against the configured policy rules. It uses a gate-and-trigger model where each gate (vulnerabilities, licenses, secrets, file permissions, metadata) contains triggers with configurable parameters. The policy engine also handles vulnerability matching, applying the precision matching algorithm against the appropriate data feeds, and incorporates EPSS scores and KEV status into results. Policy evaluation results are stored and returned as pass, warn, or fail outcomes.
Data Syncer
The data syncer periodically downloads and normalizes datasets from the hosted Anchore Data Service. These datasets include vulnerability databases from 20+ sources, CISA KEV annotations, EPSS exploit prediction scores, ClamAV malware signatures, and STIG compliance profiles. By default, the data syncer checks for updates hourly. In air-gapped deployments, data synchronization is performed manually using AnchoreCTL.
Reports and Reports Worker
The reports service provides a GraphQL-based API for querying vulnerability, policy, and inventory data across the deployment. Users can create, schedule, and export reports in CSV or JSON format. The reports worker handles asynchronous report generation and scheduled report execution in t
