
Supply Chain Security
Anchore
Software composition analysis with continuous vuln monitoring and SBOM management for containers.
Anchore Overview
What it does
Anchore delivers an Software Bill of Materials (SBOM)-powered software composition analysis platform providing end-to-end container security and software supply chain management for cloud-native environments. Unlike traditional vulnerability scanners that perform point-in-time scans, Anchore generates and stores comprehensive SBOMs for every container image, enabling continuous monitoring for new vulnerabilities without rescanning or requiring access to original artifacts, while providing historical forensics to determine if deployed software was ever susceptible to newly discovered vulnerabilities.
How it works
The platform features deep container image analysis examining all layers to identify vulnerabilities in operating system packages, application dependencies, and custom code, with support for secret detection, malware scanning, and license compliance checking. Anchore integrates seamlessly into Continuous Integration/Continuous Delivery (CI/CD) pipelines including Jenkins, GitLab, GitHub Actions, and CircleCI for shift-left security, while supporting Kubernetes admission webhooks for deployment-time policy enforcement preventing non-compliant containers from reaching production clusters, with the powerful policy engine allowing custom security policies based on flexible criteria.
Credentials and traction
Anchore Federal is named as an approved container-scanning tool in the U.S. Department of Defense Container Hardening Process Guide and has been the software supply chain security tool used across the U.S. Air Force Platform One Iron Bank since its 2020 inception. Its DevSecOps work spans the DoD, U.S. Air Force, U.S. Space Force, U.S. Navy, DISA, and GSA. Commercial customers include NVIDIA, Cisco, and eBay, with Cisco Umbrella crediting Anchore for reaching FedRAMP compliance in weeks.
Key Capabilities
mapped to solution categoriesScans images stored in registries (ECR, GCR, Artifact Registry, Docker Hub), for vulnerable OS packages and application dependencies at push time or on schedule, without requiring a running container.
Identifies OSS licenses in the dependency tree and flags conflicts with the project's target license or policy (GPL contamination, copyleft obligations, export-controlled components). Separate from vulnerability detection.
Identifies packages with known-malicious behavior (typosquatting, dependency confusion, backdoored releases), distinct from packages with CVEs in legitimate code.
Defines open source policies (banned licenses, blocked packages, version floors, severity gates) as version-controlled rules applied automatically at scan time across repositories.
Blocks or flags PRs in CI/CD pipelines based on policy-defined thresholds, configurable by severity, CVSS score, exploitability, fix availability, or CVE age. Prevents vulnerable code from merging without requiring zero-tolerance policies.
Exports the dependency inventory as a machine-readable Software Bill of Materials in SPDX or CycloneDX format, consumable by downstream vulnerability scanners, compliance tools, and procurement workflows.
Identifies hardcoded credentials, API keys, tokens, and private keys in source files. Operates on the repository and commit history, not at runtime.
Traverses the full dependency graph to surface CVEs in indirect dependencies, packages required by your direct dependencies. Direct-only scanning misses the majority of vulnerable code paths in modern polyglot projects.
Prioritizes dependency vulnerabilities using exploitation signals such as EPSS probability and the CISA Known Exploited Vulnerabilities catalog, ranking findings by real-world exploitation likelihood rather than CVSS severity alone.
Integrations
compatible toolsImplementation & support
Info last updated on May 28, 2026
Vendors
Is this your product?
Claim your profile to connect with the teams looking for your solutions.