Supply Chain Security / Software Composition Analysis (SCA)

Software composition analysis with continuous vulnerability monitoring and SBOM management for containers.


Product Overview

15 Integrations

Anchore delivers a Software Bill of Materials (SBOM)-powered software composition analysis platform that provides end-to-end container security and software supply chain management for cloud-native environments. Unlike traditional vulnerability scanners that perform point-in-time scans, Anchore generates and stores a comprehensive SBOM for every container image. Because the SBOM is retained, new vulnerabilities can be matched against it continuously without rescanning the image or requiring access to the original artifacts, and the stored history supports forensics on whether deployed software was ever susceptible to a newly disclosed vulnerability.

The platform performs deep container image analysis, examining every layer to identify vulnerabilities in operating system packages, application dependencies, and custom code, and also supports secret detection, malware scanning, and license compliance checking. Anchore integrates into Continuous Integration/Continuous Delivery (CI/CD) pipelines, including Jenkins, GitLab, GitHub Actions, and CircleCI, for shift-left security. It also supports Kubernetes admission webhooks for deployment-time policy enforcement, so non-compliant containers are blocked before they reach production clusters, and its policy engine allows custom security policies based on flexible criteria.

Founded in 2015 and headquartered in Santa Barbara, Anchore serves flagship customers including NVIDIA, Cisco, the United States Navy, and the Department of Defense, which rely on its SBOM-centric approach to meet Federal Risk and Authorization Management Program (FedRAMP), National Institute of Standards and Technology (NIST) Secure Software Development Framework (SSDF), and executive order requirements on software supply chain security. The platform generates SBOMs in multiple industry-standard formats, including Software Package Data Exchange (SPDX) and CycloneDX. The open-source Syft and Grype tools, maintained by Anchore, provide community-driven SBOM generation and vulnerability scanning respectively.

Product Details

Security Domain

Security category

Supply Chain Security

Key Capabilities

Specific security problems this product solves

Software Composition Analysis (SCA)

Key Features

Core capabilities and differentiators

Air-Gap Deployment Support
API-First Architecture
Audit Reporting
Bring Your Own SBOM (BYOS)
CISA KEV Tracking
Continuous Vulnerability Scanning
Custom Security Policies
CVSS and EPSS Integration
Deep Container Image Analysis
Historical Vulnerability Analysis
Kubernetes Admission Webhooks
License Compliance
Malware Scanning
Multi-Format SBOM Support (SPDX, CycloneDX)
Multi-Tenancy
Policy Engine
Registry Monitoring
Role-Based Access Control (RBAC)
Runtime Image Inventory
SBOM Generation
SBOM Management and Storage
Secret Detection
Vulnerability Prioritization (Anchore Score)

Integrations

Compatible tools and platforms

Amazon Elastic Container Registry (ECR)
Azure Container Registry
CI/CD Pipelines
CircleCI
GitHub Actions
GitLab
Google Container Registry
Harbor
Jenkins
JFrog Artifactory
Jira
Kubernetes
Quay
Slack
Webhook

Deployment Options

Where and how this solution can be deployed

Cloud
Hybrid
On-Premise

Support Channels

Available support and communication options

Community Support
Dedicated Customer Success
Documentation
Email Support

Pricing Model

How this solution is priced

Annual Subscription
Open Source

Vendor Information


Anchore

Santa Barbara, CA, United States