Anchore is a container security company built around the principle that SBOMs should be the foundation of software security. The company maintains two widely-used open-source tools – Syft for SBOM generation and Grype for vulnerability scanning – with over 50 million combined downloads across the ecosystem. Anchore Enterprise extends these with continuous monitoring, compliance automation, and policy enforcement.
Where many SCA tools focus on developer workflows and fix PRs, Anchore targets organizations that need to prove compliance. Its pre-built policy packs for FedRAMP, NIST, and DISA standards, combined with air-gapped deployment support, make it a go-to choice for government agencies and regulated industries.
What is Anchore?
Anchore takes an SBOM-first approach to container security. Rather than scanning an image once and moving on, it generates a detailed SBOM, stores it centrally, and continuously matches it against updated vulnerability feeds. When a new CVE drops, Anchore knows immediately which images in your inventory are affected, without rescanning a single container.
The platform spans two tiers: free open-source CLI tools for individual developers and CI pipelines, and a commercial enterprise platform for organizations that need dashboards, compliance, and governance.
Open-source tools
Syft: SBOM generation
Syft is a CLI tool and Go library that generates Software Bills of Materials from container images, filesystems, and archives. It supports dozens of packaging ecosystems including Alpine, Debian, RPM, npm, pip, Maven, Go, Cargo, Composer, NuGet, and more.
Output formats include CycloneDX, SPDX, Syft JSON, and GitHub’s dependency snapshot format. Syft can also convert between SBOM formats, making it useful as a general-purpose SBOM utility.
```bash
# Generate SBOM from container image
syft alpine:latest -o cyclonedx-json > sbom.json

# Generate SBOM from directory
syft dir:/path/to/project -o spdx-json

# Generate SBOM from archive
syft docker-archive:image.tar

# Convert SBOM format
syft convert sbom.cdx.json -o spdx-json
```
Grype: vulnerability scanning
Grype scans container images, filesystems, and SBOM files against multiple vulnerability databases including NVD, GitHub Security Advisories, and distribution-specific feeds. It includes EPSS and KEV-based risk scoring with a composite score from 0 to 10.
```bash
# Scan container image
grype alpine:latest

# Scan an SBOM
grype sbom:./sbom.json

# Fail on high or critical
grype alpine:latest --fail-on high

# Output SARIF for GitHub Security
grype alpine:latest -o sarif > results.sarif
```
Grant: license compliance
Grant is a newer addition to the Anchore open-source suite that handles license checking. It reads SBOMs and evaluates package licenses against configurable policies, flagging non-compliant or risky licenses.
Enterprise platform
Anchore Enterprise extends the open-source tools with capabilities that organizations need at scale.
Continuous vulnerability monitoring
This is the feature that distinguishes Anchore Enterprise from running Grype in CI. The platform stores every SBOM generated from your pipeline and continuously matches stored SBOMs against updated vulnerability feeds. When a new advisory is published, Anchore identifies affected images instantly and sends alerts, without requiring a rescan of the original artifact.
This solves the “scan gap” problem where vulnerabilities disclosed after your last pipeline run go undetected until the next build.
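To make the "scan gap" concrete, here is an added illustration (not Anchore's code) of the SBOM-first idea: an inventory of stored SBOMs is inverted into a package index once, and a newly published advisory is answered from that index with no rescan of any image. The SBOM contents, image names and advisory are all constructed; the CVE id is a placeholder.

```python
from collections import defaultdict

# Constructed sample: two stored CycloneDX-style SBOMs keyed by image (not real images).
STORED_SBOMS = {
    "registry.example/api:1.4.2": {"components": [
        {"name": "openssl", "version": "3.0.7", "purl": "pkg:apk/alpine/openssl@3.0.7"},
        {"name": "lodash", "version": "4.17.20", "purl": "pkg:npm/lodash@4.17.20"},
    ]},
    "registry.example/worker:0.9.0": {"components": [
        {"name": "openssl", "version": "3.0.12", "purl": "pkg:apk/alpine/openssl@3.0.12"},
        {"name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"},
    ]},
}

def _vtuple(version):
    """Compare dotted versions numerically; non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def build_index(sboms):
    """Invert the SBOM store once: (purl type, package name) -> [(image, version)].
    This lookup is what makes a new advisory cheap to answer later."""
    index = defaultdict(list)
    for image, sbom in sboms.items():
        for comp in sbom["components"]:
            purl_type = comp["purl"].split("/")[0].removeprefix("pkg:")
            index[(purl_type, comp["name"])].append((image, comp["version"]))
    return index

def affected_images(index, advisory):
    """Return images carrying a version older than the advisory's fixed version."""
    key = (advisory["ecosystem"], advisory["package"])
    fixed = _vtuple(advisory["fixed_in"])
    return sorted(img for img, ver in index.get(key, []) if _vtuple(ver) < fixed)

if __name__ == "__main__":
    index = build_index(STORED_SBOMS)
    # Constructed advisory published after the images were built (placeholder id, not a real CVE).
    new_advisory = {"id": "CVE-0000-00000", "ecosystem": "apk",
                    "package": "openssl", "fixed_in": "3.0.10"}
    print(affected_images(index, new_advisory))  # ['registry.example/api:1.4.2']
```

Only the api image is reported: its openssl is below the fixed version, while the worker image already carries a fixed build.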
Policy-based admission control
Define policies that determine which images are allowed to deploy. Policies can check for:
- Maximum vulnerability severity thresholds
- Required SBOM presence and completeness
- Approved or denied base images
- License compliance requirements
- Secret detection results
- Package blacklists or whitelists
Policies integrate with Kubernetes admission controllers and CI/CD gates to enforce compliance before deployment.
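The checks listed above, as an added example of a minimal admission gate (this is not Anchore's policy language or engine). The scan result follows the shape of Grype's JSON output (`matches[].vulnerability`, `matches[].artifact`), but the findings, base-image metadata and SBOM flag are constructed and the CVE ids are placeholders.

```python
SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Constructed policy mirroring the checks above (not Anchore's policy syntax).
POLICY = {
    "max_severity": "medium",          # anything above this blocks, like `grype --fail-on high`
    "denied_packages": {"log4j-core"},
    "allowed_base_images": {"alpine", "cgr.dev/chainguard/static"},
    "require_sbom": True,
}

# Constructed scan result; match entries follow Grype's JSON layout.
SCAN = {
    "image": "registry.example/api:1.4.2",
    "base_image": "ubuntu",        # constructed metadata, not a Grype field
    "sbom_present": True,          # constructed metadata, not a Grype field
    "matches": [
        {"vulnerability": {"id": "CVE-0000-00001", "severity": "High"},
         "artifact": {"name": "openssl", "version": "3.0.7"}},
        {"vulnerability": {"id": "CVE-0000-00002", "severity": "Low"},
         "artifact": {"name": "zlib", "version": "1.2.13"}},
    ],
}

def evaluate(scan, policy):
    """Return every policy violation; an empty list means the image may deploy."""
    violations = []
    if policy["require_sbom"] and not scan.get("sbom_present"):
        violations.append("no SBOM attached to image")
    if scan.get("base_image") not in policy["allowed_base_images"]:
        violations.append(f"base image {scan.get('base_image')!r} is not approved")
    cutoff = SEVERITY_RANK[policy["max_severity"]]
    for match in scan["matches"]:
        sev = match["vulnerability"]["severity"].lower()
        pkg = match["artifact"]["name"]
        if pkg in policy["denied_packages"]:
            violations.append(f"denied package {pkg}")
        if SEVERITY_RANK.get(sev, 0) > cutoff:
            violations.append(f"{match['vulnerability']['id']} in {pkg} is {sev}")
    return violations

def admit(scan, policy):
    """Admission decision an admission controller or CI gate would act on."""
    return not evaluate(scan, policy)

if __name__ == "__main__":
    for v in evaluate(SCAN, POLICY):
        print("DENY:", v)
    print("admitted:", admit(SCAN, POLICY))  # admitted: False
```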
Compliance automation
Anchore Enterprise ships with pre-built policy packs for major regulatory frameworks:
| Framework | Coverage |
|---|---|
| FedRAMP | Vulnerability scanning requirements, NIST 800-53 Rev 5 controls |
| NIST 800-190 | Container security guidelines |
| DISA | DOD/DISA standards compliance |
| CIS Benchmarks | Container hardening checks |
| Executive Order 14028 | SBOM requirements for federal software |
The Federal Edition supports FIPS compliance and deploys in environments from IL2 through IL6 air-gapped classified networks.
Secret and malware detection
Beyond vulnerability scanning, Anchore Enterprise scans container image layers for embedded secrets (API keys, credentials, private keys) and known malware signatures, catching risks that dependency-level scanning misses.
CI/CD integration
GitHub Actions
```yaml
name: Anchore Container Security
on: [push, pull_request]

# upload-sarif needs security-events: write; the default token is read-only on many repos
permissions:
  contents: read
  security-events: write

jobs:
  anchore-scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Build image
        run: docker build -t myapp:${{ github.sha }} .

      - name: Generate SBOM with Syft
        uses: anchore/sbom-action@v0
        with:
          image: myapp:${{ github.sha }}
          format: cyclonedx-json
          output-file: sbom.cdx.json

      - name: Scan with Grype
        uses: anchore/scan-action@v7
        id: scan
        with:
          image: myapp:${{ github.sha }}
          fail-build: true
          severity-cutoff: high

      - name: Upload SARIF
        # fail-build: true fails this step on findings; always() keeps the upload running
        # so the findings still reach the Security tab
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: ${{ steps.scan.outputs.sarif }}
```
When to use Anchore
Anchore is the right fit when compliance is a hard requirement, not a nice-to-have.
Strengths:
- SBOM-first approach enables continuous monitoring without rescanning
- Pre-built compliance policy packs for FedRAMP, NIST, DISA
- Air-gapped deployment for classified environments (IL2-IL6)
- Strong open-source tools (Syft, Grype) with 50M+ downloads
- Policy-based admission control integrates with Kubernetes
Limitations:
- Enterprise pricing requires sales engagement
- Open-source tools are CLI-only without dashboards
- Focused on containers; less coverage for non-containerized workloads
- Learning curve for policy authoring and enterprise configuration
How it compares:
| vs. | Key difference |
|---|---|
| Snyk Open Source | Snyk is developer-focused with fix PRs and IDE plugins. Anchore targets compliance-heavy environments with policy packs and air-gapped deployment. |
| Chainguard | Chainguard provides secure images. Anchore scans and monitors images you build. Complementary – Anchore and Chainguard announced a partnership in 2025. |
| JFrog Xray | Xray is tightly coupled with Artifactory. Anchore is registry-agnostic and stronger on government compliance. |
| FOSSA | FOSSA excels at license compliance for source code. Anchore focuses on container security with broader compliance framework coverage. |