Anchore

Security Plane: Security Suites

Anchore is an enterprise container security and software supply chain management platform that provides SBOM generation, vulnerability scanning, and policy enforcement. It enables organizations to achieve comprehensive visibility and control over containerized application security.
What is Anchore?

Anchore is an enterprise container security and software supply chain management platform that combines SBOM generation, vulnerability scanning, and policy enforcement capabilities. It offers both open-source tools and a commercial enterprise solution for comprehensive visibility and control over containerized application security.

Profile

Anchore is an enterprise container security and software supply chain management platform that combines SBOM generation, vulnerability scanning, and policy enforcement capabilities. The platform consists of open-source tools (Syft, Grype, and Grant) alongside a commercial enterprise offering that provides advanced management and compliance features. With significant adoption in both commercial enterprises and government agencies, particularly the US Department of Defense, Anchore has established itself as a mature solution for organizations requiring comprehensive visibility and control over containerized application security.

Focus

Anchore addresses the fundamental challenge of securing containerized applications at scale by providing deep visibility into software composition and automating security policy enforcement throughout the development lifecycle. The platform enables organizations to identify vulnerabilities, malware, misconfigurations, and compliance issues across container images and their dependencies. Its architecture serves the needs of enterprise security teams, DevSecOps practitioners, and compliance professionals who require automated, policy-driven approaches to container security that can integrate seamlessly with existing development workflows while maintaining strict security standards.

Background

Founded in 2016 by Saïd Ziouani and Daniel Nurmi, Anchore evolved from a single open-source engine to a suite of specialized security tools and an enterprise platform. The company maintains active development of both the open-source components, released under the Apache-2.0 license, and the commercial Anchore Enterprise product. Notable adoption includes integration into the US Department of Defense's DevSecOps initiatives and deployment by major enterprises such as Cisco and NVIDIA. The platform is backed by SignalFire's Series A investment and maintains a distributed development model with regular community engagement through public meetings and contribution processes.

Main features

Comprehensive SBOM generation and analysis

The platform performs deep inspection of container images and source code repositories to generate detailed software bills of materials, identifying all components including nested and transitive dependencies. The analysis engine supports multiple packaging ecosystems including operating system packages (RPM, DEB, APK), language-specific dependencies (npm, pip, Maven), and specialized artifacts. This capability enables organizations to maintain complete visibility into software composition and track changes over time, essential for both security analysis and compliance documentation.

Policy-driven security enforcement

The policy engine enables organizations to define and automatically enforce security requirements across their container ecosystem. Policies can evaluate vulnerability severities, package restrictions, configuration standards, and compliance frameworks such as NIST SP 800-190 or the CIS benchmarks. The system supports both blocking and warning actions, allowing organizations to implement graduated enforcement based on risk tolerance. Policy evaluation results can be integrated into CI/CD pipelines to prevent deployment of non-compliant images.

Continuous vulnerability monitoring

The platform maintains ongoing analysis of software inventories against emerging threats, automatically identifying when newly disclosed vulnerabilities affect previously scanned components. This capability draws on multiple vulnerability databases and on matching logic that accounts for distribution-specific patches and backports in order to minimize false positives. The continuous monitoring approach enables rapid response to zero-day vulnerabilities by providing immediate visibility into affected systems across the organization's container ecosystem.