Eliminating the “Security Tax” with Anchore Enterprise v6

We are thrilled to announce Anchore Enterprise v6 to help you finally eliminate the “security tax” through a unified SBOM-powered compliance solution.

If you take stock of today’s application security environment, cyber threats are growing at an alarming rate: over 15k new vulnerabilities were reported in Q1 2026 alone. Add to that an even larger spike expected due to a two-fold AI effect: (1) a higher-than-ever percentage of code authored by AI code generators, and (2) AI-assisted vulnerability discovery driving a shift in the disclosure rate and frequency. Combine this with the increasing pressure from global cybersecurity regulations. What you end up with is a perfect storm of security risk and unmet expectations. To weather this storm, organizations must address the hidden “security tax” caused by juggling a multitude of disconnected tools.

Our focus for the v6 release is to provide a proactive, automated approach to securing both your applications and your software supply chain. The result? Your teams can satisfy external audits and meet industry regulations without the traditional friction. This is critically important as the CRA vulnerability and incident reporting obligations begin on September 11, 2026.

This latest version of Anchore Enterprise introduces a Unified Asset Model to combine all of your application assets into a single view for unified analysis. We have also extended our industry-leading container image analysis to virtual machines and remote filesystems, ensuring greater codebase coverage across your entire platform. To help you move faster, teams can now leverage Anchore’s multi-factor risk scoring algorithm alongside VEX annotations to eliminate false positives and focus on the most impactful security issues first.

Reduce the “Security Tax” by Turning Your SBOMs into Actionable Compliance

Most organizations incur a “security tax” by juggling a multitude of security tools, each offering its own discovery and risk assessment. Some tools operate on codebases before the build, others scan the object code after the build, while larger security platforms handle deployment monitoring after go-live. Without a unified policy, this creates a fragmented view of risk and conflicting remediation priorities. What one tool considers acceptable before the build, another tool flags as a potential issue during pipeline checks. These conflicts are difficult to resolve and take away from a team’s productivity.

Having seen such scenarios with many of our customers, we here at Anchore set out to solve this by generating comprehensive and accurate SBOMs through analysis of container images, filesystems, and virtual machines, while also ingesting external SBOMs. We aimed for a single, deduplicated view of your packages, vulnerabilities, and compliance issues. Anchore delivers a clear path to compliance with major frameworks by leveraging the comprehensive set of policy rules aligned with key regulatory controls:

  • EU Cyber Resilience Act (CRA): Future-proof your products by automating the mandatory SBOM management and vulnerability reporting required for the European market.
  • Secure Software Development Framework (SSDF): Align with U.S. government software assurance requirements for secure development and SBOM disclosures.
  • FedRAMP & NIST 800-53: Automate the continuous monitoring and evidence collection required for federal environments and defense contracts.
  • PCI DSS: Ensure containerized payment environments meet strict vulnerability management and configuration standards.
  • SOC2 & ISO 27001: Standardize your supply chain controls to satisfy auditors with verifiable, point-in-time reports.

Key Features we are introducing in Anchore Enterprise v6

Unified Asset Model for Global Compliance

Establish a normalized view across the entire SDLC with one-click generation of unified SBOMs. This directly addresses EU CRA Annex I requirements, ensuring you maintain precise documentation of software components and their dependencies across your entire footprint.

Scan Coverage for Virtual Machines and More

Achieve true “shift-left” security by detecting vulnerabilities and compliance gaps earlier. With native filesystem scanning for virtual machines, source repositories, and build artifacts, Anchore ensures complete SBOM visibility for both containerized and traditional non-containerized deployments.

Precision Triage with Anchore Score & VEX

Streamline vulnerability management by prioritizing real-world risk over static severity. By combining Anchore Score (our multi-factor risk index) with VEX (Vulnerability Exploitability eXchange) annotations, teams can instantly identify the small fraction of exploitable vulnerabilities that require immediate action while purging false positives. This enables teams to meet strict reporting timelines mandated by CRA and SEC rules.

Centralized Third-Party SBOM Management

Empower your organization to import vendor-provided SBOMs in CycloneDX and SPDX formats. Extend full lifecycle visibility into the security of software you didn’t build, ensuring compliance with emerging transparency regulations and supply chain integrity standards.

Continuous Monitoring & Automated Reporting

Leverage the unified view of your compliance status with automated notifications of vulnerability changes. Anchore v6 supports “POA&M-as-code,” allowing organizations to manage allowlists and remediation plans directly within their existing security workflows.

Shift-Left and Shield-Right

We have seen it over and over. In today’s fast-paced DevOps environments, security cannot be a bottleneck. That is why we designed Anchore Enterprise v6 to integrate seamlessly into existing CI/CD workflows, so developers can find and fix issues earlier (shifting left) while providing security teams the oversight they need for production environments (shielding right).

  • Enterprise Scalability: Built to handle the rigorous demands of the world’s largest software ecosystems without compromising performance
  • Proactive Compliance: Stay ahead of regulatory requirements, such as the US Cyber Executive Order and the EU CRA, with automated SBOM generation
  • Operational Efficiency: Eliminate “vulnerability fatigue” by using data-driven prioritization to focus on the small percentage of risks that actually impact your environment

Get Started Today

For more details and demos, join us on June 4 for our launch webinar or contact our team for a personalized demo.

Register now to see the new Anchore Enterprise v6 features in action. Tune in on June 4 at 10am PT | 1pm ET.


Take Control of Your Software Supply Chain: Introducing Anchore SBOM

Today, we’re launching Anchore SBOM. Anchore Enterprise now allows you to manage internal and external SBOMs in a single location to track your software supply chain issues and meet your compliance requirements.

What is Anchore SBOM?

Anchore SBOM is a set of new capabilities in Anchore Enterprise that allow customers to gain comprehensive visibility into the software components present in both their internally developed and third-party supplied software, so they can identify and mitigate security and compliance risks. It provides a centralized platform for viewing, managing, and analyzing Software Bills of Materials (SBOMs), including the capability to “Bring Your Own SBOMs” (BYOS) by importing SBOMs created outside of Anchore Enterprise and organizing them into groups that reflect logical organization structures, for easier management, control, analysis, and reporting and for enhanced collaboration across business and engineering functions. Importing external SBOMs lets users go beyond standard container analysis by incorporating SBOMs generated outside of Anchore, whether from other SCA tools or vendor sources, which in turn ensures comprehensive visibility across all components of their applications.

Why are SBOMs Important?

In an era of escalating software supply chain attacks—and mounting pressure from regulators, customers, and security teams—visibility into what goes into your applications is no longer optional. Modern software is complex and often built by distributed teams on a foundation of open-source and third-party components. Staying secure and compliant requires continuous, end-to-end insight into your software stack. That means knowing exactly what’s in your applications at every stage of the DevOps lifecycle—from code to cloud. This is where SBOMs come in. SBOMs are machine-readable inventories that capture the full composition of your applications by listing every package and dependency they include.

Key Features and Benefits

  • Bring Your Own SBOM (BYOS): Import SBOMs in SPDX (versions 2.1-2.3), CycloneDX (versions 1.0-1.6), and Syft native formats, then analyze components and manage prioritized vulnerabilities.
  • Validate SBOMs: Assess uploaded SBOM quality to ensure they meet schema standards and contain the data necessary for vulnerability scanning.
  • Manage SBOMs Centrally: Store and group SBOMs to reflect logical organization structures for easier management, control, analysis, and reporting, and for enhanced collaboration across business and engineering functions.
  • Identify Vulnerabilities: Identify and report vulnerabilities within uploaded SBOMs for fast and efficient remediation.
  • Prioritize and Triage with Anchore Score: A prioritized vulnerability rating based on CVSS Score and Severity, EPSS, and CISA KEV data reduces noise and drastically improves triage time.
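To make the triage idea concrete (the Anchore Score inputs listed above and the VEX-based suppression described under “Precision Triage with Anchore Score & VEX”), here is an added illustrative example. It is not Anchore’s scoring algorithm; the weights, the `Finding` type and the sample findings (with placeholder vulnerability IDs) are assumptions constructed for this post.

```python
"""Illustrative triage: combine CVSS, EPSS and CISA KEV signals, then apply VEX.

Added example; the weighting below is a hypothetical stand-in, not Anchore Score.
"""
from dataclasses import dataclass

# VEX statuses that remove a finding from the actionable list.
SUPPRESSED_VEX = {"not_affected", "fixed"}


@dataclass
class Finding:
    vuln_id: str          # placeholder identifier, not a real CVE
    package: str
    cvss: float           # CVSS base score, 0.0-10.0
    epss: float           # EPSS exploitation probability, 0.0-1.0
    in_kev: bool          # listed in the CISA Known Exploited Vulnerabilities catalog
    vex_status: str = "affected"   # affected | not_affected | fixed | under_investigation


def risk_score(f: Finding) -> float:
    """Hypothetical 0-100 score: CVSS contributes up to 50 points,
    EPSS up to 30, and a KEV listing adds a flat 20."""
    score = f.cvss * 5.0 + f.epss * 30.0 + (20.0 if f.in_kev else 0.0)
    return round(min(score, 100.0), 1)


def triage(findings):
    """Drop VEX-suppressed findings and sort the rest by descending risk."""
    actionable = [f for f in findings if f.vex_status not in SUPPRESSED_VEX]
    return sorted(actionable, key=risk_score, reverse=True)


# Constructed sample findings; IDs are placeholders.
SAMPLE = [
    Finding("EXAMPLE-0001", "libfoo", cvss=9.8, epss=0.02, in_kev=False),
    Finding("EXAMPLE-0002", "libbar", cvss=7.5, epss=0.91, in_kev=True),
    Finding("EXAMPLE-0003", "libbaz", cvss=9.1, epss=0.60, in_kev=True,
            vex_status="not_affected"),   # vendor VEX says the code path is unreachable
    Finding("EXAMPLE-0004", "libqux", cvss=4.3, epss=0.01, in_kev=False),
]

if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{risk_score(f):5.1f}  {f.vuln_id}  {f.package}  vex={f.vex_status}")
```

Note how the critical-severity EXAMPLE-0003 disappears entirely because of its VEX status, while EXAMPLE-0002 outranks the CVSS 9.8 finding once EPSS and KEV are taken into account.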

Why Does This Matter?

Demand for software supply chain transparency is surging, driven by emerging regulations (such as NIS2, U.S. Cybersecurity Executive Orders, and the EU’s Cyber Resilience Act), industry standards (like PCI DSS), and sector-specific requirements from agencies such as the FDA and SEC. As a result, SBOMs have become essential for enterprises and government agencies seeking critical visibility into their software ecosystems.

Anchore SBOM enables you to consolidate SBOMs continuously generated throughout your development lifecycle—scanning every commit in Git, every build artifact in the CI/CD pipeline, and every deployment to Kubernetes—alongside external SBOMs produced by other tools or provided by your software vendors. This unified view offers comprehensive visibility into your software supply chain. It enables you to meet regulatory requirements and satisfy your customers’ asks with a complete, up-to-date inventory of all your assets and their current security issues.

Learn more about Anchore SBOM or contact us directly for a demo.

With the newly announced Anchore SBOM feature, teams can start safely consuming OSS while mitigating security and compliance risks. Register for our technical launch webinar.