Anchore Enterprise 5.23 adds CycloneDX VEX and VDR support, completing our vulnerability communication capabilities for software publishers who need to share accurate vulnerability context with customers. With OpenVEX support shipped in 5.22 and CycloneDX added now, teams can choose the format that fits their supply chain ecosystem while maintaining consistent vulnerability annotations across both standards.

This release includes:

  • CycloneDX VEX export for vulnerability annotations
  • CycloneDX VDR (Vulnerability Disclosure Report) for standardized vulnerability inventory
  • Expanded policy gates for one-time scans (see below for full list)
  • STIG profiles delivered via Anchore Data Service

The Publisher’s Dilemma: When Your Customers Find “Vulnerabilities” You’ve Already Fixed

Software publishers face a recurring challenge: customers scan your delivered software with their own tools and send back lists of vulnerabilities that your team already knows about, has already mitigated, or that simply do not apply in the deployed context. Security teams waste hours explaining the same fixes, architectural decisions, and false positives to each customer—time that could be spent on actual security improvements.

VEX (Vulnerability Exploitability eXchange) standards solve this by letting publishers document, per vulnerability and per affected package, the status that scan data alone cannot carry—whether a CVE was patched in your internal branch, affects a component you don't use, or is scheduled for remediation in your next release. With two competing VEX formats in wide use—OpenVEX and CycloneDX VEX—publishers need to support both to reach their entire ecosystem. Anchore Enterprise 5.23 completes this picture.

How CycloneDX VEX Works in Anchore Enterprise

The vulnerability annotation workflow remains identical to the OpenVEX implementation introduced in 5.22. Teams can add annotations through either the UI or API, documenting whether vulnerabilities are:

  • Not applicable to the specific deployment context
  • Mitigated through compensating controls
  • Under investigation for remediation
  • Scheduled for fixes in upcoming releases

The difference is in the export. When you download the vulnerability report, you can now select CycloneDX VEX format instead of (or in addition to) OpenVEX. The same annotation is rendered in whichever standard you select, so the status, its context, and the affected package stay attached to the vulnerability and remain machine-readable.

Adding Annotations

Via UI: Navigate to the Vulnerability tab for any scanned image, select vulnerabilities requiring annotation, and choose Annotate to add status and context.

Via API: Use the /vulnerabilities/annotations endpoint to programmatically apply annotations during automated workflows.

Exporting CycloneDX VEX

After annotations are applied:

  1. Navigate to the Vulnerability Report for your image
  2. Click the Export button above the vulnerability table
  3. In the export dialog, select CycloneDX VEX (JSON or XML format)
  4. Download the machine-readable document for distribution

The exported CycloneDX VEX document includes all vulnerability findings with their associated annotations, PURL identifiers for precise package matching, and metadata about the scanned image. Customers can import this document into CycloneDX-compatible tools to automatically update their vulnerability databases with your authoritative assessments. On the receiving side, treat the document as the publisher's assertion rather than a verdict: before suppressing a finding, confirm that the statement's PURL matches a package actually present in the artifact you received, and that a not_affected statement carries a justification explaining why.

VDR: Standardized Vulnerability Disclosure

The Vulnerability Disclosure Report (VDR) provides a complete inventory of identified vulnerabilities in CycloneDX format, regardless of annotation status. Unlike the raw, tool-specific report exports of earlier releases, VDR adheres to the CycloneDX standard for vulnerability disclosure, making it easier for security teams and compliance auditors to process the data with standard tooling.

VDR serves different use cases than VEX:

  • VEX communicates vulnerability status (not applicable, mitigated, under investigation)
  • VDR provides comprehensive vulnerability inventory (all findings with available metadata)

Organizations can export both formats from the same Export dialog: VDR for complete vulnerability disclosure to auditors or security operations teams, and VEX for communicating remediation status to customers or downstream consumers.

To generate a VDR, click the Export button above the vulnerability table and select CycloneDX VDR (JSON or XML format). The resulting CycloneDX document includes vulnerability identifiers, severity ratings, affected packages with PURLs, and any available fix information.
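As an added example covering both the CycloneDX VEX export above and the VDR export described here (example code, not Anchore's own code or its exact export layout), the Python below shows what the receiving side does with the two documents: it treats the VDR as the inventory, indexes the VEX analysis blocks by vulnerability id and PURL, and decides which findings can be dropped, which still need work, and which VEX statements match nothing in the inventory. Both sample documents, the package versions and the CVE-2099-* identifiers are constructed placeholders. Two choices are assumptions rather than CycloneDX rules: PURLs are compared with their qualifiers stripped, and a not_affected statement without a justification is not allowed to suppress a finding.

```python
"""Consumer-side handling of CycloneDX VDR and VEX documents (added example, not Anchore's code).
Assumes CycloneDX 1.4+ JSON shaped like the exports described above, with affects[].ref holding
Package URLs. Both sample documents are constructed; the CVE-2099-* ids are placeholders."""
import json

SEVERITY_ORDER = ["unknown", "none", "info", "low", "medium", "high", "critical"]
VALID_STATES = {"resolved", "resolved_with_pedigree", "exploitable", "in_triage", "false_positive", "not_affected"}
# States under which a consumer may drop a finding from its work queue.
SUPPRESSING_STATES = {"not_affected", "false_positive", "resolved", "resolved_with_pedigree"}

# Constructed VDR: the full inventory, with ratings and fix information.
SAMPLE_VDR = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-2099-0001", "ratings": [{"severity": "high"}], "recommendation": "Upgrade to 3.0.12-1",
         "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11-1"}]},
        {"id": "CVE-2099-0002", "ratings": [{"severity": "medium"}], "affects": [{"ref": "pkg:npm/lodash@4.17.20"}]},
        {"id": "CVE-2099-0003", "affects": [{"ref": "pkg:pypi/requests@2.25.0"}],  # two sources disagree
         "ratings": [{"severity": "high", "source": {"name": "NVD"}}, {"severity": "critical", "source": {"name": "vendor"}}]},
        {"id": "CVE-2099-0004", "ratings": [{"severity": "low"}], "affects": [{"ref": "pkg:pypi/requests@2.25.0"}]},
        {"id": "CVE-2099-0005", "ratings": [{"severity": "low"}], "affects": [{"ref": "pkg:deb/debian/zlib1g@1.2.13.dfsg-1"}]},
    ],
})

# Constructed VEX: the publisher's analysis. Note the qualifiers on the openssl PURL, the
# not_affected without justification on CVE-2099-0004, and a statement for a curl package
# that is not in the inventory at all.
SAMPLE_VEX = json.dumps({
    "bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
    "vulnerabilities": [
        {"id": "CVE-2099-0001", "affects": [{"ref": "pkg:deb/debian/openssl@3.0.11-1?arch=amd64&distro=debian-12"}],
         "analysis": {"state": "not_affected", "justification": "code_not_reachable",
                      "detail": "TLS is terminated at the ingress; the vulnerable path is never reached."}},
        {"id": "CVE-2099-0002", "affects": [{"ref": "pkg:npm/lodash@4.17.20"}], "analysis": {"state": "in_triage"}},
        {"id": "CVE-2099-0003", "affects": [{"ref": "pkg:pypi/requests@2.25.0"}],
         "analysis": {"state": "exploitable", "response": ["update"], "detail": "Fixed in release 2.5.0."}},
        {"id": "CVE-2099-0004", "affects": [{"ref": "pkg:pypi/requests@2.25.0"}], "analysis": {"state": "not_affected"}},
        {"id": "CVE-2099-0009", "affects": [{"ref": "pkg:deb/debian/curl@7.74.0-1.3"}], "analysis": {"state": "resolved"}},
    ],
})


def load_cyclonedx(text):
    """Parse a CycloneDX JSON document; reject formats and versions we cannot interpret."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    major, minor = (int(x) for x in str(doc.get("specVersion", "0.0")).split(".")[:2])
    if (major, minor) < (1, 4):  # the vulnerabilities[] block exists from 1.4 on
        raise ValueError(f"specVersion {major}.{minor} predates vulnerability support")
    return doc

def normalize_purl(purl):
    """Drop qualifiers and subpath (assumption): tools differ on ?arch=... / ?distro=... suffixes."""
    return purl.split("?", 1)[0].split("#", 1)[0]

def max_severity(vuln):
    """Highest severity across all ratings; NVD, distro and vendor scores often disagree."""
    rank = lambda s: SEVERITY_ORDER.index(s) if s in SEVERITY_ORDER else 0
    return max((r.get("severity", "unknown") for r in vuln.get("ratings", [])), key=rank, default="unknown")

def findings_from_vdr(vdr):
    """Flatten a VDR into one row per (vulnerability, affected package)."""
    return [{"id": v["id"], "purl": normalize_purl(a["ref"]), "severity": max_severity(v),
             "fix": v.get("recommendation")}
            for v in vdr.get("vulnerabilities", []) for a in v.get("affects", [])]

def vex_statements(vex):
    """Index analysis blocks by (vulnerability id, normalized PURL)."""
    index = {}
    for vuln in vex.get("vulnerabilities", []):
        analysis = vuln.get("analysis")
        if not analysis:
            continue  # an entry without analysis carries no VEX assertion
        if analysis.get("state") not in VALID_STATES:
            raise ValueError(f"{vuln['id']}: unknown analysis.state {analysis.get('state')!r}")
        for affected in vuln.get("affects", []):
            index[(vuln["id"], normalize_purl(affected["ref"]))] = analysis
    return index

def apply_vex(findings, statements):
    """Split findings into suppressed / actionable / unannotated and list stale statements."""
    result = {"suppressed": [], "actionable": [], "unannotated": [], "stale": []}
    seen = set()
    for f in findings:
        key = (f["id"], f["purl"])
        analysis = statements.get(key)
        if analysis is None:
            result["unannotated"].append(f)
            continue
        seen.add(key)
        state = analysis["state"]
        # Policy choice (assumption): a not_affected claim with no justification suppresses nothing.
        unjustified = state == "not_affected" and not analysis.get("justification")
        bucket = "suppressed" if state in SUPPRESSING_STATES and not unjustified else "actionable"
        result[bucket].append({**f, "state": state})
    # Statements whose (id, purl) never matched the inventory: stale data or a PURL mismatch.
    result["stale"] = sorted(k for k in statements if k not in seen)
    return result
```

Run against the embedded samples, only CVE-2099-0001 is suppressed; CVE-2099-0004 stays actionable despite its not_affected state because no justification was given, CVE-2099-0005 has no statement at all, and the curl statement lands in the stale list. That stale list is the check worth keeping in a real pipeline: a statement that matches nothing in the inventory usually means the publisher's VEX is older than the artifact you received, or that the two tools write PURLs differently.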

Enforce Gates Policy Support for One-Time Scans

Anchore One-Time Scans now support eight additional policy gates beyond vulnerability checks, enabling comprehensive compliance evaluation directly in CI/CD pipelines without persistent SBOM storage. The newly supported gates include:

This expansion allows teams to enforce compliance requirements—NIST SSDF, CIS Benchmarks, FedRAMP controls—at build time through the API. Evaluate Dockerfile security practices, verify license compliance, check for exposed credentials, and validate package integrity before artifacts reach registries.

STIG profiles delivered via Anchore Data Service

STIG profiles are now delivered through Anchore Data Service, replacing the previous feed service architecture. DoD customers receive DISA STIG updates with the same enterprise-grade reliability as other vulnerability data, supporting both static container image evaluations and runtime Kubernetes assessments required for continuous ATO processes.

The combination means organizations can implement policy-as-code for both commercial compliance frameworks and DoD-specific requirements through a single, streamlined scanning workflow.

Get Started with 5.23

Existing Anchore Enterprise Customers:

  • Contact your account manager to upgrade to Anchore Enterprise 5.23
  • Review implementation documentation for CycloneDX VEX/VDR configuration
  • Reach out to your Customer Success Engineer for guidance on annotation workflows