Anchore Enterprise 5.25 introduces a completely rewritten scanning engine and comprehensive upgrades to imported SBOM management. This release is designed to streamline your software supply chain security by delivering consistent analysis across developer and production workflows, EPSS and CISA KEV vulnerability filtering, and automated artifact lifecycle policies. As organizations scale their supply chain security, this update helps DevSecOps teams get the same results in every workflow while significantly reducing vulnerability noise.

Organizations today are ingesting thousands of SBOMs from third-party vendors, open source projects, and internal builds. The challenge is no longer just generating or collecting these documents; it is managing, filtering, and prioritizing the vulnerabilities within them without drowning in noise or paying for unnecessary storage bloat. Platform engineers require consistency between what a developer sees in their local CLI and what the enterprise backend reports in production.

Anchore Enterprise 5.25 addresses these challenges directly through two major platform upgrades.

The Unified Scanning Engine: Native Syft and Grype Alignment

Organizations often face friction when developer CLI tools and enterprise backend systems utilize different underlying analysis pathways. This can occasionally lead to inconsistent SBOM generation or varying vulnerability results across different workflows, eroding developer trust.

Anchore Enterprise’s image analysis and vulnerability scanning engine has been completely rewritten to align natively with Syft and Grype (Anchore’s flagship open source tools).

  • Unified Accuracy: SBOMs generated via AnchoreCTL and Anchore Enterprise’s backend are now consistent, because both use the same underlying library. You get the same results regardless of the workflow. (Note: Because of this alignment, you may observe slight differences in SBOM content and vulnerability results when comparing images analyzed prior to v5.25 against the same image analyzed with v5.25. Re-analyze images after upgrading before comparing results across versions.)
  • Performance & Cost Efficiency: The rewritten engine yields significant performance improvements during analysis and reduces object storage size due to smaller data artifacts, directly controlling infrastructure costs at scale.

Elevating Imported SBOMs to First-Class Citizens

Traditionally, imported SBOMs have been treated as somewhat opaque flat files compared to natively scanned container images. Anchore Enterprise 5.25 fundamentally changes this, bringing the deep context, discoverability, and lifecycle management previously reserved for container images directly to imported SBOMs.

These upgrades reflect the reality that modern supply chain security extends far beyond containers.

  • Deep Context via SBOM “Type” Attribute: A new required field classifies exactly what an imported SBOM represents (e.g., Application, Container, Device, File System, Firmware, Library, Virtual Machine Disk). This transforms flat files into context-rich assets, providing immediate clarity on what type of codebase element is being analyzed.
  • Enhanced Discoverability: New filters on the imported SBOMs page allow teams to search by Name, Version, and Type. As organizations scale to thousands of stored SBOMs, security teams can instantly pinpoint the exact assets they need to review.
  • High-Signal Vulnerability Filters: New filters on the imported SBOMs vulnerability page include Minimum CVSS, Minimum EPSS Score, On CISA KEV List, Vulnerability Name/ID, and Severity. These filters target vulnerability fatigue directly: by filtering for highly exploitable vulnerabilities (via EPSS and CISA KEV), security teams can focus their remediation efforts on what actually poses a risk, rather than drowning in low-severity CVEs.
  • Automated Artifact Lifecycle Policies: Support for Imported SBOMs has been added to the Artifact Lifecycle Policy engine. Platform engineers can automate the cleanup of “old” or stale imported SBOMs based on user-defined criteria, maintaining strict control over object storage bloat.
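To make the filter semantics concrete, here is an added example (written for this article, not Anchore's own code) that applies the same criteria as the filters listed above to a handful of findings from an imported SBOM. The findings, their scores and the EXAMPLE-* identifiers are constructed placeholders, not real CVEs. Two behaviours are worth noting: a finding with no EPSS or CVSS score cannot satisfy a non-zero minimum (FIRST does not score every CVE, and imported SBOMs frequently carry vendor advisories with no CVSS vector), and the "exploitable first" ordering treats KEV membership as a stronger signal than any EPSS score.

```python
"""Triage findings from an imported SBOM with CVSS, EPSS, KEV and severity filters.

Added example; not part of Anchore Enterprise. Sample findings are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional

# Severity ordering used to implement a "minimum severity" filter.
SEVERITY_RANK = {"Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}


@dataclass(frozen=True)
class Finding:
    vuln_id: str
    package: str
    severity: str
    cvss: Optional[float]   # None when no CVSS vector is available
    epss: Optional[float]   # None when the CVE has not been scored by FIRST
    kev: bool               # True if listed in CISA's Known Exploited Vulnerabilities catalog


# Constructed sample data: placeholder identifiers and scores, not real vulnerabilities.
SAMPLE: List[Finding] = [
    Finding("EXAMPLE-0001", "libfoo", "Critical", 9.8, 0.97, True),
    Finding("EXAMPLE-0002", "libbar", "High", 7.5, 0.02, False),
    Finding("EXAMPLE-0003", "libbaz", "Medium", 5.3, 0.91, False),
    Finding("EXAMPLE-0004", "libqux", "Low", 3.1, None, False),
    Finding("EXAMPLE-0005", "libzed", "High", None, 0.40, True),
]


def _clears(value: Optional[float], threshold: float) -> bool:
    """A threshold of 0 means 'no filter' and keeps unscored findings;
    any positive threshold rejects findings that have no score at all."""
    if threshold <= 0:
        return True
    return value is not None and value >= threshold


def filter_findings(findings: List[Finding], min_cvss: float = 0.0, min_epss: float = 0.0,
                    kev_only: bool = False, min_severity: str = "Negligible",
                    vuln_id: Optional[str] = None) -> List[Finding]:
    """Apply the filters conjunctively (every supplied criterion must hold)."""
    rank = SEVERITY_RANK[min_severity]
    kept = []
    for f in findings:
        if vuln_id is not None and f.vuln_id != vuln_id:
            continue
        if kev_only and not f.kev:
            continue
        if SEVERITY_RANK.get(f.severity, 0) < rank:
            continue
        if not _clears(f.cvss, min_cvss) or not _clears(f.epss, min_epss):
            continue
        kept.append(f)
    return kept


def exploit_priority(findings: List[Finding], epss_threshold: float = 0.5) -> List[Finding]:
    """Findings that are on KEV or at/above the EPSS threshold, most urgent first.
    KEV membership outranks EPSS; ties are broken by EPSS, then CVSS."""
    hot = [f for f in findings if f.kev or _clears(f.epss, epss_threshold)]
    return sorted(hot, key=lambda f: (f.kev, f.epss or 0.0, f.cvss or 0.0), reverse=True)


if __name__ == "__main__":
    for f in exploit_priority(SAMPLE):
        print(f"{f.vuln_id:14} {f.package:8} kev={f.kev!s:5} epss={f.epss} cvss={f.cvss}")
```

Note that a "Minimum CVSS 7.0" filter on this data drops EXAMPLE-0005 even though it is on KEV, because it has no CVSS score; combine a KEV filter with score thresholds using OR-style logic (as exploit_priority does) rather than stacking them, or KEV entries without scores will silently fall out of the view.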

How It Works: Managing Imported SBOM Lifecycles

To prevent storage bloat, you can now configure lifecycle policies for imported SBOMs directly alongside your container image policies.

For example, you can automatically purge imported SBOMs of an “Unknown” type that are older than 90 days. This can be configured via the API or directly in the UI under Policies → Artifact Lifecycle.

# Policy: delete imported SBOMs typed "Unknown" once 90 days have passed since analysis
anchorectl system lifecycle policy add \
  --name "auto-delete-unknown-sboms" \
  --description "Purge imported SBOMs typed as Unknown older than 90 days" \
  --artifact-type imported_sbom \
  --days_since_analyzed 90 \
  --action delete
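Before enabling a delete action, it is worth knowing exactly which records a policy like the one above would touch. The following is an added example (not Anchore's implementation) that evaluates a policy of the same shape (artifact type, SBOM type selector, days since analysis, action) against a constructed set of imported SBOM records as a dry run, and adds up the object storage the action would reclaim. The record shape, the size_bytes field and the "at least N days" boundary are assumptions for the example; an SBOM whose analysis never completed (no timestamp) is deliberately left alone rather than purged by default.

```python
"""Dry-run an artifact lifecycle policy against imported SBOM records.

Added example; not Anchore's own code. Records, sizes and the fixed clock are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class ImportedSbom:
    name: str
    version: str
    sbom_type: str                    # Application, Container, Firmware, ..., Unknown
    analyzed_at: Optional[datetime]   # timezone-aware; None if analysis never completed
    size_bytes: int                   # assumed object-store footprint of the stored SBOM


@dataclass(frozen=True)
class LifecyclePolicy:
    name: str
    artifact_type: str = "imported_sbom"
    sbom_type: Optional[str] = None   # None matches any SBOM type
    days_since_analyzed: int = 90
    action: str = "delete"


# Fixed clock so the dry run is reproducible.
NOW = datetime(2025, 1, 1, tzinfo=timezone.utc)

# Constructed sample inventory.
SAMPLE: List[ImportedSbom] = [
    ImportedSbom("vendor-agent", "1.2.0", "Unknown", NOW - timedelta(days=120), 512_000),
    ImportedSbom("vendor-agent", "1.3.0", "Unknown", NOW - timedelta(days=10), 530_000),
    ImportedSbom("router-fw", "4.1", "Firmware", NOW - timedelta(days=400), 2_048_000),
    ImportedSbom("payments-api", "2.0.0", "Application", NOW - timedelta(days=90), 900_000),
    ImportedSbom("legacy-bundle", "0.9", "Unknown", None, 75_000),
]


def matches(policy: LifecyclePolicy, sbom: ImportedSbom, now: datetime = NOW) -> bool:
    """True if the policy's criteria select this record."""
    if policy.artifact_type != "imported_sbom":
        return False
    if policy.sbom_type is not None and sbom.sbom_type != policy.sbom_type:
        return False
    if sbom.analyzed_at is None:
        return False  # never analysed: surface for review instead of silently purging
    if sbom.analyzed_at.tzinfo is None:
        raise ValueError(f"{sbom.name}:{sbom.version} has a naive timestamp; store UTC")
    # Boundary assumed inclusive: exactly N days old counts as "older than N days".
    return now - sbom.analyzed_at >= timedelta(days=policy.days_since_analyzed)


def plan(policy: LifecyclePolicy, sboms: List[ImportedSbom],
         now: datetime = NOW) -> List[Tuple[str, str]]:
    """(name, version) of every record the policy's action would apply to."""
    return [(s.name, s.version) for s in sboms if matches(policy, s, now)]


def reclaimable_bytes(policy: LifecyclePolicy, sboms: List[ImportedSbom],
                      now: datetime = NOW) -> int:
    """Object storage freed if the policy's delete action ran now."""
    if policy.action != "delete":
        return 0
    return sum(s.size_bytes for s in sboms if matches(policy, s, now))


def unanalyzed(sboms: List[ImportedSbom]) -> List[Tuple[str, str]]:
    """Records the policy skips because they have no analysis timestamp."""
    return [(s.name, s.version) for s in sboms if s.analyzed_at is None]


if __name__ == "__main__":
    policy = LifecyclePolicy("auto-delete-unknown-sboms", sbom_type="Unknown", days_since_analyzed=90)
    print("would delete:", plan(policy, SAMPLE))
    print("reclaims bytes:", reclaimable_bytes(policy, SAMPLE))
    print("needs review (never analysed):", unanalyzed(SAMPLE))
```

Run a dry run like this against an export of your inventory before creating the policy with the delete action, and keep the "never analysed" list in view: a retention rule keyed on the analysis timestamp will never age those records out.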

Use Cases by Role

  • Developers: Benefit from “Unified Accuracy.” By using AnchoreCTL locally, developers see the exact same SBOM and vulnerability results that the security team will see in the enterprise backend, eliminating the “it passed on my machine” friction.
  • Security Architects: Can apply modern, exploit-driven prioritization metrics (CISA KEV and EPSS) to third-party software and firmware, dramatically reducing triage time.
  • Platform Engineers: Gain programmatic control over storage costs with automated Artifact Lifecycle Policies for thousands of imported SBOMs.

Ready to Upgrade?

Anchore Enterprise 5.25 delivers the unified consistency developers want and the comprehensive, scalable supply chain security that enterprise platform and security teams demand.

Existing Customers:

  • Upgrade to Anchore Enterprise 5.25 today. Reach out to your Account Manager for upgrade support.
  • Check the Anchore Enterprise Documentation for specifics on configuring Artifact Lifecycle Policies.

New to Anchore?

Request a guided demo to see the new Syft/Grype unified engine and imported SBOM management in action.