In the modern theater of digital warfare, the Department of War (DoW) is transitioning to a Zero Trust Architecture (ZTA). At the heart of this transition lies a fundamental principle: “Never Trust, Always Verify.”
For software applications, this means verifying every single component, library, and dependency before it ever touches a mission-critical network. Anchore Enterprise serves as a cornerstone for this verification, providing the deep visibility and continuous monitoring required to satisfy DoW Zero Trust mandates.
Setting the Stage: Zero Trust References
To understand how Anchore fits into the mission, it is important to first understand the context of Zero Trust within the DoW. Here is a breakdown of the critical documents and frameworks:
- The Foundation (NIST 800-207): Defines the “Logic.” These are the underlying definitions that the Strategy and Reference Architecture are built upon.
- The Vision (DoW ZT Strategy): Defines the “Why” and “When.” This sets the timeline and establishes the 7 Pillars of Zero Trust.
- The Blueprint (DoW ZT Ref Arch): Defines the “How.” This outlines the technical capabilities organizations must build and defines the 5 Tenets of Zero Trust.
- The Measuring Stick (CISA Maturity Model): The “Progress Tracker” used to measure how far along the path you are.
The 7 Pillars of Zero Trust: What We Protect
Anchore Enterprise plays a critical role in securing the pillars that support the DoW’s Zero Trust strategy. While traditional security focuses heavily on the perimeter, Anchore secures the workload itself.
User and Device Integrity
The first line of defense is ensuring that only authorized users and secure devices access the network. Anchore integrates with LDAP and Single Sign-On services (such as Okta and Entra ID) to enforce strict identity management. For devices, we go a step further by generating Software Bills of Materials (SBOMs) to evaluate the security posture of the systems themselves. Within CI/CD pipelines, virtual machine images can have their SBOMs validated with policy-as-code to ensure they meet DoW requirements before they ever reach production.
Applications, Workloads, and Data
Securing the software layer (i.e., containers, virtual machines, and source code) is Anchore’s specialty. We generate SBOMs for containers, filesystems, and source code, applying strict policy checks to ensure compliance. By utilizing a Kubernetes Admission Controller, Anchore can stop non-compliant container deployments in their tracks. Furthermore, we leverage strict Role-Based Access Control (RBAC) to ensure least privilege for data, verifying that containers are built correctly with the right encryption and access parameters every time.
Network, Automation, and Visibility
To prevent lateral movement, Anchore ensures containers are configured with least privilege, exposing only necessary services. We automate this protection via policy packs that check for exposed secrets, malware, and misconfigurations at scale. Finally, we provide deep visibility into container registries and production workloads, logging data to your SIEM to allow for querying across the entire landscape.
Quick Reference: The 7 Pillars
| Pillar | Focus | Anchore Capability |
|---|---|---|
| User | Continuous authentication | SSO Integration (LDAP, Okta, Entra ID) |
| Device | Device health & compliance | SBOM generation for system posture validation |
| Applications | Securing code & containers | SBOMs, Policy checks, K8s Admission Control |
| Data | Encryption & Labeling | RBAC, Least Privilege enforcement, Integrity checks |
| Network | Segmentation | Least privilege configuration checks |
| Automation | Scalable response | Automated Policy Packs (Secrets, Malware, CVEs) |
| Visibility | Analytics & Logging | Runtime Inventory & SIEM integration |
The Five Tenets of Zero Trust: How We Protect
The DoW defines five foundational tenets that influence every aspect of Zero Trust. Anchore Enterprise turns these abstract tenets into operational realities.
Operating in a Hostile Environment
We must assume that the environment is hostile and that all users, devices, and applications are untrusted, regardless of their location. Anchore adopts this mindset by assuming that any software component, even one from a “trusted” vendor, could be a vector for attack. We treat source code, containers, and VM images as untrusted until they are explicitly verified against security policies.
Presume Breach and Verify Constantly
Operating with the assumption that an adversary is already present requires constant vigilance. Anchore performs continuous re-scanning not just in registries, but also in Kubernetes using runtime inventory. If a new vulnerability is announced today, Anchore immediately identifies exactly where that threat exists in your currently running environment. We deny access by default, never “trusting” a container image simply because it exists in a registry.
Scrutiny and Unified Analytics
Trust is not given; it is earned through scrutiny. Anchore analyzes multiple attributes to derive high confidence levels for access. This includes secrets, software licenses, and file-level integrity. We centralize this data to provide unified analytics, delivering a searchable, auditable history of every application or virtual machine that has ever touched the mission network.
Quick Reference: The 5 Tenets
| Tenet | Principle | Anchore Approach |
|---|---|---|
| Hostile Environment | Treat everything as untrusted | Verify all components (code, containers, VMs) explicitly. |
| Presume Breach | Adversary is already present | Continuous re-scanning & runtime inventory. |
| Never Trust/Verify | Deny access by default | Policy-as-code gates in CI/CD pipelines. |
| Scrutinize Explicitly | Contextual access analysis | Deep analysis of secrets, licenses, and file integrity. |
| Unified Analytics | Log every transaction | Centralized, searchable SBOM & vulnerability history. |
Conclusion: Continuous Verification
Zero Trust is not a “one-and-done” checkbox; it is a state of continuous verification. By aligning with the DoW pillars and tenets, Anchore Enterprise allows the Department of War to move faster, innovate with confidence, and protect the mission.
By checking against the National Vulnerability Database (NVD) and specialized feeds like the GitHub Advisory Database, Anchore ensures that the DoW is defended against both common threats and sophisticated supply chain attacks. Furthermore, by incorporating data from the Known Exploited Vulnerabilities (KEV) catalog and the Exploit Prediction Scoring System (EPSS), Anchore helps prioritize risk across the organization effectively.
As the DoW continues to mature its Zero Trust strategy, Anchore Enterprise is here to mature and protect your security posture alongside it.
Ready to get started?
- Generate: Leverage Syft to begin generating SBOMs for container images and file systems using our Getting Started guide.
- Assess: Use Grype to assess your SBOMs for vulnerabilities and check them against your specific risk tolerance.
- Enforce: Deploy Anchore Enterprise to bring it all together. Anchore Enterprise visualizes data, conducts STIG checks, and enforces policy-as-code across your SBOMs, container images, and source code.
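The Generate/Assess/Enforce steps above, the “policy-as-code gates in CI/CD pipelines” row of the tenets table, and the KEV/EPSS prioritization paragraph all describe the same control: a deny-by-default gate that reads scan findings, enriches them with exploitation data, and blocks anything over the organization's risk tolerance. The following is an added example of such a gate; it is not Anchore's, Syft's or Grype's own code or policy engine. It assumes a findings list shaped like a simplified version of the `matches` array Grype emits with `-o json` (vulnerability id and severity, artifact name and version), with a constructed set of KEV identifiers and constructed EPSS scores standing in for the CISA and FIRST feeds. `Policy`, `evaluate`, the severity ranking and the CVE identifiers are all hypothetical.

```python
"""Policy-as-code gate over vulnerability findings, prioritised with KEV and EPSS.

Added example (hypothetical): the findings below are a constructed, simplified
version of Grype's JSON `matches` list; the KEV set and EPSS scores are
constructed stand-ins for the CISA KEV catalog and the FIRST EPSS feed.
"""
from __future__ import annotations

import sys
from dataclasses import dataclass, field
from typing import Optional

SEVERITY_RANK = {"Unknown": 0, "Negligible": 0, "Low": 1, "Medium": 2, "High": 3, "Critical": 4}

# Constructed sample findings (simplified Grype-style shape, fake CVE ids).
SAMPLE_FINDINGS = [
    {"vulnerability": {"id": "CVE-2099-0001", "severity": "Critical"},
     "artifact": {"name": "libexample", "version": "1.2.3"}},
    {"vulnerability": {"id": "CVE-2099-0002", "severity": "Medium"},
     "artifact": {"name": "toolkit", "version": "4.0.1"}},
    {"vulnerability": {"id": "CVE-2099-0003", "severity": "High"},
     "artifact": {"name": "parser", "version": "0.9.0"}},
    {"vulnerability": {"id": "CVE-2099-0004", "severity": "High"},
     "artifact": {"name": "webserver", "version": "2.2.0"}},
    {"vulnerability": {"id": "CVE-2099-0005", "severity": "Low"},
     "artifact": {"name": "compress", "version": "1.0.0"}},
]
# Constructed stand-ins for KEV membership and EPSS probabilities.
SAMPLE_KEV = {"CVE-2099-0002"}
SAMPLE_EPSS = {"CVE-2099-0001": 0.02, "CVE-2099-0002": 0.91,
               "CVE-2099-0003": 0.74, "CVE-2099-0004": 0.05}


@dataclass(frozen=True)
class Policy:
    """Risk tolerance expressed as data, so it can be versioned with the pipeline."""
    block_severity_at_or_above: str = "Critical"  # always block at this severity
    block_kev: bool = True                         # block anything actively exploited
    epss_block_min_severity: str = "High"          # EPSS rule applies from here up
    epss_block_threshold: float = 0.5              # ...when exploitation is this likely


@dataclass
class Finding:
    cve: str
    severity: str
    package: str
    version: str
    in_kev: bool
    epss: Optional[float]

    @property
    def priority(self) -> tuple:
        # KEV first, then exploit likelihood, then severity: what a responder fixes first.
        return (self.in_kev, self.epss or 0.0, SEVERITY_RANK.get(self.severity, 0))


@dataclass
class Verdict:
    allowed: bool
    reasons: list[str] = field(default_factory=list)
    prioritised: list[Finding] = field(default_factory=list)


def enrich(matches: list[dict], kev: set[str], epss: dict[str, float]) -> list[Finding]:
    """Join raw scanner matches with KEV/EPSS data and sort by remediation priority."""
    findings = []
    for m in matches:
        cve = m["vulnerability"]["id"]
        findings.append(Finding(cve, m["vulnerability"].get("severity", "Unknown"),
                                m["artifact"]["name"], m["artifact"]["version"],
                                cve in kev, epss.get(cve)))
    return sorted(findings, key=lambda f: f.priority, reverse=True)


def blocking_reason(f: Finding, policy: Policy) -> Optional[str]:
    """Return why a finding violates the policy, or None if it is only a warning."""
    rank = SEVERITY_RANK.get(f.severity, 0)
    where = f"{f.cve} in {f.package}@{f.version}"
    if policy.block_kev and f.in_kev:
        return f"{where}: listed in KEV (known exploited)"
    if rank >= SEVERITY_RANK[policy.block_severity_at_or_above]:
        return f"{where}: severity {f.severity}"
    if (f.epss is not None and rank >= SEVERITY_RANK[policy.epss_block_min_severity]
            and f.epss >= policy.epss_block_threshold):
        return f"{where}: EPSS {f.epss:.2f} >= {policy.epss_block_threshold}"
    return None


def evaluate(matches: Optional[list[dict]], kev: set[str], epss: dict[str, float],
             policy: Policy = Policy()) -> Verdict:
    """Deny by default: a missing scan result is never an approval."""
    if matches is None:
        return Verdict(False, ["no scan result available: denied by default"])
    findings = enrich(matches, kev, epss)
    reasons = [r for f in findings if (r := blocking_reason(f, policy))]
    return Verdict(allowed=not reasons, reasons=reasons, prioritised=findings)


if __name__ == "__main__":
    verdict = evaluate(SAMPLE_FINDINGS, SAMPLE_KEV, SAMPLE_EPSS)
    for f in verdict.prioritised:
        print(f"{'KEV ' if f.in_kev else '    '}{f.cve:14} {f.severity:9} epss={f.epss}")
    for reason in verdict.reasons:
        print("BLOCK:", reason)
    sys.exit(0 if verdict.allowed else 1)  # non-zero exit fails the CI job
```

In a pipeline the `matches` list would come from the Assess step (`grype` run against the SBOM produced by `syft`, with `-o json`) and the non-zero exit code is what makes the Enforce step real: the job fails, so the image never reaches the registry or the admission controller. The `matches is None` branch is the part most gates forget; without it a scanner outage silently becomes an approval, which is the opposite of “deny by default”.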