If you’re just joining us, this is Part 2 of a series on practical implementation of software supply chain security to meet the most recent SBOM compliance requirements. In Part 1, we covered the fundamentals of automated SBOM generation, from deployment options to registry integration to vulnerability analysis across any container infrastructure. With your SBOMs now flowing into Anchore Enterprise, the real compliance value begins to emerge.
Part 2 focuses on the operational aspects that turn SBOM data into actionable compliance outcomes:
- automated policy evaluation,
- custom rule creation for your specific regulatory requirements, and
- comprehensive reporting that satisfies auditors while providing actionable insights for development teams.
Whether you’re pursuing PCI DSS 4.0 compliance, preparing for the EU Cyber Resilience Act, or building frameworks for future regulatory requirements, these capabilities transform compliance from overhead into competitive advantage.
Checking your container SBOMs (for compliance)
With high-fidelity SBOMs now present in Anchore Enterprise, the system automatically performs policy evaluations against them. This establishes a baseline for container image compliance: every image is checked against the rules of the active policy, so you start with a known state rather than a guess.
NOTE: When a container image is added, policy compliance checks are automatically applied against the SBOM in accordance with the default policy.
In the Anchore Enterprise UI, navigate to an image. The first page shown is the policy and compliance evaluation summary. From here you can inspect the policy evaluation results and the action recommended by the policy, for example the rule that was triggered and the resulting action (such as STOP or WARN).
You may wish to export a compliance report to deliver feedback to application teams or other stakeholders, asking them to fix or remediate these items. You can download this report from the UI at the click of a button.
NOTE: A compliance report can be downloaded in either JSON or CSV format.
Once application teams have remediated the findings and built a new image, Anchore Enterprise generates a fresh SBOM from it and runs another policy evaluation, so the feedback loop closes without manual re-submission.
NOTE: You can subscribe to (watch) a given tag so that whenever a new version is pushed, Anchore Enterprise scans it automatically.
You can also check your container SBOM for compliance from the CLI (AnchoreCTL) or directly through the API. This is particularly useful when working with Anchore Enterprise and SBOMs in the development pipeline. To conduct a policy check on a newly built image against the default policy, run:
$ anchorectl image check aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag --detail
You can also make the command fail based on the result of this evaluation with the -f flag:
$ anchorectl image check -f aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag
NOTE: The pass/fail evaluation result is useful for integration into CI/CD pipelines: with -f, a failed evaluation sets the exit code to 1, which halts the pipeline step.
You can also export the compliance report using the CLI:
$ anchorectl image check aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag -o json > <file_name.json>
NOTE: AnchoreCTL supports exporting the results in several formats (json, text, csv, json-raw, and id) with the -o flag. Text is the default format.
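The three commands above are usually combined into a single CI step: submit the image, wait for the SBOM to be analysed, keep a JSON report for the audit trail, and only then let the -f exit code decide whether the job continues. The script below is an added example written for this post, not Anchore's own code. It uses only the AnchoreCTL invocations shown on this page (image add --wait, image check with -f, --detail and -o json); the ANCHORECTL and REPORT_DIR overrides, the gate_image function and its return codes are this example's own conventions.

```bash
#!/bin/sh
# CI gate around AnchoreCTL: add the image, wait for SBOM analysis, export a
# JSON compliance report, then fail the job when the active policy says STOP.
# Added example, not Anchore's own code. ANCHORECTL is overridable so the
# function can be exercised with a stub; REPORT_DIR is an assumed location.
set -u

ANCHORECTL="${ANCHORECTL:-anchorectl}"
REPORT_DIR="${REPORT_DIR:-.}"

# gate_image IMAGE
# Returns 0 when the policy evaluation passes, 1 when it fails, and 2 when
# the image could not be analysed at all. The JSON report is written whenever
# an evaluation exists, so auditors and app teams receive the same artefact
# regardless of the verdict.
gate_image() {
    img="$1"
    # Derive a safe file name from the image reference ('/' and ':' -> '_').
    safe=$(printf '%s' "$img" | tr '/:' '__')
    report="$REPORT_DIR/compliance-$safe.json"

    # Submit the image and block until the SBOM is generated and analysed;
    # checking an image that is still being analysed gives no final verdict.
    if ! "$ANCHORECTL" image add --wait "$img" >/dev/null; then
        echo "gate: analysis of $img did not complete" >&2
        return 2
    fi

    # Export the full evaluation as JSON for the audit trail. No -f here:
    # the export step must never be the thing that decides the pipeline.
    if ! "$ANCHORECTL" image check -o json "$img" > "$report"; then
        echo "gate: could not export report for $img" >&2
        rm -f "$report"
    fi

    # -f makes anchorectl exit 1 on a failed evaluation; --detail prints the
    # triggered rules so the CI log shows why the gate closed.
    if "$ANCHORECTL" image check -f --detail "$img"; then
        echo "gate: $img passed policy (report: $report)"
        return 0
    fi
    echo "gate: $img FAILED policy (report: $report)" >&2
    return 1
}

# Pipeline usage:
#   sh gate.sh aws_account_id.dkr.ecr.region.amazonaws.com/repository:tag
if [ $# -gt 0 ]; then
    gate_image "$1"
fi
```

Because the report is exported before the gating check, a STOP verdict still leaves the JSON evidence behind; that is the artefact to attach to the failed build so the application team sees the same triggered rules an auditor would.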
Both UI and CLI (AnchoreCTL) compliance management are described in further detail here.
Customising Policy (for compliance posture)
Using Anchore Enterprise’s policy engine, you can build a set of custom rules that map to your own organizational policy. Alternatively, if you are pursuing FedRAMP compliance, you can use the optional policy packs that are available as add-ons for the product.
NOTE: Anchore Enterprise supports multiple policies. However, only one policy can be set as active (the default) at any time, and it is that active policy which the automatic evaluations described above run against.
In order to build or customize your own policy, you can navigate to the desired policy and begin editing the rulesets.
From the Policies (UI) page, you can view any policies listed under Policy Manager and select a given policy for editing.
When editing a policy, you can then view all rulesets associated with it and select a ruleset for editing.
When editing a ruleset, you can change the action (STOP/WARN/GO) that is recommended when the ruleset is triggered during policy evaluation.
The ruleset parameters can also be modified to change the existing threshold values.
You can also use the CLI to inspect a policy.
To list all policies, both active and inactive:
$ anchorectl policy list
To list the rulesets associated with a policy (including names and actions):
$ anchorectl policy get <The policy name or ID>
Downloading Account-Wide Compliance Reports
Sometimes you need to demonstrate your compliance with policy at the account level or across multiple accounts. Anchore Enterprise allows you to do just that with its Reporting feature. This feature, known as Anchore Enterprise Reports, aggregates data across all accounts to:
- Maintain a summary of all current and historical images/tags, and
- Maintain vulnerability reports and policy evaluations for these respective images and tags.
From the Reports (UI) page, you can generate a “New Report” based on pre-defined system templates and filters.
The first dropdown allows you to select one of the included templates for generating a report.
In turn, the second dropdown allows you to select one or more report filters.
After selecting your template and report filter(s), you can also toggle between generating a report for the account you’re logged into or for all accounts.
From the “Templates” tab, you can view all the current system templates as well as any custom templates you have created.
Once you’re ready to generate a report, it can either be downloaded in CSV or JSON (native/raw) format, or saved for later reference and run again ad hoc or on a schedule.
NOTE: Reporting is described in further detail here.
Wrap-Up
The journey from SBOM generation to automated compliance demonstrates how regulatory requirements can drive meaningful security improvements rather than just administrative overhead. Organizations that embrace this automated approach aren’t just meeting current compliance deadlines—they’re building resilient supply chain security practices that scale with their business growth.
Throughout this two-part series, we’ve seen how Anchore Enterprise transforms complex regulatory requirements into manageable, automated workflows. From initial SBOM generation across diverse container registries to sophisticated policy enforcement and comprehensive reporting, the platform provides continuous visibility into security risks while streamlining compliance processes.
The strategic advantage becomes clear when comparing manual approaches to automated SBOM management. Manual processes create bottlenecks that slow development cycles and generate compliance debt that compounds over time. Automated approaches integrate compliance checking into existing workflows, providing real-time feedback that helps development teams build more secure applications from the start.
As regulatory requirements continue expanding globally, organizations with robust SBOM management capabilities will find themselves better positioned to adapt quickly to new requirements. The foundation built for PCI DSS 4.0 and EU Cyber Resilience Act compliance provides the framework needed for whatever regulatory changes emerge next.
The choice facing organizations today isn’t whether to implement SBOM management—it’s whether to build sustainable, automated practices that turn compliance into competitive advantage or to continue with manual approaches that become more unsustainable with each new regulatory requirement. The 2025 compliance deadlines mark the beginning of this new reality, not the end.