Home / Automate container vulnerability scanning

Container Scanning Tools

Container Vulnerability Scanning

Anchore Enterprise delivers:

    • Vulnerability scanning for container images
    • Less wasted time on false positives
    • Faster, easier remediation

“Anchore gives us a centralized point with logging and metrics for a complete picture of our container security. We know exactly how many teams are scanning and what sort of images are failing.”


Find and fix vulnerabilities in your containers

Anchore Enterprise is a comprehensive solution for organizations with DevSecOps or compliance programs for software delivered in containers. It scans container images, generates an SBOM, identifies vulnerabilities and other security problems, and enables you to prioritize and remediate issues.


Automate container vulnerability scanning

Automate vulnerability scanning and monitoring for containerized software. Perform scans in CI/CD pipelines, registries, and Kubernetes platforms. Identify malware, secrets, and other security risks.


Integrate with DevOps tools

100% API coverage and fully-documented APIs enable developers to work seamlessly in the tools they already use. Automate scanning in source code repos, CI/CD pipelines, or container registries through native integrations. Streamline remediation of issues with notifications through GitHub, JIRA, Slack, and more.

See all integrations.


Visibility of software dependencies using an SBOM

SBOM Integrations

Get an SBOM with a list of components for each container image and scan. Track changes over time to identify new or updated components. Based on your SBOM, get notified of new vulnerabilities.

Learn more about SBOM management with Anchore. .


Fewer false positives

Optimize development velocity with an unparalleled signal-to-noise ratio. Get fewer false positives with vulnerability results that are pinpointed to a specific distro. Use flexible policies to prioritize based on severity or availability of a fix. Provide “corrections” and “hints” that improve results going forward. Add vulnerabilities to allowlists to prevent ongoing alerts.

Illustration of Anchore Policy Engine reducing false positives by using multiple data sources for vulnerability data.

Faster, easier remediation

Fix vulnerabilities more quickly with Anchore Enterprise’s remediation recommendations. Specify when issues must be fixed with time-based allowlists. Reduce manual work with workflows connected to your issue tracker or Slack.

How Container Vulnerability Scanning works.

Request a Demo
tooltip
Inspect and secure workloads across the entire software supply chain

Easily integrate across your toolchain.

Container Vulnerability Scanning FAQs

Chevron icon How is Anchore Enterprise different than Syft and Grype?

Syft and Grype are open source tools maintained by Anchore. Syft creates an SBOM and Grype identifies vulnerabilities in that SBOM. Anchore Enterprise is a comprehensive system to find, manage, and fix vulnerabilities and other security issues, like malware and secrets. Anchore Enterprise uses Syft and Grype as building blocks and extends them significantly with features that help you track SBOMs and vulnerabilities over time, apply rules and policies for compliance, manage false positives, and automate remediation workflows.

 

Chevron icon What are the vulnerability databases used by Anchore Enterprise?
  • Anchore Enterprise pulls vulnerability data from a variety of publicly available vulnerability data sources including: 

Documentation on vulnerability feeds in Anchore Enterprise

Chevron icon How does a DoD software factory relate to DevSecOps?

They are closely related. DoD software factories are built on DevSecOps principles and processes. In fact,  they are referred to as DevSecOps software factories in the DoD Enterprise DevSecOps Fundamentals and the DoD Enterprise Strategy Guide .

Chevron icon Does Anchore Enterprise scan more than just software packages?

Yes, Anchore Enterprise scans a container image to find all of the components across the entire file system, including the OS and open source packages, the metadata associated with every file, and can even look inside the contents of files for malware or exposed secrets. Anchore Enterprise even cracks open archive files (like jars) to find components nested multiple layers down.  Once all of the components have been cataloged, Anchore Enterprise identifies all of the relevant vulnerabilities.

 

Chevron icon How does Anchore handle false positives or false negatives?

To help with false negatives, Anchore Enterprise includes a “Hints” feature that allows developers to explicitly describe content in their applications to improve matches to enable vulnerability matching. This is particularly useful for teams which compile and install their own binaries. The Corrections feature allows security teams to correct misidentified metadata (for example where the version may be incorrect) to avoid false positives. Anchore also provides a feed of data which contains a list of ambiguous or incorrect vulnerability data which prevents false positives across all deployments. 

 

Chevron icon What is a container scanner?

Container security scanning tools streamline software supply chain security and policy enforcement by scanning container images and their contents to identify vulnerabilities before they are deployed to production environments.

Learn more about solutions for the DoD and DevSecOps

Federal Compliance

Automate compliance checks using out-of-the-box and custom policies.

Open Source Security

Improve open source security by easily tracking direct and transitive open source dependencies to identify and fix vulnerabilities early.

DevSecOps

Automate DevSecOps for your cloud-native software supply chain with an API-first DevSecOps solution.

Container Security Solution

Identify and remediate container security risks and monitor post-deployment for new vulnerabilities.

FedRAMP Vulnerability Scanning

Meet the new FedRAMP Vulnerability Scanning Requirements for Containers and achieve compliance faster with Anchore.

Container Vulnerability Scanning

Reduce false positives and false negatives with best-in-class signal-to-noise ratio.

Kubernetes Images Scanning

Allow or prevent deployment of images based on flexible policies and continuously monitor the inventory of insecure images running in your clusters.

Container Registry Scanning

Identify and remediate new risks and vulnerabilities as they emerge.

CI/CD Security & Compliance

Embed security and compliance into your CI/CD pipeline to uncover vulnerabilities, secrets, and malware in your automated build processes.

Software Bill of Materials

Get comprehensive visibility of your software components and ensure vulnerability accuracy with the most complete SBOM available. Generate, store, analyze, and monitor SBOMs across the application lifecycle to identify software dependencies and improve supply chain security.

Container Compliance

Automate compliance checks using out-of-the-box and custom policies.

Speak with our security experts

Learn how Anchore’s SBOM-powered platform can help secure your software supply chain.