Container Vulnerability Scanning

Syft and Grype are open source tools maintained by Anchore. Syft creates an SBOM and Grype identifies vulnerabilities in that SBOM. Anchore Enterprise is a comprehensive system to find, manage, and fix vulnerabilities and other security issues, like malware and secrets. Anchore Enterprise uses Syft and Grype as building blocks and extends them significantly with features that help you track SBOMs and vulnerabilities over time, apply rules and policies for compliance, manage false positives, and automate remediation workflows.

Anchore Enterprise pulls vulnerability data from a variety of publicly available vulnerability data sources including: 

• Alpine Linux SecDB: https://secdb.alpinelinux.org/
• Amazon Linux ALAS: https://alas.aws.amazon.com/AL2/alas.rss
• RedHat RHSAs: https://www.redhat.com/security/data/oval/
• Debian Linux CVE Tracker: https://security-tracker.debian.org/tracker/data/json
• Github GHSAs: https://github.com/advisories
• National Vulnerability Database (NVD): https://nvd.nist.gov/vuln/data-feeds
• Oracle Linux OVAL: https://linux.oracle.com/security/oval/
• RedHat Linux Security Data: https://access.redhat.com/hydra/rest/securitydata/
• Suse Linux OVAL: https://ftp.suse.com/pub/projects/security/oval/
• Ubuntu Linux Security: https://people.canonical.com/~ubuntu-security/

Documentation on vulnerability feeds in Anchore Enterprise

Anchore Enterprise integrates with all major container-based environments, including Kubernetes, Docker, and leading cloud container services such as Amazon EKS/ECR, Azure AKS/ACR, and Google GKE/Artifact Registry. If your workflow builds, stores, or runs container images, Anchore can scan it.

Yes, Anchore Enterprise scans a container image to find all of the components across the entire file system, including the OS and open source packages, the metadata associated with every file, and can even look inside the contents of files for malware or exposed secrets. Anchore Enterprise even cracks open archive files (like jars) to find components nested multiple layers down.  Once all of the components have been cataloged, Anchore Enterprise identifies all of the relevant vulnerabilities.

To help with false negatives, Anchore Enterprise includes a “Hints” feature that allows developers to explicitly describe content in their applications to improve matches to enable vulnerability matching. This is particularly useful for teams which compile and install their own binaries. The Corrections feature allows security teams to correct misidentified metadata (for example where the version may be incorrect) to avoid false positives. Anchore also provides a feed of data which contains a list of ambiguous or incorrect vulnerability data which prevents false positives across all deployments. 

Container security scanning tools streamline software supply chain security and policy enforcement by scanning container images and their contents to identify vulnerabilities before they are deployed to production environments.