
Secure open source software dependencies

Easily track direct and transitive open source dependencies to identify and fix vulnerabilities early.


“We effectively had no tooling before Anchore. Everything was manual. We reduced the amount
of time on vulnerability detection tasks by 75%.”


Secure Open Source Dependencies Across the Software Supply Chain

Anchore helps DevOps teams secure open source dependencies from source code to production. Analyze dependencies from ecosystems such as npm, Maven (Java), and Python, identify known security vulnerabilities using trusted vulnerability databases, and catch newly disclosed risks as soon as advisories are published. With flexible integrations including GitHub, Docker, and Azure, teams can protect against known vulnerabilities without slowing development.


SBOM management

Generate, manage, and store SBOMs for the software you use and build. Leverage SBOMs to identify and track open source dependencies at scale. Ensure that open source components and their dependencies comply with your open source license requirements.

Discover SBOM management >


Vulnerability scanning

Analyze and scan source code repositories, CI/CD pipelines, container registries, and container runtime environments for open source software vulnerabilities. When a new vulnerability is disclosed, identify which components and applications are affected by re-analyzing your stored SBOMs against the updated vulnerability data. There is no need to re-scan the applications or container images themselves.

Explore container scanning >



Policy enforcement

Use out-of-the-box policies or create your own to ensure compliance with internal rules and industry cybersecurity standards. Trigger notifications and remediation workflows based on rules set through a policy engine. Block vulnerable versions of open source software, such as the affected Log4j releases, from being deployed into production.


License compliance

Identify the open source licenses of both direct and transitive dependencies. Define policy rules that notify on disallowed licenses. Customize policy gates to fail builds or block deployment into production.


Streamline remediation

Prioritize vulnerabilities based on severity, fix availability, or other customizable criteria. Deliver remediation recommendations that make it easy for developers to apply a fix. Reduce noise with allowlists that suppress alerts for accepted findings while they are being remediated.
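The three sections above (policy enforcement, license compliance, remediation) all describe the same mechanism: rules evaluated over an SBOM and its vulnerability findings, producing a gate action. The following is an added example, not Anchore's policy language or code; the rule names, the warn/stop/allow actions and the input shapes are assumptions chosen to illustrate the idea, and every component, license and finding below is constructed sample data with hypothetical advisory identifiers.

```python
"""Toy policy engine with gates over an SBOM and its vulnerability findings.

Added example, not Anchore's policy engine. Rule names, actions and input
shapes are assumptions; all data below is constructed.
"""
from typing import Dict, List

# Constructed SBOM components with license metadata and dependency depth
COMPONENTS: List[Dict] = [
    {"name": "webfw", "version": "3.1.0", "license": "MIT", "direct": True},
    {"name": "gpl-parser", "version": "1.2.0", "license": "GPL-3.0-only", "direct": True},
    {"name": "lgpl-codec", "version": "0.9.1", "license": "LGPL-2.1-only", "direct": False},
    {"name": "yaml-lite", "version": "2.0.0", "license": "Apache-2.0", "direct": False},
]

# Constructed findings, as a vulnerability matcher would emit them
# (hypothetical advisory IDs, not real CVEs)
FINDINGS: List[Dict] = [
    {"id": "ADV-1001", "package": "webfw", "severity": "critical", "fix": "3.1.1"},
    {"id": "ADV-1002", "package": "yaml-lite", "severity": "high", "fix": None},
    {"id": "ADV-1003", "package": "gpl-parser", "severity": "low", "fix": "1.2.1"},
]

SEVERITY_RANK = {"negligible": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}

# Hypothetical policy: the keys are this example's own, not a product schema
POLICY = {
    "denied_licenses": {"GPL-3.0-only", "AGPL-3.0-only"},
    # copyleft tolerated only in transitive deps (assumption for illustration)
    "direct_only_denied": {"LGPL-2.1-only"},
    "stop_severity": "high",          # stop when >= this AND a fix exists
    "warn_unfixed_severity": "high",  # warn when >= this but no fix yet
    "allowlist": {"ADV-1003"},        # accepted risk, suppressed while remediated
}


def evaluate(components: List[Dict], findings: List[Dict], policy: Dict) -> List[Dict]:
    """Run every gate and return one {gate, action, reason} record per hit."""
    results: List[Dict] = []
    by_name = {c["name"]: c for c in components}

    # Gate 1: license rules, stricter for direct dependencies
    for c in components:
        lic = c["license"]
        if lic in policy["denied_licenses"]:
            results.append({"gate": "licenses", "action": "stop",
                            "reason": f"{c['name']} {c['version']} uses denied license {lic}"})
        elif c["direct"] and lic in policy["direct_only_denied"]:
            results.append({"gate": "licenses", "action": "stop",
                            "reason": f"direct dependency {c['name']} uses {lic}"})

    # Gate 2: vulnerabilities, prioritised by severity and fix availability
    stop_rank = SEVERITY_RANK[policy["stop_severity"]]
    warn_rank = SEVERITY_RANK[policy["warn_unfixed_severity"]]
    for f in findings:
        comp = by_name.get(f["package"])
        where = f"{f['package']} {comp['version'] if comp else '?'}"
        if f["id"] in policy["allowlist"]:
            # Recorded so the report shows the suppression, but never blocks
            results.append({"gate": "vulnerabilities", "action": "allow",
                            "reason": f"{f['id']} on {where} allowlisted"})
            continue
        rank = SEVERITY_RANK[f["severity"]]
        if f["fix"] and rank >= stop_rank:
            results.append({"gate": "vulnerabilities", "action": "stop",
                            "reason": f"{f['id']} {f['severity']} on {where}, fix available in {f['fix']}"})
        elif rank >= warn_rank:
            results.append({"gate": "vulnerabilities", "action": "warn",
                            "reason": f"{f['id']} {f['severity']} on {where}, no fix available yet"})
    return results


def final_action(results: List[Dict]) -> str:
    """Collapse gate results to the verdict a CI step would act on."""
    actions = {r["action"] for r in results}
    if "stop" in actions:
        return "stop"
    if "warn" in actions:
        return "warn"
    return "pass"


if __name__ == "__main__":
    res = evaluate(COMPONENTS, FINDINGS, POLICY)
    for r in res:
        print(f"[{r['action']:5}] {r['gate']}: {r['reason']}")
    print("verdict:", final_action(res))
```

Note the two deliberate asymmetries: a fixable critical finding stops the build while an unfixable high one only warns (the team cannot act on it yet, but should know), and the transitive LGPL component passes because the stricter copyleft rule is scoped to direct dependencies. Both are policy choices, not facts about the licenses or the findings.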

How open source security works in Anchore.

[Diagram: SBOM generation across workloads (OSS and source code, CI/CD, registries, Kubernetes); scanner with vulnerability feeds, vulnerability matching and a policy engine; outputs: vulnerability analysis, license analysis, remediation recommendations, reports and notifications. Caption: Inspect and secure workloads across the entire software supply chain.]

Integrations for streamlined dependency scanning

Open Source Software Scanning FAQs

What is open source dependency scanning?

Open source dependency scanning is the process of analyzing the third-party libraries and components your software relies on to identify known security vulnerabilities, licensing issues, and outdated packages. It compares your dependencies against vulnerability databases (such as the NVD, keyed by CVE identifiers) to flag risks early in development. This helps teams fix issues before release and maintain a secure, compliant software supply chain.

How does Anchore identify open source vulnerabilities?

Anchore Enterprise identifies open source vulnerabilities by first generating or ingesting an SBOM that catalogs the software packages and dependencies in an application or container image. It then compares those components against vulnerability data stored in a database and delivered through the Anchore Data Service, using package names, versions, ecosystem metadata, distro information, and identifiers like CPEs to determine whether a component is affected by a known vulnerability.

Anchore aggregates and normalizes data from sources like the NVD, GitHub Security Advisories, vendor advisories, and Microsoft MSRC, while also enriching the data to improve match accuracy and reduce false positives. Because the process is SBOM-based, Anchore Enterprise can continuously reassess existing software for newly disclosed vulnerabilities without rescanning the original artifact.
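The two FAQ answers above describe the mechanism in prose: match SBOM components to advisories by ecosystem, package name and affected version range, then re-run that match on the stored SBOM whenever the advisory data changes. The following is an added example written for this page, not Anchore's matching code or data format; the `Component` and `Advisory` shapes, the dotted-integer version comparison and every SBOM entry and advisory (with hypothetical `ADV-` identifiers) are constructed for illustration.

```python
"""Toy SBOM-based vulnerability matcher with feed re-evaluation.

Added example, not Anchore's matcher. Data shapes and version comparison
are assumptions; all SBOM entries and advisories below are constructed.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Assumption: plain dotted-integer versions. A real matcher needs
    ecosystem-specific comparators (semver, PEP 440, RPM epoch/release)."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Component:
    ecosystem: str   # "npm", "pypi", "maven", ... from SBOM metadata
    name: str
    version: str


@dataclass(frozen=True)
class Advisory:
    id: str               # hypothetical identifier such as "ADV-0001"
    ecosystem: str
    name: str
    introduced: str       # first affected version (inclusive)
    fixed: Optional[str]  # first fixed version (exclusive); None = no fix yet
    severity: str


def is_affected(comp: Component, adv: Advisory) -> bool:
    """Match on ecosystem AND name first, then check introduced <= v < fixed.
    Matching on name alone is a false-positive source: the same package name
    can exist in several ecosystems."""
    if (comp.ecosystem, comp.name) != (adv.ecosystem, adv.name):
        return False
    v = parse_version(comp.version)
    if v < parse_version(adv.introduced):
        return False
    return adv.fixed is None or v < parse_version(adv.fixed)


def match_sbom(sbom: List[Component], feed: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Every (component, advisory) pair where the component is affected."""
    return [(c, a) for c in sbom for a in feed if is_affected(c, a)]


def new_findings(sbom: List[Component], old_feed: List[Advisory],
                 new_feed: List[Advisory]) -> List[Tuple[Component, Advisory]]:
    """Findings that appear only with the updated feed: this is the
    'rescan the stored SBOM, not the artifact' step."""
    seen = {(c, a.id) for c, a in match_sbom(sbom, old_feed)}
    return [(c, a) for c, a in match_sbom(sbom, new_feed) if (c, a.id) not in seen]


def report(findings: List[Tuple[Component, Advisory]]) -> List[str]:
    """One human-readable line per finding, highest severity first."""
    rank = {"low": 1, "medium": 2, "high": 3, "critical": 4}
    ordered = sorted(findings, key=lambda ca: -rank.get(ca[1].severity, 0))
    return [f"{a.id} {a.severity}: {c.ecosystem}/{c.name}@{c.version} "
            f"(fixed in {a.fixed or 'no fix yet'})" for c, a in ordered]


# Constructed SBOM, as stored at build time
STORED_SBOM = [
    Component("npm", "widget-utils", "4.17.20"),
    Component("pypi", "widget-utils", "4.17.20"),      # same name, other ecosystem
    Component("maven", "com.example:logcore", "2.14.1"),
    Component("maven", "com.example:logcore", "2.17.1"),
]

# Constructed advisory feed on day 1
FEED_DAY1 = [
    Advisory("ADV-0001", "npm", "widget-utils", "0.0.0", "4.17.21", "high"),
]

# Day 2: a new advisory is published. The SBOM is unchanged; only the feed grew.
FEED_DAY2 = FEED_DAY1 + [
    Advisory("ADV-0002", "maven", "com.example:logcore", "2.0.0", "2.17.1", "critical"),
]

if __name__ == "__main__":
    print("day 1:", *report(match_sbom(STORED_SBOM, FEED_DAY1)), sep="\n  ")
    print("new on day 2:", *report(new_findings(STORED_SBOM, FEED_DAY1, FEED_DAY2)), sep="\n  ")
```

Two details are worth checking in any real matcher: the `pypi/widget-utils` entry must not match an npm advisory even though the name and version are identical, and the `2.17.1` logcore entry must fall outside an advisory whose fix version is exactly `2.17.1`. Both are where sloppy name-only or inclusive-bound matching produces the false positives the FAQ mentions.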

Which ecosystems are supported?

Anchore Enterprise supports the following packaging ecosystems when identifying SBOM content. The Operating System category covers Linux package managers. The Binary detector inspects file content to identify software that was installed outside of any packaging ecosystem, for example a runtime compiled from source.

  • Operating System
      • RPM
      • DEB
      • APK
  • NPM
  • Ruby Gems
  • Python
  • Java
  • NuGet
  • Golang
  • Binaries
      • Apache httpd
      • BusyBox
      • Consul
      • Golang
      • HAProxy
      • Helm
      • Java
      • Memcached
      • Nodejs
      • PHP
      • Perl
      • PostgreSQL
      • Python
      • Redis
      • Rust
      • Traefik

Speak with our security experts

Learn how Anchore’s SBOM-powered platform can help secure your software supply chain.