Anchore SBOM

Manage internal and external SBOMs in an Application Version context to track software supply chain issues and meet compliance requirements as a software supplier.

Achieve Software Supply Chain Transparency

Up to 90% of any given software application today is made up of open source components. Anchore SBOM brings comprehensive visibility into the software components present in both internally developed and third-party supplied software. Upload SBOMs in industry standard formats and categorize your products and services so you can identify and mitigate security and compliance risks. Use Anchore SBOM to build trust inside and outside of your organization and to meet regulatory requirements in the US and Europe.

Ingest, Manage & Analyze

Import, Normalize/Deduplicate & Analyze

Upload your own internally generated SBOMs or those provided by your suppliers in a formal standard format, and avoid SBOM sprawl by creating a single, canonical location to manage SBOM documents. Organize SBOMs in Application & Version contexts and apply annotations to add custom data, further enriching imported SBOMs with searchable key/value pairs.

Vulnerability Scanning and Prioritization with Anchore Score

Analyze every SBOM for vulnerabilities and receive an Anchore Score to prioritize remediation efforts. The Anchore Score looks at a range of variables, including CVSS, EPSS, and KEV data, to help you understand the risk and focus on the right vulnerabilities to remediate first.

FAQs

Anchore SBOM supports uploading SBOMs in the following versions:

CycloneDX

• JSON: Versions 1.2 – 1.6
• XML: Versions 1.0 – 1.6

SPDX

• JSON: Versions 2.2 – 2.3
• Tag-Value: Versions 2.1 – 2.3

Anchore supports exploring unified SBOMs in the following formats:

• CycloneDX v1.6
• SPDX v2.3
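Before an uploaded supplier SBOM is accepted, the first practical check is whether it is one of the format/version combinations listed above. The following Python is an added illustration of that check, not Anchore's code: it detects the format and spec version of a document (CycloneDX JSON via `bomFormat`/`specVersion`, CycloneDX XML via the schema namespace on the root `bom` element, SPDX JSON via `spdxVersion`, SPDX tag-value via the `SPDXVersion:` line) and compares it against the upload table. The sample documents are constructed minimal fragments, not real SBOMs.

```python
"""Detect an SBOM document's format and spec version and check it against the
upload support table above. Added example; the support table is transcribed
from the page, everything else is this example's own construction."""
import json
import re
import xml.etree.ElementTree as ET  # for untrusted supplier input prefer defusedxml

# (format, encoding) -> (lowest, highest) supported version, from the table above.
SUPPORTED = {
    ("CycloneDX", "json"): ("1.2", "1.6"),
    ("CycloneDX", "xml"): ("1.0", "1.6"),
    ("SPDX", "json"): ("2.2", "2.3"),
    ("SPDX", "tag-value"): ("2.1", "2.3"),
}

# CycloneDX XML carries the spec version in the root element's namespace.
CDX_XML_ROOT = re.compile(r"^\{http://cyclonedx\.org/schema/bom/(\d+\.\d+)\}bom$")
# SPDX tag-value carries it on a "SPDXVersion: SPDX-x.y" line.
SPDX_TV_VERSION = re.compile(r"^SPDXVersion:\s*SPDX-(\d+\.\d+)\s*$", re.MULTILINE)


def _ver(s: str):
    """'1.10' must sort after '1.6', so compare as integer tuples, not strings."""
    return tuple(int(p) for p in s.split("."))


def detect(document: str):
    """Return (format, encoding, version) for an SBOM given as text.
    Raises ValueError when the text is not a recognisable SBOM."""
    text = document.strip()
    if text.startswith("{"):
        doc = json.loads(text)
        if doc.get("bomFormat") == "CycloneDX" and "specVersion" in doc:
            return ("CycloneDX", "json", str(doc["specVersion"]))
        spdx = doc.get("spdxVersion")
        if isinstance(spdx, str) and spdx.startswith("SPDX-"):
            return ("SPDX", "json", spdx[len("SPDX-"):])
        raise ValueError("JSON document is neither CycloneDX nor SPDX")
    if text.startswith("<"):
        root = ET.fromstring(text)
        m = CDX_XML_ROOT.match(root.tag)
        if m:
            return ("CycloneDX", "xml", m.group(1))
        raise ValueError("XML root is not a CycloneDX bom element")
    m = SPDX_TV_VERSION.search(text)
    if m:
        return ("SPDX", "tag-value", m.group(1))
    raise ValueError("unrecognised SBOM document")


def is_supported(document: str) -> bool:
    """True when the document's format and version fall inside the upload table."""
    fmt, enc, version = detect(document)
    lo, hi = SUPPORTED[(fmt, enc)]
    return _ver(lo) <= _ver(version) <= _ver(hi)


# Constructed minimal fragments, one per accepted encoding.
SAMPLES = {
    "cdx_json": '{"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1, "components": []}',
    "cdx_xml": '<bom xmlns="http://cyclonedx.org/schema/bom/1.1" version="1"><components/></bom>',
    "spdx_json": '{"spdxVersion": "SPDX-2.3", "SPDXID": "SPDXRef-DOCUMENT", "name": "demo"}',
    "spdx_tv": "SPDXVersion: SPDX-2.1\nDataLicense: CC0-1.0\nSPDXID: SPDXRef-DOCUMENT\n",
}

if __name__ == "__main__":
    for label, doc in SAMPLES.items():
        print(label, detect(doc), "supported" if is_supported(doc) else "rejected")
```

Versions outside the table (for example SPDX JSON 2.1, which only exists as tag-value in the table) are reported as unsupported rather than raising, so the caller can give the supplier a precise reason for rejection.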

Anchore Enterprise generates SBOMs for containers as part of CI/CD, registry, or runtime scanning. This allows it to capture additional data about Dockerfile content, image content, and other metadata. That extra information can be used for additional scans for malware or secrets, or for compliance checks as part of the Anchore Enforce module. SBOMs uploaded to the system from non-Anchore tools are analyzed for package, license, and vulnerability information only.

Anchore allows you to upload SBOMs generated by non-Anchore tools, representing both codebases under your control (internal SBOMs) and third-party SBOMs provided to your organization by partners, contractors, and upstream suppliers. These SBOMs represent assets not available for Anchore scanning, and uploading them unifies security information across artifacts scanned by Anchore and those represented by uploaded SBOMs.

SBOMs are imported as Assets for a given Application Version. Compliance issues, packages, and vulnerabilities are normalized and deduplicated across all assets for a given Application Version.

The Anchore Score is a computed composite security index that provides a numeric value for each vulnerability in the system. It is derived from a combination of the CVSS score, vulnerability severity, EPSS percentile, and KEV status, but can also factor in additional data. Currently, the CVSS score & vulnerability severity, EPSS percentile, and KEV status are equally weighted. The Anchore Score represents the relative importance of a given vulnerability within a particular set of vulnerabilities defined by an Application Version context. This ordering helps users focus on the most critical issues for expedient security analysis and remediation planning.
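The two answers above describe, first, normalizing and deduplicating packages and vulnerabilities across all assets of one Application Version and, second, ordering the unified vulnerabilities by an equally weighted composite of CVSS/severity, EPSS percentile, and KEV status. The following Python is an added illustration of that pipeline and is not Anchore's code: the purl normalization is a simplified reading of the purl spec, the 0–100 scale, the severity-to-number mapping and the folding of CVSS and severity into a single component are this example's assumptions (the page does not publish the actual formula), and the CVE ids, purls and asset names are constructed.

```python
"""Unify packages and vulnerabilities across the assets of one Application Version,
then rank them with an illustrative equal-weight composite of CVSS/severity, EPSS
percentile and KEV status. Added example; weights, scale and normalisation rules are
this example's assumptions, not Anchore's published algorithm."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Vuln:
    cve: str          # constructed identifier, e.g. "CVE-0000-1111"
    cvss: float       # CVSS base score, 0-10
    severity: str     # vendor severity label
    epss_pct: float   # EPSS percentile, 0-1
    kev: bool         # listed in CISA KEV


@dataclass(frozen=True)
class Package:
    purl: str         # package URL as emitted by whichever tool produced the SBOM
    vulns: tuple      # tuple[Vuln, ...] reported against this package


def normalize_purl(purl: str) -> str:
    """Canonicalise the parts of a purl that differ between tools but not in meaning:
    lowercase scheme, type and namespace; drop qualifiers and subpath; for pypi apply
    the lowercase/underscore-to-hyphen name rule. Simplified: the purl spec has further
    per-type rules this example does not apply."""
    core = purl.split("#", 1)[0].split("?", 1)[0]          # strip subpath, then qualifiers
    scheme, _, rest = core.partition(":")
    ptype, _, remainder = rest.partition("/")
    ns_name, sep, version = remainder.rpartition("@")
    if not sep:                                            # no version present
        ns_name, version = remainder, ""
    ns, _, name = ns_name.rpartition("/")
    ptype = ptype.lower()
    if ptype == "pypi":
        name = name.lower().replace("_", "-")
    key = f"{scheme.lower()}:{ptype}/" + (ns.lower() + "/" if ns else "") + name
    return key + ("@" + version if version else "")


def unify(assets):
    """assets: {asset_name: [Package, ...]} for one Application Version.
    Returns (packages, findings) where packages maps a canonical purl to the set of
    assets containing it and findings maps (cve, canonical purl) to one Vuln, so a
    package or vulnerability present in several assets is counted once."""
    packages = defaultdict(set)
    findings = {}
    for asset, pkgs in assets.items():
        for pkg in pkgs:
            key = normalize_purl(pkg.purl)
            packages[key].add(asset)
            for v in pkg.vulns:
                findings.setdefault((v.cve, key), v)
    return dict(packages), findings


# Assumed mapping of severity labels onto 0-1; not from the page.
SEVERITY_RANK = {"negligible": 0.0, "low": 0.25, "medium": 0.5, "high": 0.75, "critical": 1.0}


def composite_score(v: Vuln) -> float:
    """Three equally weighted components, each scaled to 0-1, reported on 0-100.
    CVSS and severity are averaged into one component, mirroring how the passage
    groups them; the scale and folding are this example's choices."""
    cvss_component = (v.cvss / 10.0 + SEVERITY_RANK.get(v.severity.lower(), 0.0)) / 2
    kev_component = 1.0 if v.kev else 0.0
    return round(100 * (cvss_component + v.epss_pct + kev_component) / 3, 1)


def rank(findings):
    """Order unified findings by composite score, highest first, ties by CVE id."""
    rows = [(cve, key, composite_score(v)) for (cve, key), v in findings.items()]
    return sorted(rows, key=lambda r: (-r[2], r[0]))


# Constructed sample: two assets of one Application Version, with the same two
# components spelled differently by two SBOM tools. CVE ids are placeholders.
A = Vuln("CVE-0000-1111", 9.8, "Critical", 0.97, True)
B = Vuln("CVE-0000-2222", 7.5, "High", 0.40, False)
C = Vuln("CVE-0000-3333", 5.3, "Medium", 0.05, False)
ASSETS = {
    "web-frontend": [Package("pkg:pypi/Demo_Lib@1.0.0", (A,)),
                     Package("pkg:maven/org.example/widget@2.3.1?type=jar", (B, C))],
    "api-backend": [Package("pkg:pypi/demo-lib@1.0.0?source=wheel", (A,)),
                    Package("pkg:maven/org.example/widget@2.3.1", (B,))],
}

if __name__ == "__main__":
    pkgs, found = unify(ASSETS)
    print(f"{len(pkgs)} unified packages, {len(found)} unified findings")
    for cve, key, score in rank(found):
        print(f"{score:5.1f}  {cve}  {key}  in {sorted(pkgs[key])}")
```

Five per-asset findings collapse to three, and the KEV-listed, high-EPSS vulnerability lands at the top regardless of how many assets report it; a medium-CVSS issue with a near-zero EPSS percentile drops to the bottom even though its raw CVSS alone would not say so.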

Anchore SBOM is included in all Anchore Enterprise subscriptions.

Explore our solutions

Federal Compliance

Automate compliance checks using out-of-the-box and custom policies.

Open Source Security

Improve open source security by easily tracking direct and transitive open source dependencies to identify and fix vulnerabilities early.

DevSecOps

Automate DevSecOps for your cloud-native software supply chain with an API-first DevSecOps solution.

Container Security Solution

Identify and remediate container security risks and monitor post-deployment for new vulnerabilities.

FedRAMP Vulnerability Scanning

Meet the new FedRAMP Vulnerability Scanning Requirements for Containers and achieve compliance faster with Anchore.

Container Vulnerability Scanning

Reduce false positives and false negatives with best-in-class signal-to-noise ratio.

Kubernetes Images Scanning

Allow or prevent deployment of images based on flexible policies and continuously monitor the inventory of insecure images running in your clusters.

CI/CD Security & Compliance

Embed security and compliance into your CI/CD pipeline to uncover vulnerabilities, secrets, and malware in your automated build processes.

SBOM Management

Get comprehensive visibility of your software components and ensure vulnerability accuracy with the most complete SBOM available. Generate, store, analyze, and monitor SBOMs across the application lifecycle to identify software dependencies and improve supply chain security.

Container Compliance

Automate compliance checks using out-of-the-box and custom policies.

Speak with our security experts

Learn how Anchore’s SBOM-powered platform can help secure your software supply chain.