Anchore Pricing

Pro Tier

For small to medium-sized orgs and mature cloud-native users.

Features included:

  • SBOM Generation & Management
  • Up to 2,000 SBOMs/month
  • Vulnerability Scans & Policies
  • Rich APIs & Integrations
  • Standard Reporting
  • 9×5 Support SLA

Premium Tier

For larger orgs with high-capacity needs securing their software supply chain.

All features of Pro Tier and:

  • Up to 4,000 SBOMs/month
  • Comprehensive Policy Controls
  • Out-of-the-box Policy Packs
  • Unlimited Accounts

Basic

For teams just getting started with their cloud-native journey

1 Analyzer per Subscription

Included in Basic:

  • Unlimited Nodes & Pipelines
  • Unlimited Repos & Scan
  • CIS, NIST & CISA Policy Packs
  • 8×5 Support SLA

Premium

For federal agencies or orgs selling/serving the public sector

1 Analyzer per Subscription

Includes everything in Basic, plus:

  • DoD Policy Packs
  • Runtime Image Monitoring
  • DISA STIG Compliance Static Checks
  • Air-Gapped Feed Service
  • Windows & .NET Support
  • 24×7 Support SLA

Pro Tier | Premium Tier

Foundations

Software Bill of Materials

  • Generate, Monitor & Export SBOMs: ✓ | ✓

Reporting

  • Customizable ad-hoc or scheduled reports: ✓ | ✓

Integrations

  • CI/CD Support: ✓ | ✓
  • Public and Private Registry: ✓ | ✓
  • Notifications (Webhook, GitHub, Jira, Slack, and more): ✓ | ✓
  • ServiceNow CVR: ✓ | ✓

API

  • RESTful API: ✓ | ✓

Account & User Management

  • Accounts: 2 | Unlimited
  • RBAC: ✓ | ✓
  • SSO: ✓ | ✓

Secure

  • Vulnerability Scanning: ✓ | ✓
  • Vulnerability Policy Rules: ✓ | ✓
  • Malware & Secrets Detection: ✓ | ✓
  • Unlimited and Continuous Scanning: ✓ | ✓
  • Kubernetes Runtime (Image Monitoring & Admission Controller): Optional add-on $
  • ECS Runtime (Image Monitoring): Optional add-on $

Enforce

Policy Controls

  • File and Content Rules: ✓
  • License & Dockerfile Rules: ✓
  • Unlimited and Continuous Policy Evaluations: ✓

Out-of-the-Box Policy Packs

  • CIS & NIST: ✓
  • FedRAMP: Optional add-on $
  • DoD: Optional add-on $

Environment and Support

Environment Size

  • # of SBOMs per month: Up to 2000 SBOMs/month | Up to 4000 SBOMs/month
  • Additional SBOMs per month: Optional add-on $ | Optional add-on $

Support

  • Basic (9×5 SLA, Setup & Configuration Guidance, Expert Office Hours): ✓ | ✓
  • Essential plan (Basic plus: 24×7 Priority SLA, Expert On-demand, Healthchecks): Optional add-on $ | Optional add-on $
  • Complete plan (Essential plus: QBRs, Workshop Support, Proactive Escalation Management, Designated Customer Success Manager): Optional add-on $ | Optional add-on $

Software Bill of Materials

  • Linux Containers: ✓ | ✓
  • Windows Containers: ✓

Ecosystems Supported

  • Support for NPM, Python, Node, Java, Ruby: ✓ | ✓
  • Support for Nuget (.Net): ✓

Security Capabilities

  • CVE Scanning: ✓ | ✓
  • Credential Scanning: ✓ | ✓
  • Malware Scanning: ✓ | ✓
  • Dockerfile Checks: ✓ | ✓
  • Allowlist & Denylist: ✓ | ✓
  • Base vs Application Vulnerability Diff.: ✓ | ✓
  • False Positive Management: ✓ | ✓
  • Runtime Image Monitoring: Available as add-on | Available as add-on

Remediation

  • Remediation Recommendations: ✓ | ✓
  • Automated Action Plans: ✓ | ✓

Compliance & Audit

  • Dashboards and Reporting: ✓ | ✓
  • Reporting API (GraphQL): ✓ | ✓
  • Graphical Policy Editor: ✓ | ✓
  • Custom Policies: ✓ | ✓
  • CIS Benchmarks Policy Pack: ✓ | ✓
  • NIST 800-190 & NIST 800-53 Policy Packs: ✓ | ✓
  • DoD Policy Packs: Available as add-on | ✓
  • DISA STIG Runtime Compliance: Available as add-on | Available as add-on
  • FedRAMP Policy Pack: Available as add-on | Available as add-on

Integrations

  • CI/CD Integration: ✓ | ✓
  • Kubernetes Admission Controller: ✓ | ✓
  • Third-Party Notifications (Slack, Jira, GitHub, MS Teams & More): ✓ | ✓

Vulnerability Data

  • Enhanced Custom Feed Service: ✓ | ✓
  • Air-Gapped Feed Service: ✓

Access & Authentication

  • Role-Based Access Control: ✓ | ✓
  • Single Sign-on (SSO): ✓ | ✓
  • Enterprise Authentication (LDAP/SAML): ✓ | ✓

Support

  • Standard SLA (9x5 Support): ✓
  • Premium SLA (24x7 Support): ✓
  • US-only based Support: Available as add-on | Available as add-on


Anchore Enterprise FAQs

Scanning Stages represent different stages in the development lifecycle during which you can use Anchore Enterprise to scan artifacts such as source code or container images. Your pricing will be determined by the number of scanning stages you want to implement. There are five different scanning stages and you can choose from and combine any number of the five, including:

  • Source – scanning of source code repos before images are built
  • Build – scanning of container images in CI/CD pipelines
  • Stage – scanning of images in container registries
  • Deploy – scanning of images via the Admission Controller before they are deployed to a container runtime environment
  • Run – inventory of container images deployed in your container runtime environment for reporting and alerting

Risk can enter at any stage of the software lifecycle. Scanning in the early phases will enable teams to identify issues before they become complex and resource intensive to remediate. Scanning during the later stages will catch any new vulnerabilities or other security issues that have been introduced throughout the process and ensure continued security monitoring after deployment. Scanning throughout multiple stages is recommended to ensure the integrity of the entire development process.

Subscription Tiers determine the capabilities and features that you can use in Anchore Enterprise.

Each Subscription Tier is designed for specific use cases, from individual teams up to large enterprise deployments. Depending on the Subscription Tier you select, you will be entitled to use Anchore Enterprise up to the capacity specified in the Environment Size.

For each additional Scanning Stage that you purchase, your Environment Size will increase by the specified amount. For example, if you purchase two Scanning Stages, your Environment Size will be twice as large. If you purchase three Scanning Stages, your Environment Size will be three times as large.

Each scan of a unique container image digest (hash) and/or each unique source code repo will generate a unique SBOM. Each unique SBOM that is added to Anchore Enterprise will count toward the SBOMs Added limit. Your SBOMs Added limit is based on your monthly average of SBOMs Added over the course of your subscription year.

The Working Set includes the SBOMs that are actively available for vulnerability analysis, policy compliance, export, and reporting. The number of SBOMs that you can maintain in your Working Set is based on your Subscription Tier level. Inactive SBOMs can be removed from your Working Set by either archiving or deleting them.

No actions in Anchore Enterprise will be blocked or stop working if you add more SBOMs than your limit allows. Every three months during your subscription, your Customer Success Team will work with you to run a tool that will report on your usage, including SBOMs Added per month and the size of your Working Set.

For Team or Business Subscription Tiers, there are no additional costs during the initial subscription year if you exceed those limits. At the time of your renewal, you will have the opportunity to work with your Account Manager to adjust your subscription to meet your needs.

For Ultimate and Ultimate Plus Tiers, if the monthly averages are consistently higher than your limits over a quarter or more, then you can purchase additional capacity.

The first month of your subscription is a “grace period” for your SBOMs Added. Your monthly average for SBOMs Added will be calculated starting after the first full calendar month.

Anchore Enterprise, itself, is delivered as a set of containers that can be deployed on nearly all Kubernetes or container platforms in on-premises, hosted, and public cloud environments. As a scalable application, Anchore Enterprise is offered in tiers, each providing for different sets of capabilities and environment sizes which are determined by your number of SBOMs. Your particular infrastructure configuration is dependent on your selected tier. If you need assistance, Anchore solution architects are available to help you determine the best architecture for your deployment based on your use case.

Anchore Enterprise (Federal Edition) FAQs

An Analyzer is a software process that runs in your computing environment and processes software artifacts one at a time. Depending on the deployment model, processing tasks can include accessing the artifact, generating a software bill of materials (SBOM), generating a vulnerability list, or performing policy evaluations. Two Analyzers allow you to process two software artifacts simultaneously.

AnchoreCTL is a client that runs inside your CI/CD platform to generate an SBOM as part of a CI/CD build. AnchoreCTL scans a container image locally to generate an SBOM and then sends it to Anchore Enterprise. An Analyzer then uses the SBOM to generate a vulnerability list, perform malware scanning, check for secrets, and perform prescribed policy evaluations. This distributed processing arrangement significantly reduces the time to pass/fail a build in your CI/CD pipeline.

The time can vary based on a number of factors including artifact size and complexity, as well as Analyzer CPU speed and memory. If an artifact has to be downloaded from a registry/repo, network latency can also be a factor. General benchmarks for container images that have to be downloaded from a registry range from a few seconds (for example, a small Alpine container) to a few minutes for very large containers. When you use the AnchoreCTL client to scan images in your CI/CD pipeline and generate an SBOM, the Analyzer time is reduced because it does not have to generate the SBOM.

The addition of an Analyzer allows you to process more artifacts concurrently. In cases where delivery time is a concern, increasing the number of available Analyzers will increase processing throughput. In addition, if you need an Anchore installation for multiple IL environments such as IL2 and IL5, for example, you will need to purchase at least one subscription per environment.

Typical teams start with installations of 2-8 Analyzers (2-8 subscriptions) for securing their applications. For federal programs and agencies securing a larger number of applications, more analyzers may be desired. For the typical one unclassified + one classified environment setup that many DoD programs have, a minimum of two subscriptions is required. Anchore solutions architects can help you determine the right installation size for your current and expected needs.

You may move an Analyzer from one installation to another provided that all subscriptions in an installation are of the same tier.

Anchore Enterprise, itself, is delivered as a set of containers and can be deployed on nearly all Kubernetes or container platforms, whether on-premises, hosted, or in the cloud. As a scale-out application, Anchore Enterprise can start small and grow to scan thousands of software artifacts. Anchore solutions architects can help you determine the best architecture based on your budget and use case.

You can use multiple subscriptions of the same tier in a single installation to increase the number of Analyzers, but a single installation may not contain subscriptions from different tiers.
