Anchore Pricing

Scanning Stages represent different stages in the development lifecycle during which you can use Anchore Enterprise to scan artifacts such as source code or container images. Your pricing will be determined by the number of scanning stages you want to implement. There are five different scanning stages and you can choose from and combine any number of the five, including:

• Source – scanning of source code repos before images are built
• Build – scanning of container images in CI/CD pipelines
• Stage – scanning of images in container registries
• Deploy – scanning of images via the Admission Controller before they are deployed to a container runtime environment
• Run – inventory of container images deployed in your container runtime environment for reporting and alerting

Risk can enter at any stage of the software lifecycle. Scanning in the early phases will enable teams to identify issues before they become complex and resource intensive to remediate. Scanning during the later stages will catch any new vulnerabilities or other security issues that have been introduced throughout the process and ensure continued security monitoring after deployment. Scanning throughout multiple stages is recommended to ensure the integrity of the entire development process.

Subscription Tiers determine the capabilities and features that you can use in Anchore Enterprise.

Each Subscription Tier is designed for specific use cases, from individual teams up to large enterprise deployments. Depending on the Subscription Tier you select, you will be entitled to use Anchore Enterprise up to the capacity specified in the Environment Size.

For each additional Scanning Stage that you purchase, your Environment Size will increase by the specified amount. For example, if you purchase two Scanning Stages, your Environment Size will be twice as large. If you purchase three Scanning Stages, your Environment Size will be three times as large.

Each scan of a unique container image digest (hash) and/or each unique source code repo will generate a unique SBOM. Each unique SBOM that is added to Anchore Enterprise will count toward the SBOMs Added limit. Your SBOMs Added limit is based on your monthly average of SBOMs Added over the course of your subscription year.

The Working Set includes the SBOMs that are actively available for vulnerability analysis, policy compliance, export, and reporting. The number of SBOMs that you can maintain in your Working Set is based on your Subscription Tier level. Inactive SBOMs can be removed from your Working Set by either archiving or deleting them.

No actions in Anchore Enterprise will be blocked or stop working if you add more SBOMs than your limit allows. Every three months during your subscription, your Customer Success Team will work with you to run a tool that will report on your usage, including SBOMs Added per month and the size of your Working Set.

For Team or Business Subscription Tiers, there are no additional costs during the initial subscription year if you exceed those limits. At the time of your renewal, you will have the opportunity to work with your Account Manager to adjust your subscription to meet your needs.

For Ultimate and Ultimate Plus Tiers, if the monthly averages are consistently higher than your limits over a quarter or more, then you can purchase additional capacity.

The first month of your subscription is a “grace period” for your SBOMs Added. Your monthly average for SBOMs Added will be calculated starting after the first full calendar month.

Anchore Enterprise, itself, is delivered as a set of containers that can be deployed on nearly all Kubernetes or container platforms in on-premises, hosted, and public cloud environments. As a scalable application, Anchore Enterprise is offered in tiers, each providing for different sets of capabilities and environment sizes which are determined by your number of SBOMs. Your particular infrastructure configuration is dependent on your selected tier. If you need assistance, Anchore solution architects are available to help you determine the best architecture for your deployment based on your use case.

An Analyzer is a software process that runs in your computing environment and processes software artifacts one at a time. Depending on the deployment model, processing tasks can include accessing the artifact, generating a software bill of materials (SBOM), generating a vulnerability list, or performing policy evaluations. Two Analyzers allow you to process two software artifacts simultaneously.

AnchoreCTL is a client that runs inside your CI/CD platform to generate an SBOM as part of a CI/CD build. AnchoreCTL scans a container image locally to generate an SBOM and then sends it to Anchore Enterprise. An Analyzer then uses the SBOM to generate a vulnerability list, perform malware scanning, check for secrets, and perform prescribed policy evaluations. This distributed processing arrangement significantly reduces the time to pass/fail a build in your CI/CD pipeline.

The time can vary based on a number of factors including artifact size and complexity, as well as Analyzer CPU speed and memory. If an artifact has to be downloaded from a registry/repo, network latency can also be a factor. General benchmarks for container images that have to be downloaded from a registry range from a few seconds (for example, a small Alpine container) to a few minutes for very large containers. When you use the AnchoreCTL client to scan images in your CI/CD pipeline and generate an SBOM, the Analyzer time is reduced because it does not have to generate the SBOM.

The addition of an Analyzer allows you to process more artifacts concurrently. In cases where delivery time is a concern, increasing the number of available Analyzers will increase processing throughput. In addition, if you need an Anchore installation for multiple IL environments such as IL2 and IL5, for example, you will need to purchase at least one subscription per environment.

Typical teams start with installations of 2-8 Analyzers (2-8 subscriptions) for securing their applications. For federal programs and agencies securing a larger number of applications, more analyzers may be desired. For the typical one unclassified + one classified environment setup that many DoD programs have, a minimum of two subscriptions is required. Anchore solutions architects can help you determine the right installation size for your current and expected needs.

You may move an Analyzer from one installation to another provided that all subscriptions in an installation are of the same tier.

Anchore Enterprise, itself, is delivered as a set of containers and can be deployed on nearly all Kubernetes or container platforms, whether on-premises, hosted, or in the cloud. As a scale-out application, Anchore Enterprise can start small and grow to scan thousands of software artifacts. Anchore solutions architects can help you determine the best architecture based on your budget and use case.

You can use multiple subscriptions of the same tier in a single installation to increase the number of Analyzers, but a single installation may not contain subscriptions from different tiers.