Anchore Pricing

Team

For teams just getting started with their cloud-native journey

Features included in Team:

  • SBOM Generation & Management
  • Vulnerability Scans & Policies
  • OSS Dependencies & Licenses
  • Rich APIs
  • Standard Reporting
  • Single Team
  • 9×5 Support SLA

Business

For medium-size orgs and mature cloud-native users

All the features of Team, and:

  • Malware Scans & Policies
  • Secret Scans & Policies
  • License & SBOM Policies
  • CIS & NIST Policy Packs
  • Windows & .NET Support
  • Custom SSO

Ultimate

For large orgs securing their software supply chain

All the goodness of Business, and:

  • FedRAMP Policy Pack
  • HIPAA Policy Pack
  • PCI DSS Policy Pack
  • Policies by Team
  • Custom Reporting
  • Reporting by Team
  • Unlimited Teams
  • 24×7 Support SLA

Ultimate+

Customizable for large organizations with high-capacity needs

All the greatness of Ultimate, and:

  • Custom environment sizes

Basic

For teams just getting started with their cloud-native journey

1 Analyzer per Subscription

Included in Basic:

  • Unlimited Nodes & Pipelines
  • Unlimited Repos & Scan
  • Air-Gapped Feed Service
  • CIS, NIST & CISA Policy Packs
  • 8×5 Support SLA

Premium

For federal agencies or orgs selling/serving the public sector

1 Analyzer per Subscription

Includes everything in Basic, plus:

  • DoD (Iron Bank) & DISA Policy Packs
  • Runtime Image Monitoring
  • DISA STIG Compliance Checks
  • Windows & .NET Support
  • 24×7 Support SLA

| Category | Feature | Team | Business | Ultimate | Ultimate+ |
|---|---|---|---|---|---|
| SBOM Management | Generate, Monitor & Export SBOMs | ✓ | ✓ | ✓ | ✓ |
| Scanning | Identify OSS Dependencies & Licenses | ✓ | ✓ | ✓ | ✓ |
| Scanning | Identify Vulnerabilities | ✓ | ✓ | ✓ | ✓ |
| Scanning | Identify Secrets, Malware & Misconfigurations | - | ✓ | ✓ | ✓ |
| Scanning | Windows & .NET Support | - | ✓ | ✓ | ✓ |
| Scanning Stages | Source (Source code repos)* | Available | Available | Available | Available |
| Scanning Stages | Build (CI/CD)* | Available | Available | Available | Available |
| Scanning Stages | Stage (Registry)* | Available | Available | Available | Available |
| Scanning Stages | Deploy (Admission Controller)* | Available | Available | Available | Available |
| Scanning Stages | Run (Runtime Image Monitoring)* | Available | Available | Available | Available |
| Policy Controls | Vulnerability Policies | ✓ | ✓ | ✓ | ✓ |
| Policy Controls | OSS License Policies | - | ✓ | ✓ | ✓ |
| Policy Controls | Secrets & Malware Policies | - | ✓ | ✓ | ✓ |
| Policy Controls | SBOM Policies | - | ✓ | ✓ | ✓ |
| Policy Controls | Customize Policies by Team | - | - | ✓ | ✓ |
| Out-of-the-Box Policy Packs | CIS & NIST | - | ✓ | ✓ | ✓ |
| Out-of-the-Box Policy Packs | FedRAMP | - | Available as add-on | ✓ | ✓ |
| Out-of-the-Box Policy Packs | PCI DSS | - | Available as add-on | ✓ | ✓ |
| Out-of-the-Box Policy Packs | HIPAA | - | Available as add-on | ✓ | ✓ |
| Reporting | Standard Reports | ✓ | ✓ | ✓ | ✓ |
| Reporting | Custom Reports | - | - | ✓ | ✓ |
| Reporting | Reports by Team | - | - | ✓ | ✓ |
| Integrations | Cloud and Private Environments | ✓ | ✓ | ✓ | ✓ |
| Integrations | Notifications (Webhook, GitHub, Jira, Slack, and more) | ✓ | ✓ | ✓ | ✓ |
| API | Full access | ✓ | ✓ | ✓ | ✓ |
| Account & User Management | Teams | One | One | Unlimited | Unlimited |
| Account & User Management | Role-Based Access Control (RBAC) | ✓ | ✓ | ✓ | ✓ |
| Account & User Management | Custom Single Sign-on (SSO) | - | ✓ | ✓ | ✓ |
| Environment Size (per stage purchased) | New SBOMs added to Anchore Enterprise repository | Up to 100/mo | Up to 500/mo | Up to 3000/mo | Customizable |
| Environment Size (per stage purchased) | Working Set of SBOMs | Up to 1200 | Up to 6000 | Up to 36k | Customizable |
| Support | Standard SLA (8x5 Support) | ✓ | ✓ | - | - |
| Support | Premium SLA (24x7) | - | - | ✓ | ✓ |

*Pricing based on number of selected scanning stages

| Category | Feature | Basic | Premium |
|---|---|---|---|
| Software Bill of Materials | Linux Containers | ✓ | ✓ |
| Software Bill of Materials | Windows Containers | - | ✓ |
| Ecosystems Supported | Support for NPM, Python, Node, Java, Ruby | ✓ | ✓ |
| Ecosystems Supported | Support for NuGet (.NET) | - | ✓ |
| Security Capabilities | CVE Scanning | ✓ | ✓ |
| Security Capabilities | Credential Scanning | ✓ | ✓ |
| Security Capabilities | Malware Scanning | ✓ | ✓ |
| Security Capabilities | Dockerfile Checks | ✓ | ✓ |
| Security Capabilities | Allowlist & Denylist | ✓ | ✓ |
| Security Capabilities | Base vs Application Vulnerability Diff. | ✓ | ✓ |
| Security Capabilities | False Positive Management | ✓ | ✓ |
| Security Capabilities | Runtime Image Monitoring | Available as add-on | ✓ |
| Remediation | Remediation Recommendations | ✓ | ✓ |
| Remediation | Automated Action Plans | ✓ | ✓ |
| Compliance & Audit | Dashboards and Reporting | ✓ | ✓ |
| Compliance & Audit | Reporting API (GraphQL) | ✓ | ✓ |
| Compliance & Audit | Graphical Policy Editor | ✓ | ✓ |
| Compliance & Audit | Custom Policies | ✓ | ✓ |
| Compliance & Audit | CIS Benchmarks Policy Pack | ✓ | ✓ |
| Compliance & Audit | NIST 800-190 & NIST 800-53 Policy Packs | ✓ | ✓ |
| Compliance & Audit | DoD & DISA Policy Packs | Available as add-on | ✓ |
| Compliance & Audit | DISA STIG Runtime Compliance | Available as add-on | ✓ |
| Compliance & Audit | FedRAMP Policy Pack | Available as add-on | Available as add-on |
| Integrations | CI/CD Integration | ✓ | ✓ |
| Integrations | Kubernetes Admission Controller | ✓ | ✓ |
| Integrations | Third-Party Notifications (Slack, Jira, GitHub, MS Teams & More) | ✓ | ✓ |
| Vulnerability Data | Enhanced Custom Feed Service | ✓ | ✓ |
| Vulnerability Data | Air-Gapped Feed Service | ✓ | ✓ |
| Access & Authentication | Role-Based Access Control | ✓ | ✓ |
| Access & Authentication | Single Sign-on (SSO) | ✓ | ✓ |
| Access & Authentication | Enterprise Authentication (LDAP/SAML) | ✓ | ✓ |
| Support | Standard SLA (9x5 Support) | ✓ | - |
| Support | Premium SLA (24x7 Support) | - | ✓ |
| Support | US-only based Support | Available as add-on | Available as add-on |

Anchore Enterprise FAQs

Scanning Stages represent different stages in the development lifecycle during which you can use Anchore Enterprise to scan artifacts such as source code or container images. Your pricing will be determined by the number of scanning stages you want to implement. There are five different scanning stages and you can choose from and combine any number of the five, including:

  • Source – scanning of source code repos before images are built
  • Build – scanning of container images in CI/CD pipelines
  • Stage – scanning of images in container registries
  • Deploy – scanning of images via the Admission Controller before they are deployed to a container runtime environment
  • Run – inventory of container images deployed in your container runtime environment for reporting and alerting

Risk can enter at any stage of the software lifecycle. Scanning in the early phases will enable teams to identify issues before they become complex and resource intensive to remediate. Scanning during the later stages will catch any new vulnerabilities or other security issues that have been introduced throughout the process and ensure continued security monitoring after deployment. Scanning throughout multiple stages is recommended to ensure the integrity of the entire development process.

Subscription Tiers determine the capabilities and features that you can use in Anchore Enterprise.

Each Subscription Tier is designed for specific use cases, from individual teams up to large enterprise deployments. Depending on the Subscription Tier you select, you will be entitled to use Anchore Enterprise up to the capacity specified in the Environment Size.

For each additional Scanning Stage that you purchase, your Environment Size will increase by the specified amount. For example, if you purchase two Scanning Stages, your Environment Size will be twice as large. If you purchase three Scanning Stages, your Environment Size will be three times as large.

Each scan of a unique container image digest (hash) and/or each unique source code repo will generate a unique SBOM. Each unique SBOM that is added to Anchore Enterprise will count toward the SBOMs Added limit. Your SBOMs Added limit is based on your monthly average of SBOMs Added over the course of your subscription year.

The Working Set includes the SBOMs that are actively available for vulnerability analysis, policy compliance, export, and reporting. The number of SBOMs that you can maintain in your Working Set is based on your Subscription Tier level. Inactive SBOMs can be removed from your Working Set by either archiving or deleting them.

No actions in Anchore Enterprise will be blocked or stop working if you add more SBOMs than your limit allows. Every three months during your subscription, your Customer Success Team will work with you to run a tool that will report on your usage, including SBOMs Added per month and the size of your Working Set.

For Team or Business Subscription Tiers, there are no additional costs during the initial subscription year if you exceed those limits. At the time of your renewal, you will have the opportunity to work with your Account Manager to adjust your subscription to meet your needs.

For Ultimate and Ultimate Plus Tiers, if the monthly averages are consistently higher than your limits over a quarter or more, then you can purchase additional capacity.

The first month of your subscription is a “grace period” for your SBOMs Added. Your monthly average for SBOMs Added will be calculated starting after the first full calendar month.

Anchore Enterprise, itself, is delivered as a set of containers that can be deployed on nearly all Kubernetes or container platforms in on-premises, hosted, and public cloud environments. As a scalable application, Anchore Enterprise is offered in tiers, each providing for different sets of capabilities and environment sizes which are determined by your number of SBOMs. Your particular infrastructure configuration is dependent on your selected tier. If you need assistance, Anchore solution architects are available to help you determine the best architecture for your deployment based on your use case.

Anchore Enterprise (Federal Edition) FAQs

An Analyzer is a software process that runs in your computing environment and processes software artifacts one at a time. Depending on the deployment model, processing tasks can include accessing the artifact, generating a software bill of materials (SBOM), generating a vulnerability list, or performing policy evaluations. Two Analyzers allow you to process two software artifacts simultaneously.

AnchoreCTL is a client that runs inside your CI/CD platform to generate an SBOM as part of a CI/CD build. AnchoreCTL scans a container image locally to generate an SBOM and then sends it to Anchore Enterprise. An Analyzer then uses the SBOM to generate a vulnerability list, perform malware scanning, check for secrets, and perform prescribed policy evaluations. This distributed processing arrangement significantly reduces the time to pass/fail a build in your CI/CD pipeline.

The time can vary based on a number of factors including artifact size and complexity, as well as Analyzer CPU speed and memory. If an artifact has to be downloaded from a registry/repo, network latency can also be a factor. General benchmarks for container images that have to be downloaded from a registry range from a few seconds (for example, a small Alpine container) to a few minutes for very large containers. When you use the AnchoreCTL client to scan images in your CI/CD pipeline and generate an SBOM, the Analyzer time is reduced because it does not have to generate the SBOM.

The addition of an Analyzer allows you to process more artifacts concurrently. In cases where delivery time is a concern, increasing the number of available Analyzers will increase processing throughput. In addition, if you need an Anchore installation for multiple IL environments such as IL2 and IL5, for example, you will need to purchase at least one subscription per environment.

Typical teams start with installations of 2-8 Analyzers (2-8 subscriptions) for securing their applications. For federal programs and agencies securing a larger number of applications, more analyzers may be desired. For the typical one unclassified + one classified environment setup that many DoD programs have, a minimum of two subscriptions is required. Anchore solutions architects can help you determine the right installation size for your current and expected needs.

You may move an Analyzer from one installation to another provided that all subscriptions in an installation are of the same tier.

Anchore Enterprise, itself, is delivered as a set of containers and can be deployed on nearly all Kubernetes or container platforms, whether on-premises, hosted, or in the cloud. As a scale-out application, Anchore Enterprise can start small and grow to scan thousands of software artifacts. Anchore solutions architects can help you determine the best architecture based on your budget and use case.

You can use multiple subscriptions of the same tier in a single installation to increase the number of Analyzers, but a single installation may not contain subscriptions from different tiers.
