organizations of all sizes.
An Analyzer is a software process that runs in your Kubernetes cluster and processes container images one at a time. Depending on the deployment model, processing tasks can include downloading an image, generating a software bill of materials (SBOM), generating a vulnerability list, or performing policy evaluations. Two Analyzers allow you to process two container images simultaneously.
AnchoreCTL is a client that can run inside your CI/CD platform to generate an SBOM as part of a CI/CD build. AnchoreCTL scans an image locally to generate an SBOM and then sends it to Anchore Enterprise. An Analyzer then uses the SBOM to generate a vulnerability list and perform policy evaluations. This can significantly reduce the time to pass/fail a build in your CI/CD pipeline.
The time can vary based on a number of factors including image size and complexity, as well as CPU speed and memory. If an image has to be downloaded from a registry, network latency can also be a factor. General benchmarks for images that have to be downloaded from a registry range from a few seconds to a few minutes for typical very large containers. When AnchoreCTL has been used to scan images in your CI/CD pipeline and generate an SBOM, the Analyzer time is reduced because the Analyzer does not have to generate the SBOM itself.
Each subscription provides two additional Analyzers, allowing you to process more images concurrently. In cases where delivery time is a concern, increasing the number of Analyzers available will increase image processing throughput. In addition, if you need an Anchore installation for multiple IL environments, you will need to purchase at least one subscription per environment (e.g. IL2, IL5, etc.). Please contact sales for larger environments that need to scale above 50,000 images processed per month.
Typical teams start with installations of 4-16 Analyzers (2-8 subscriptions) for securing their container-based applications. For federal programs and agencies that secure a larger number of applications and need high throughput capacity, more Analyzers may be desired. For classified environments, a minimum of two subscriptions is typical. Anchore Solution Architects can help you determine the right size for your current and expected needs.
Each Anchore Enterprise installation must have at least one valid subscription with two Analyzers associated with it. One subscription includes two Analyzers. Subscriptions may not be divided across installations. If you have four subscriptions you may only split your eight Analyzers into groupings of two (e.g. 2, 4, 6, 8).
Analyzers can only be moved in groups of two (i.e., as a whole subscription). Subscriptions may be moved from one installation to another provided all subscriptions in an installation are of the same tier. Subscriptions must be moved whole; partial or disaggregated subscription moves are not allowed.
Anchore Enterprise itself is delivered as a set of containers and can be deployed on nearly all Kubernetes or container platforms, whether on-premises, hosted, or in a cloud provider. As a scale-out application, Anchore can start small and grow to scan thousands of containers. Anchore Solution Architects can help you determine the best architecture based on your budget and use case.
Multiple subscriptions of the same tier can be used in a single installation to increase the number of Analyzers, but a single installation may not contain subscriptions from different tiers.