Anchore
@anchore.com
anchore.com
Securing and managing the software supply chain. Proud parent of @syftproject.bsky.social and @grypeproject.bsky.social
Shift-left compliance checking ⬅️

Catch violations before deployment, not during audits 🛡️

https://anchore.com/platform/enforce/

#SoftwareSupplyChain #SBOM #CyberSecurity #Compliance
December 18, 2025 at 11:18 PM
@josh.bressers.name scanned 161 MCP containers. Found 9k vulnerabilities. 263 were critical.
"Software ages like milk, not wine." His analysis breaks down what's actually being deployed in the MCP ecosystem and what to do about it. https://anchore.com/blog/analyzing-the-top-mcp-docker-containers/
December 18, 2025 at 10:44 PM
Open source maintainers: drowning in a sea of "good first issues" that never get picked up? You're not alone.

It's a contributor time-shortage problem. Our Dir of DevRel @popey.me wondered if an AI could help. So ... https://anchore.com/blog/can-an-llm-really-fix-a-bug-a-start-to-finish-case-study/
December 18, 2025 at 9:50 PM
Stop guessing what "GPL-ish" means. Grant groups licenses by risk so you can approve/deny in seconds. One list, not fifty rules.

👉 https://anchore.com/blog/grants-release-0-3-0-smarter-policies-faster-scans-and-simpler-compliance/

#OpenSource #SupplyChainSecurity #Compliance #DevSecOps
December 18, 2025 at 1:29 AM
Rust is secure by design, but your supply chain might not be. 🔒

Don't let your container images become a blind spot. @tyranhenry breaks down the best practices for securing Rust crates in our latest blog.

https://anchore.com/blog/beyond-cargo-audit-securing-your-rust-crates-in-container-images/
December 17, 2025 at 10:20 PM
We've reached a new inflection point. 📈

Syft, Grype, and Grant have grown way beyond a single GitHub page. We finally built a space that matches the maturity of our tools. @alexgoodman87 introduces oss.anchore.com—the new home for Anch... https://anchore.com/blog/anchore-oss-docs-have-a-new-home/
December 17, 2025 at 8:39 PM
⏰ We are live for the latest Anchore Release webinar in one hour. Join us to see demos including native filesystem scanning and compliance assessments for imported SBOMs.

👉 https://go.anchore.com/anchore-enterprise-Q4-release.html
December 17, 2025 at 5:00 PM
Stop checking boxes and start building trust. 🛡️

"Establishing trust starts with verifying the provenance of OSS code and validating supplier SBOMs."

At enterprise scale, you can't trust what you can't verify. https://anchore.com/blog/the-death-of-manual-sbom-management-and-an-automated-future/
December 17, 2025 at 5:00 AM
React isn't the problem. Next.js is. 🛡️

Josh Bressers (Anchore) joined the Paul's Security Weekly show to explain why the panic over the React vuln was misplaced, and why Next.js defaults are the real danger zone (34:20).

He also dives int...
https://youtu.be/e6yvNJnGRM8?si=X6UJ21-xAfLZTN6P&t=2062
December 16, 2025 at 9:04 PM
Last call! We're joining ITGRC to discuss NIST 2.0 failures & supply chain resilience tomorrow 10am PT. If you want to move beyond the "checkbox" mentality, this is for you.... https://www.executiveitforums.org/index.php/11032-cpe-nist-2-0-common-failures-and-their-impact-on-cybersecurity-resilience
December 16, 2025 at 8:24 PM
Tomorrow is the Anchore Enterprise Q4 Launch webinar. We are showing how to handle false positives more effectively by annotating vulnerabilities & generating VDRs (Vulnerability Disclosure Reports), & more. Join a live demo + Q&A.

👉 https://go.anchore.com/anchore-enterprise-Q4-release.html
December 16, 2025 at 6:50 PM
Stop juggling filters during a crisis. ⏱️

New in Anchore Enterprise 5.24: Paste a CVE or Advisory ID into a single search field to instantly see your total exposure across all SBOMs and images. Rapid response just got faster.

https://anchore.com/blog/anchore-enterprise-5-24/
December 15, 2025 at 9:32 PM
Typosquatting is bad, but our VP Security Josh Bressers warns that "Slopsquatting" is worse!

On the @techstronggroup.bsky.social AI blog, he explains how AI hallucinations allow attackers to hijack your builds. AI doe...
https://techstrong.ai/contributed-content/the-curious-case-of-ai-dependencies/
December 15, 2025 at 6:00 PM
The missing link for Rust security: How to bake your SBOM directly into your binary without the bloat. 🦀

Check out @tyranhenry's guide on using cargo-auditable to make your containers fully transparent to...
https://anchore.com/blog/beyond-cargo-audit-securing-your-rust-crates-in-container-images/
December 14, 2025 at 10:11 PM
Everyone wants perfect security from day one, but deadlines and real-world needs often get in the way. 🚧

You need a strategy that covers you when things go off-script.

See how Anchore x @chainguard.dev keeps you ... https://anchore.com/blog/start-safe-stay-secure-anchore-and-chainguard-libraries/
December 13, 2025 at 4:57 PM
We need to stop looking at just "packages" & start looking for the "atomic unit of software."

On Paul's Security Weekly, Josh Bressers discusses why surface-level SBOMs fail. If you aren't unzipping the "jars within jars," you are missing y...
https://youtu.be/e6yvNJnGRM8?si=U33AHltjh3FbnoY9&t=2816
December 13, 2025 at 3:51 AM
Don't just trust vendor software—verify it. 🛡️

Anchore Enterprise 5.24 lets you apply policy gates to imported SBOMs. Automatically block builds if a third-party SBOM violates your security standards. Turn visibility into enforcement.

https://anchore.com/blog/anchore-enterprise-5-24/
December 13, 2025 at 1:45 AM
Next week, @josh.bressers.name is joining a panel of experts to break down where orgs are failing with NIST 2.0, specifically around supply chain visibility, & how to fix it... https://www.executiveitforums.org/index.php/11032-cpe-nist-2-0-common-failures-and-their-impact-on-cybersecurity-resilience
December 12, 2025 at 11:42 PM
Compliance doesn't have to mean endless spreadsheets. 📉

@stevespringett.bsky.social on machine-readable attestations: "A single attestation can attest to multiple standards simultaneously. This saves a l... https://anchore.com/blog/4-lessons-on-future-of-software-transparency-with-steve-springett/
December 12, 2025 at 9:00 PM
Bringing your own SBOMs? You can finally enforce policy on them. Anchore Enterprise 5.24 allows compliance assessments against any imported SBOM, not just the ones we generate. See how it works in our launch release webinar.

Register at: https://go.anchore.com/anchore-enterprise-Q4-release.html
December 12, 2025 at 5:49 PM
Timestamp differences? Build machine variances? 🏗️

Relying on cargo.lock for production scanning is a security risk. Anchore Technical Support Lead @tyranhenry explains why file-based scanning fails for ... https://anchore.com/blog/beyond-cargo-audit-securing-your-rust-crates-in-container-images/
December 12, 2025 at 2:50 AM
Don't begin your security process by scrubbing vulns from unvetted public components. That's a losing battle.

✅ Start with a pristine base
✅ Automate validation
✅ Trust, but verify

Read more: https://anchore.com/blog/start-safe-stay-secure-anchore-and-chainguard-libraries/
December 11, 2025 at 3:57 AM
Syft & Grype have hit 40 million downloads!
A massive thank you to the open source community for trusting us to secure their software supply chains.
#OpenSource #SBOM #DevSecOps
https://anchore.com/opensource
December 11, 2025 at 1:32 AM
NIST 2.0 brings a new focus on "Govern," but also new implementation hurdles.

@josh.bressers.name is live Dec 17 to discuss why orgs are struggling to adapt & how to fix "c... https://www.executiveitforums.org/index.php/11032-cpe-nist-2-0-common-failures-and-their-impact-on-cybersecurity-resilience
December 10, 2025 at 11:58 PM