Anchore
anchore.com
@anchore.com
Securing and managing the software supply chain. Proud parent of @syftproject.bsky.social and @grypeproject.bsky.social
Looking for advanced jq recipes or detailed config guides? You won't find them in the repo anymore.

We've launched a dedicated docs site to capture the things that don't fit neatly into a README.

Read the launch post by @alexgoodman87: https://anchore.com/blog/anchore-oss-docs-have-a-new-home/
December 20, 2025 at 4:47 PM
Runtime intelligence without the redeployment headache. 🧠

"Anchore scans SBOMs built whenever: five months from now, six months ago, 30 years in the future."

When the next zero-day hits, will you spend months... https://anchore.com/blog/the-death-of-manual-sbom-management-and-an-automated-future/
December 20, 2025 at 1:51 AM
Is your AI writing code or just copy-pasting bugs? 🐛

On @techstronggroup.bsky.social, our VP Security Josh Bressers warns of "Hidden Dependencies": AI copies vulnerable logic but skips the package manifest your scann... https://techstrong.ai/contributed-content/the-curious-case-of-ai-dependencies/
December 19, 2025 at 8:09 PM
FedRAMP compliance doesn't have to be a manual headache. 🏛️

We've added new DISA STIG profiles for Tomcat and NGINX. Automate validation for your web servers and speed up your authorization process.

https://anchore.com/blog/anchore-enterprise-5-24/
December 19, 2025 at 3:43 AM
MCP is having a moment. @josh.bressers.name wanted to know: what are we actually shipping?

9,000 vulns
263 critical findings
36K+ NPM packages
Outdated base images

Not fear-mongering—just data-driven real... https://anchore.com/blog/analyzing-the-top-mcp-docker-containers/

#MCP #ContainerSecurity
December 19, 2025 at 1:21 AM
"Bring Your Own SBOM" sounds simple...

Until you try to manage thousands of them 📊

Scale is everything 📈

https://anchore.com/platform/sbom/

#SoftwareSupplyChain #SBOM #CyberSecurity #Compliance #DevSecOps
December 19, 2025 at 12:24 AM
Shift-left compliance checking ⬅️

Catch violations before deployment, not during audits 🛡️

https://anchore.com/platform/enforce/

#SoftwareSupplyChain #SBOM #CyberSecurity #Compliance
December 18, 2025 at 11:18 PM
@josh.bressers.name scanned 161 MCP containers. Found 9k vulnerabilities. 263 were critical.
"Software ages like milk, not wine." His analysis breaks down what's actually being deployed in the MCP ecosystem and what to do about it. https://anchore.com/blog/analyzing-the-top-mcp-docker-containers/
December 18, 2025 at 10:44 PM
Open source maintainers: drowning in a sea of "good first issues" that never get picked up? You're not alone.

It's a contributor time-shortage problem. Our Dir of DevRel @popey.me wondered if an AI could help. So ... https://anchore.com/blog/can-an-llm-really-fix-a-bug-a-start-to-finish-case-study/
December 18, 2025 at 9:50 PM
Stop guessing what "GPL-ish" means. Grant groups licenses by risk so you can approve/deny in seconds. One list, not fifty rules.

👉 https://anchore.com/blog/grants-release-0-3-0-smarter-policies-faster-scans-and-simpler-compliance/

#OpenSource #SupplyChainSecurity #Compliance #DevSecOps
December 18, 2025 at 1:29 AM
Rust is secure by design, but your supply chain might not be. 🔒

Don't let your container images become a blind spot. @tyranhenry breaks down the best practices for securing Rust crates in our latest blog.

https://anchore.com/blog/beyond-cargo-audit-securing-your-rust-crates-in-container-images/
December 17, 2025 at 10:20 PM
We've reached a new inflection point. 📈

Syft, Grype, and Grant have grown way beyond a single GitHub page. We finally built a space that matches the maturity of our tools. @alexgoodman87 introduces oss.anchore.com—the new home for Anch... https://anchore.com/blog/anchore-oss-docs-have-a-new-home/
December 17, 2025 at 8:39 PM
⏰ We are live for the latest Anchore Release webinar in one hour. Join us to see demos including native filesystem scanning and compliance assessments for imported SBOMs.

👉 https://go.anchore.com/anchore-enterprise-Q4-release.html
December 17, 2025 at 5:00 PM
Stop checking boxes and start building trust. 🛡️

"Establishing trust starts with verifying the provenance of OSS code and validating supplier SBOMs."

At enterprise scale, you can't trust what you can't verify. https://anchore.com/blog/the-death-of-manual-sbom-management-and-an-automated-future/
December 17, 2025 at 5:00 AM
React isn't the problem. Next.js is. 🛡️

Josh Bressers (Anchore) joined the Paul's Security Weekly show to explain why the panic over the React vuln was misplaced, and why Next.js defaults are the real danger zone (34:20).

He also dives int...
https://youtu.be/e6yvNJnGRM8?si=X6UJ21-xAfLZTN6P&t=2062
December 16, 2025 at 9:04 PM
Last call! We're joining ITGRC to discuss NIST 2.0 failures & supply chain resilience tomorrow 10am PT. If you want to move beyond the "checkbox" mentality, this is for you.... https://www.executiveitforums.org/index.php/11032-cpe-nist-2-0-common-failures-and-their-impact-on-cybersecurity-resilience
December 16, 2025 at 8:24 PM
Tomorrow is the Anchore Enterprise Q4 Launch webinar. We are showing how to handle false positives more effectively by annotating vulnerabilities & generating VDRs (Vulnerability Disclosure Reports), & more. Join a live demo + Q&A.

👉 https://go.anchore.com/anchore-enterprise-Q4-release.html
December 16, 2025 at 6:50 PM
Stop juggling filters during a crisis. ⏱️

New in Anchore Enterprise 5.24: Paste a CVE or Advisory ID into a single search field to instantly see your total exposure across all SBOMs and images. Rapid response just got faster.

https://anchore.com/blog/anchore-enterprise-5-24/
December 15, 2025 at 9:32 PM
Typosquatting is bad, but our VP Security Josh Bressers warns that "Slopsquatting" is worse!

On the @techstronggroup.bsky.social AI blog, he explains how AI hallucinations allow attackers to hijack your builds. AI doe...
https://techstrong.ai/contributed-content/the-curious-case-of-ai-dependencies/
December 15, 2025 at 6:00 PM
The missing link for Rust security: How to bake your SBOM directly into your binary without the bloat. 🦀

Check out @tyranhenry's guide on using cargo-auditable to make your containers fully transparent to...
https://anchore.com/blog/beyond-cargo-audit-securing-your-rust-crates-in-container-images/
December 14, 2025 at 10:11 PM
Everyone wants perfect security from day one, but deadlines and real-world needs often get in the way. 🚧

You need a strategy that covers you when things go off-script.

See how Anchore x @chainguard.dev keeps you ... https://anchore.com/blog/start-safe-stay-secure-anchore-and-chainguard-libraries/
December 13, 2025 at 4:57 PM
We need to stop looking at just "packages" & start looking for the "atomic unit of software."

On Paul's Security Weekly, Josh Bressers discusses why surface-level SBOMs fail. If you aren't unzipping the "jars within jars," you are missing y...
https://youtu.be/e6yvNJnGRM8?si=U33AHltjh3FbnoY9&t=2816
December 13, 2025 at 3:51 AM
Don't just trust vendor software—verify it. 🛡️

Anchore Enterprise 5.24 lets you apply policy gates to imported SBOMs. Automatically block builds if a third-party SBOM violates your security standards. Turn visibility into enforcement.

https://anchore.com/blog/anchore-enterprise-5-24/
December 13, 2025 at 1:45 AM
Next week, @josh.bressers.name is joining a panel of experts to break down where orgs are failing with NIST 2.0, specifically around supply chain visibility, & how to fix it... https://www.executiveitforums.org/index.php/11032-cpe-nist-2-0-common-failures-and-their-impact-on-cybersecurity-resilience
December 12, 2025 at 11:42 PM