69 Followers
21 Following
1,052 Posts
Securing and managing the software supply chain. Proud parent of https://fosstodon.org/@syft and https://fosstodon.org/@grype
Anchore: https://anchore.com/
Blog: https://anchore.com/blog
Open Source: https://github.com/anchore/

Verifying software origins and integrity is a core part of zero-trust. Doing this in air-gapped environments adds complexity. Our guide provides a matrix mapping automated image inspection to specific NIST controls for government environments.
https://anchore.com/wp-content/uploads/2026/04/WP2026_The-Practitioners-Guide-Mapping-Container-Inspection-to-DoW-RMF-Controls.pdf

#NIST80053 #ZeroTrust #Security

How do you translate rigorous NIST 800-53 Risk Management Framework requirements into the automated world of containers? Achieving an ATO requires a technical blueprint.

Read our breakdown on baking compliance directly into the CI/CD pipeline.
https://anchore.com/blog/mapping-container-inspection-to-dow-rmf-controls/

#NIST80053 #CyberSecurity #DevOps

Anchore CRO Dan Nurmi poses a great question: "What if there's no evidence that that project exists at all on the internet?" With AI code assistants generating hallucinated library imports, malicious name-squatting is a real threat.

Our latest blog breaks down a data-pipeline approach to catching these non-existent packages. https://anchore.com/blog/threat-hunting-your-open-source-code/
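One way to operationalize the "does this project exist at all?" check described in the post, as an added example (not Anchore's code and not the pipeline from the linked blog): parse a requirements file, normalize each name the way the package index does, and report names that are absent from the index. An absent name within a small edit distance of a real package is flagged separately as a possible typosquat, since that is the case an attacker is most likely to register. The index set, the requirements text and the distance threshold are all constructed assumptions; a real pipeline would replace the set with a registry lookup.

```python
"""Flag dependency names with no evidence of existence in a package index.

Added example, not Anchore's code. KNOWN_PACKAGES is a constructed stand-in
for a real index lookup (e.g. querying PyPI); SAMPLE_REQUIREMENTS is also
constructed. A name absent from the index is reported as "nonexistent"
(candidate hallucinated import that could be squatted); an absent name within
MAX_DIST edits of a known package is reported as "lookalike" (possible
typosquat of a real project).
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed stand-in for a registry index, already in normalized form.
KNOWN_PACKAGES: Set[str] = {
    "requests", "numpy", "pyyaml", "cryptography", "boto3", "flask",
}
MAX_DIST = 2  # assumption: edits at or below this count as a lookalike


@dataclass(frozen=True)
class Finding:
    name: str               # name as written in the requirements file
    verdict: str            # "ok", "nonexistent" or "lookalike"
    nearest: Optional[str]  # closest known package when verdict is "lookalike"


def normalize(name: str) -> str:
    """PEP 503-style normalization: lowercase, runs of [-_.] become '-'."""
    return re.sub(r"[-_.]+", "-", name).lower()


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance via the standard two-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def check_dependency(name: str, known: Set[str] = KNOWN_PACKAGES,
                     max_dist: int = MAX_DIST) -> Finding:
    """Classify one dependency name against the index."""
    n = normalize(name)
    if n in known:
        return Finding(name, "ok", None)
    # Absent from the index: decide whether it imitates something real.
    nearest = min(sorted(known), key=lambda k: edit_distance(n, k))
    if edit_distance(n, nearest) <= max_dist:
        return Finding(name, "lookalike", nearest)
    return Finding(name, "nonexistent", None)


def parse_requirements(text: str) -> List[str]:
    """Minimal requirements.txt parser: drops comments, options and specifiers."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line or line.startswith("-"):
            continue
        m = re.match(r"[A-Za-z0-9][A-Za-z0-9._-]*", line)
        if m:
            names.append(m.group(0))
    return names


def triage(names: Iterable[str], known: Set[str] = KNOWN_PACKAGES) -> List[Finding]:
    return [check_dependency(n, known) for n in names]


# Constructed sample input; not taken from any real project.
SAMPLE_REQUIREMENTS = """\
# constructed requirements.txt used as sample input
requests==2.32.0
PyYAML>=6.0            # case and separators differ from the index entry
numpy
requestz==1.0          # one-letter typo of a real package
llm-vector-helpers     # no entry in the index at all
"""

if __name__ == "__main__":
    for f in triage(parse_requirements(SAMPLE_REQUIREMENTS)):
        extra = f" (nearest known: {f.nearest})" if f.nearest else ""
        print(f"{f.name:22} {f.verdict}{extra}")
```

The two verdicts deserve different handling: a "lookalike" should block the build until a human confirms the intended package, while a "nonexistent" name is the signal the post is about, a dependency that no registry knows, which should never reach a lockfile at all.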

Let's talk about pipeline friction. Usually, adding SBOM generation to your workflow just results in thousands of uncontextualized false positives being thrown over the fence at developers.

We curated a technical resource library showing how to automate generation, handle the massive JSON data sprawl, and actually reduce false positives directly within your CI/CD workflows.
https://go.anchore.com/introduction-to-sboms.html?utm_source=sbom-campaign&utm_medium=social&utm_campaign=2026-04

The UI is fine for general reporting, but the API is much faster for automation-focused teams. If you need to query vulnerabilities by ID across your entire inventory right now, we documented a zero-day response action plan and curl commands to get it done. https://anchore.com/blog/zero-day-response-rapid-impact-assessment/

The FOSS community builds the foundation of modern software, but we need better ways to evaluate project health. A vulnerability scanner misses systemic risks like an unmaintained or abandoned repository.

We recently explored how to gather OSINT on dependencies to proactively threat hunt supply chain risks. https://anchore.com/blog/threat-hunting-your-open-source-code/

🎥 Tomorrow!
2026 is the year of FedRAMP 20x, and it's changing everything for cloud-native engineering. 🛠️
We're breaking down:
🔹 Automating OSCAL-compliant logs
🔹 Streaming Key Security Indicators (KSIs)
🔹 Navigating AI governance overlays

Sign up: https://go.anchore.com/navigating-the-fedramp-pivot.html

#GovCloud #FedRAMP #InfoSec #OSCAL

Supply chain attacks ↗️ 742% in 2023

Your traditional security stack wasn't built for this fight.

SBOM-first architecture changes everything ⚡

https://anchore.com/platform/

#SoftwareSupplyChain #SBOM #CyberSecurity

Shift-left compliance checking ⬅️

Catch violations before deployment, not during audits 🛡️

https://anchore.com/platform/enforce/

#SoftwareSupplyChain #SBOM #CyberSecurity #Compliance

"Cybersecurity Awareness Month had its moment. It's over."

New from Anchore VP of Security, @Josh Bressers: ditch the calendar ritual. Instead, build trust daily.

Read: https://anchore.com/blog/cybersecurity-awareness-month-no-longer-works/