Anchore
@anchore.com
anchore.com
Securing and managing the software supply chain. Proud parent of @syftproject.bsky.social and @grypeproject.bsky.social
What you intended to build vs. what you actually built.

@stevespringett.bsky.social explains the power of the Manufacturing BOM to catch drift and compromise in the build pipeline. Don't trust the source;... https://anchore.com/blog/4-lessons-on-future-of-software-transparency-with-steve-springett/
December 6, 2025 at 9:37 PM
FedRAMP compliance in weeks, not months ⚡

Ready-to-deploy policy packs for instant compliance feedback 📋

https://anchore.com/platform/enforce/

#SoftwareSupplyChain #SBOM #CyberSecurity #Compliance
December 6, 2025 at 7:27 PM
The messy reality of user needs often forces orgs off the "golden path" of security. 🛣️

It happens. The key is what you do next.

Here is how Anchore + @chainguard.dev help you "Start Safe and Stay Secure" even wh...
https://anchore.com/blog/start-safe-stay-secure-anchore-and-chainguard-libraries/
December 5, 2025 at 2:21 AM
Storing millions of old build artifacts is expensive and inefficient for forensics.

@josh.bressers.name suggests a better way: "Rather than keeping old build artifacts around, we can instead just store their metadata as SBOMs."

https://anchore.com/blog/sbom-is-an-investment-in-the-future/
December 4, 2025 at 6:07 PM
"The format doesn't really matter... It's really about the content."

We hosted @stevespringett.bsky.social, Chair of the CycloneDX WG, to discuss why the industry needs to stop fighting format wars and st... https://anchore.com/blog/4-lessons-on-future-of-software-transparency-with-steve-springett/
December 3, 2025 at 2:30 AM
Seconds matter in a security incident.

"If you have a store of all your SBOMs, searching through them is extremely fast." - Anchore VP of Security @josh.bressers.name

Metadata over manual audits = instant impact analysis.

https://anchore.com/blog/sbom-is-an-investment-in-the-future/
December 1, 2025 at 6:07 PM
If you write code, buy software, or run apps (so... everyone in 2025), everything you know about software development is changing.

The "move fast and break things" era is now "move fast and document everything."

What's your compli... https://anchore.com/blog/navigating-the-new-compliance-frontier/
November 29, 2025 at 8:48 PM
@josh.bressers.name cuts through the complexity: "Your infrastructure could be a container image... how do you even start to understand what's inside?"

Stop guessing. Start using SBOMs. 💡

https://anchore.com/blog/sbom-is-an-investment-in-the-future/
November 28, 2025 at 8:23 PM
Reality Check: Container scanning finds known vulnerabilities. Source code scanning protects against the unknown exploits that attackers actually use.

Don't let a blind spot become a breach.

Read the ... https://anchore.com/blog/the-unseen-threat-why-you-need-to-scan-your-source-code-repositories/
November 27, 2025 at 8:53 PM
Syft & Grype have hit 40 million downloads!
A massive thank you to the open source community for trusting us to secure their software supply chains.
#OpenSource #SBOM #DevSecOps
https://anchore.com/opensource
November 26, 2025 at 10:30 PM
"SBOMs are fundamentally an investment for our future selves who will need to know what our software is made from."

Anchore VP of Security @josh.bressers.name explains why your SBOM strategy is the only way to pay down your security de...
https://anchore.com/blog/sbom-is-an-investment-in-the-future/
November 26, 2025 at 4:13 AM
Stop treating source code scanning and container scanning as "either/or."

They are complementary layers.

✅ Source: Catches bad deps & secrets early.
✅ Container: Catches OS & runtime risks.

You need...
https://anchore.com/blog/the-unseen-threat-why-you-need-to-scan-your-source-code-repositories/
November 24, 2025 at 9:03 PM
The OWASP Top 10 just added supply chain security.

But as @josh.bressers.name writes, just being on the list changes nothing. We don't solve systemic problems by buying a tool or just talking about them.
... https://anchore.com/blog/supply-chain-security-made-the-owasp-top-ten-this-changes-nothing/
November 22, 2025 at 4:50 PM
⚠️ The Timing Gap: By the time you scan a container image, package installation scripts have already run with full privileges.

If that package was malicious, it's already too late.

Stop the threat at ... https://anchore.com/blog/the-unseen-threat-why-you-need-to-scan-your-source-code-repositories/
November 21, 2025 at 6:13 PM
**Last Chance! We start in ONE HOUR!** ⏳ Neil Levine and Nurit from Echo are ready to show you the proactive path to container security.
Get the playbook for eliminating vulnerabilities at the source and... https://go.anchore.com/anchore-and-echo.html
#hardenedimages #ContainerSecurity #Anchore #Echo
November 21, 2025 at 2:50 AM
🚨 **Final Call: Just 24 Hours Until Our Live Demo!** 🚨
Tomorrow, we and our friends at Echo are showing you how to quit the vulnerability patching cycle for good. If your team is buried under a backlog of cont... https://go.anchore.com/anchore-and-echo.html #DevSecOps #ContainerSecurity #FinalCall
November 20, 2025 at 3:59 AM
"The cavalry isn't coming to save us, we are the cavalry."

A powerful call to action from @josh.bressers.name on the new OWASP #3.

Stop waiting for a tool to solve supply chain security. We h... https://anchore.com/blog/supply-chain-security-made-the-owasp-top-ten-this-changes-nothing/

#OWASPTop10
November 19, 2025 at 10:39 PM
Container scanning checks if your ingredients are fresh. Source code scanning checks if your recipe is poisoned. 🍲☠️

If you aren't doing both, you're only seeing half the risk.

Read why you need to s... https://anchore.com/blog/the-unseen-threat-why-you-need-to-scan-your-source-code-repositories/
November 19, 2025 at 5:41 AM
With the EU's Cyber Resilience Act, #SoftwareTransparency isn't optional. It's a global mandate.

We're thrilled to announce #SBOM pioneer @allanfriedman.bsky.social is joining the Anchore board to help nav... https://anchore.com/blog/anchore-welcomes-sbom-pioneer-dr-allan-friedman-as-board-advisor/
November 17, 2025 at 6:16 PM
The new OWASP entry isn't "Software Supply Chain Failures."

It's "'Random software I found in the couch cushions that I don't understand.'"

A hilarious, and painfully true, take from @josh.bressers.name ... https://anchore.com/blog/supply-chain-security-made-the-owasp-top-ten-this-changes-nothing/
November 16, 2025 at 7:57 PM
Vulnerability scanners → what's there
VEX → what it means

Anchore Enterprise 5.23 adds CycloneDX VEX/VDR support. Software publishers can now share authoritative vulnerability context across their entire supply chain.

https://anchore.com/blog/anchore-enterprise-5-23-cyclonedx-vex-and-vdr-support/
November 15, 2025 at 11:50 PM
We've partnered with @allanfriedman.bsky.social for years on "SBOM-a-Rama" & VEX. Today, we're thrilled to announce the primary architect of the #SBOM movement is joining the Anchore Board of Advisors.

A s... https://anchore.com/blog/anchore-welcomes-sbom-pioneer-dr-allan-friedman-as-board-advisor/
November 14, 2025 at 9:57 PM
The biggest fear in B2B sales right now? An auditor saying, "You didn't do the reasonable thing... what everybody else is doing."

The "reasonable" standard is being... https://anchore.com/blog/the-eu-cra-compliance-cascade-why-your-customers-and-acquirers-now-demand-a-verifiable-devsecops-pipeline/
November 14, 2025 at 8:22 PM
If you write code, buy software, or run apps (so... everyone in 2025), everything you know about software development is changing.

The "move fast and break things" era is now "move fast and document everything."

What's your compli... https://anchore.com/blog/navigating-the-new-compliance-frontier/
November 14, 2025 at 6:11 PM