Beyond The CVE: Deep Container Analysis with Anchore
<p>As an Associate Professor of Cybersecurity, I spend a lot of time thinking about risk, and increasingly, that risk lives within the software supply chain. The current industry focus on CVEs is a necessary, but ultimately insufficient, approach to securing modern, containerized applications.</p><p>Frankly, relying on basic vulnerability scanning alone is like putting a single padlock on a vault with an open back door: it gives a false sense of security. If we are serious about container security, we need to go beyond the patch-and-pray cycle and start enforcing comprehensive, deep inspection.</p><h2 class="wp-block-heading" id="h-the-limitation-of-cve-only-scanning"><strong>The Limitation of CVE-Only Scanning</strong></h2><p>The vast majority of
container security tools trumpet their ability to find CVEs or <a href="https://anchore.com/blog/hardened-images-are-here-to-stay/">remove all CVEs from base images</a>. Identifying known vulnerabilities is crucial, but it addresses only one facet of risk. What about the other, often more insidious, security pitfalls?</p><ul class="wp-block-list"> <li><strong>Misconfigurations:</strong> An application might have zero known vulnerabilities, but if a critical configuration file is improperly set (e.g., unnecessary exposed ports, weak file permissions, root login left enabled), the image is fundamentally insecure.</li> <li><strong>Hidden Secrets:</strong> The accidental inclusion of API keys, SSH keys, or database credentials is a depressingly common issue. A CVE scanner won’t catch these, but a single leaked secret can lead to total environment compromise.</li> <li><strong>Supply Chain Integrity:</strong> Is every package in your image one you allow? Are you building from specific, approved base images? Unauthorized or denylisted packages introduce unknown, unvetted risk.</li> <li><strong>License and attestation:</strong> Do the licenses of your components meet your legal obligations, and can you prove where the image came from? Accurate license data and build attestations let you show that every component meets legal and organizational requirements, reducing risk and supporting a transparent supply chain.</li> </ul><p>I’ve seen firsthand how a policy failure, not a zero-day, is often the weakest link. True security means moving from a reactive model of patching what’s known to a proactive model of enforcing what’s correct.</p><h2 class="wp-block-heading" id="block-1f937e2d-e27b-4599-b058-16767d52723e"><strong>Deeper Analysis with Anchore</strong></h2><p id="block-f1274231-421b-4444-9553-24cffb8f28e9">This is where a tool like Anchore becomes essential. Anchore shifts the focus from merely reporting CVEs to enforcing a robust security and compliance policy based on a complete understanding of the container image.
It allows us to codify security expectations directly into the CI/CD pipeline.</p><p id="block-5c9d6db7-4ae6-406b-a206-6c15babe5a44">Here’s how Anchore enables a deep inspection that goes far beyond the basic vulnerability database:</p><h3 class="wp-block-heading" id="block-600d08d7-6b3e-4963-af37-913bacbfb054"><strong>1. Configuration File Compliance</strong></h3><p id="block-0f329255-0099-46b7-942d-f2e65b084a84">Anchore analyzes the actual contents and structure of configuration files within your image.</p><p><strong>Example:</strong> You can enforce a policy that fails any image where the file <code>/etc/ssh/sshd_config</code> contains the line <code>PermitRootLogin yes</code>. This policy ensures that a critical security best practice is always followed, irrespective of any package’s CVE status.</p><p id="block-0b518f78-fd45-48f1-9ab2-436781f81153">Anchore Enterprise’s Policy Engine is where these checks are expressed. Policies are built from a hierarchy of gates, triggers, and actions; you can read more about policy and its components in my previous blog post: <a href="https://anchore.com/blog/automate-your-compliance-how-anchore-enforce-secures-the-software-supply-chain/">Automate Your Compliance: How Anchore Enforce Secures the Software Supply Chain</a>.</p><p>Let’s add a rule that fails the build of any image where <code>/etc/ssh/sshd_config</code> contains <code>PermitRootLogin yes</code>. To check configuration files against security best practices, you use the <strong><code>retrieved_files</code></strong> policy gate.
This gate lets Anchore evaluate the contents of files that were retrieved from the image at analysis time, so misconfigurations can be detected and acted on like any other policy finding. One caveat a practitioner should know: the gate can only evaluate files the analyzer was told to retrieve. If <code>/etc/ssh/sshd_config</code> is not on the analyzer’s file-retrieval list, the rule has nothing to inspect and will never fire, so confirm the path is actually retrieved before relying on the rule as a gate.</p><p>Learn more about the <code>retrieved_files</code> gate here: <a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/retrieved_files/">Anchore Documentation – Gate: retrieved_files</a>.</p><p>To add a new rule:</p><ol class="wp-block-list"> <li>Open the policy you want to edit.</li> <li>Add a new rule.</li> <li>In the Gate dropdown menu, select <code>retrieved_files</code>.</li> <li>Choose the trigger that matches file content against a regular expression.</li> <li>Specify the file path (here <code>/etc/ssh/sshd_config</code>).</li> <li>Enter the regex pattern you want to detect. Anchor it to the start of a line (for example <code>^\s*PermitRootLogin\s+yes</code>) so that the commented-out <code>#PermitRootLogin</code> line that stock <code>sshd_config</code> files ship with does not produce a false positive.</li> <li>Set the action to <code>STOP</code>, then apply the new rule and save the updated policy.</li> </ol><figure class="wp-block-image size-large"><img fetchpriority="high" decoding="async" width="1024" height="382" src="https://anchore.com/wp-content/uploads/2025/10/image-10-1024x382.png" alt="" class="wp-image-987475760" srcset="https://anchore.com/wp-content/uploads/2025/10/image-10-1024x382.png 1024w, https://anchore.com/wp-content/uploads/2025/10/image-10-300x112.png 300w, https://anchore.com/wp-content/uploads/2025/10/image-10-768x287.png 768w, https://anchore.com/wp-content/uploads/2025/10/image-10-1536x573.png 1536w, https://anchore.com/wp-content/uploads/2025/10/image-10.png 1600w" sizes="(max-width: 1024px) 100vw, 1024px"></figure><div style="height:25px" aria-hidden="true" class="wp-block-spacer"></div><h3 class="wp-block-heading" id="block-1a8a8ad7-ff7a-4759-9b9a-7d4fc4167444"><strong>2.
Image Whitelists and Blacklists</strong></h3><p id="block-7c7ea9b4-97d0-46b9-ad55-9d715e4cb8e8">Moving beyond just patching vulnerabilities, Anchore allows you to control the universe of components that make up your image.</p><ul id="block-d92ac185-e4ca-421b-bf69-ccefcf2e39da" class="wp-block-list"> <li><strong>Denylisting:</strong> Automatically fail an image if it contains an unapproved or deprecated package, such as an old version of python2 or a specific cryptomining library that slipped past a developer.</li> </ul><figure class="wp-block-image" id="block-1c3d1162-e46e-448d-9df4-a68355455fb2"><img decoding="async" src="https://anchore.com/wp-content/uploads/2025/10/image-8.png" alt=""></figure><ul id="block-36c9a495-ecdd-46de-9ded-6942bc46cf35" class="wp-block-list"> <li><strong>Allowlisting:</strong> Enforce that <em>only</em> packages from a specific, trusted vendor or build are permitted, ensuring that all components adhere to strict internal quality standards.</li> </ul><figure class="wp-block-image" id="block-7e49e5da-2691-432c-9229-6c1535da9d97"><img decoding="async" src="https://anchore.com/wp-content/uploads/2025/10/image-9.png" alt=""></figure><p id="block-70fa879a-056f-4d4e-a0b9-ad5994dd1b8c">Note that the allowlists described in the Anchore documentation are policy exceptions: an allowlist suppresses specific rule matches (for example, a finding you have reviewed and accepted) for the images a mapping covers, rather than defining the set of permitted packages. Use them deliberately and review them regularly, because every allowlist entry is an exemption until someone removes it. You can read more about allowlists here: <a href="https://docs.anchore.com/current/docs/compliance_management/allowlists/">Anchore Documentation — Allowlists</a></p><p id="block-982de8b9-1fa7-41ba-86a2-f491eb2cbefb">Anchore goes beyond traditional CVE scanning by giving teams precise control over what is and isn’t allowed in their container images, enabling proactive, policy-driven security that aligns with their organization’s unique compliance and quality standards.</p><h3 class="wp-block-heading" id="block-0eced70d-5a55-4374-a629-b2a70640dd3c"><strong>3.
Secret and Credential Detection</strong></h3><p id="block-4cb9cb31-ad3e-4439-91c9-b83de3ceb372">Perhaps the most critical “non-CVE” check is secret and credential scanning. Anchore uses the <code>secret_scans</code> gate to scan the filesystem of the container image for patterns matching sensitive data.</p><p id="block-a425254b-a51b-41d6-9d0d-3392028f4a99">For example, using this gate you can set a rule that fails the image build if any file contains a string matching the AWS secret key pattern or a standard-format SSH private key. This goes beyond traditional CVE scanning and prevents catastrophic credential leakage <em>before</em> the image ever hits a registry. Two caveats apply. Pattern matching produces both false positives (test fixtures that look like keys) and false negatives (credentials in a format no pattern covers), so treat it as a backstop for keeping secrets out of build contexts, not a replacement. And any real credential that a failed build catches must still be rotated: it already existed in a build environment and in the image layer the scan found it in.</p><figure class="wp-block-image" id="block-7ea85954-6a73-4e76-8a91-271e40640e88"><img decoding="async" src="https://anchore.com/wp-content/uploads/2025/10/image-12-1024x408.png" alt=""></figure><p id="block-3c074c83-ba75-40c1-a9e3-f87909b078b5">Read more about this gate here: <a href="https://docs.anchore.com/current/docs/compliance_management/policy_gates/secret_scans/">Anchore Documentation — Gate: secret_scans</a></p><h3 class="wp-block-heading" id="block-c0b3063c-13e3-4ad4-9497-b9a0934b900e"><strong>4. Licensing and Attestation</strong></h3><p id="block-3899676a-6107-4606-a24c-4a9b2e7d0965">For comprehensive software supply chain hygiene, Anchore also allows policies around component licensing, ensuring you meet legal and compliance obligations for open source usage.
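</p><p>Putting the four checks discussed in sections 1 through 4 into a single policy, as an added example: the bundle below is not from the original post or from Anchore’s own documentation. It is written in the Anchore Enterprise policy bundle JSON format, with gate, trigger and parameter names taken from the gate references linked in this post; the bundle, policy, mapping and rule ids, the denylisted package (<code>python2</code>), the regex, and the secret pattern names (<code>AWS_SECRET_KEY</code> and <code>PRIV_KEY</code>, which are the default pattern names in the analyzer configuration) are assumptions for illustration. Verify every parameter name against the gate documentation for the Anchore Enterprise version you run before activating it.</p>

```json
{
  "id": "deep-inspection-bundle",
  "version": "1_0",
  "name": "Beyond the CVE: deep inspection",
  "comment": "Added example, not from the original post. Ids, the denylisted package, the secret pattern names and the regex are assumed. The retrieved_files rule only evaluates files the analyzer retrieved, so /etc/ssh/sshd_config must be on the analyzer's file-retrieval list or the rule never fires.",
  "whitelisted_images": [],
  "blacklisted_images": [],
  "whitelists": [],
  "mappings": [
    {
      "id": "map-all-images",
      "name": "All images",
      "registry": "*",
      "repository": "*",
      "image": { "type": "tag", "value": "*" },
      "policy_ids": ["deep-inspection-policy"],
      "whitelist_ids": []
    }
  ],
  "policies": [
    {
      "id": "deep-inspection-policy",
      "name": "Deep inspection (non-CVE checks)",
      "version": "1_0",
      "comment": "Section 1: config file content. Section 2: package denylist. Section 3: secret patterns. Section 4: license denylist.",
      "rules": [
        {
          "id": "cfg-01-sshd-permit-root-login",
          "gate": "retrieved_files",
          "trigger": "content_regex",
          "action": "STOP",
          "params": [
            { "name": "path",  "value": "/etc/ssh/sshd_config" },
            { "name": "check", "value": "match" },
            { "name": "regex", "value": "(^|\\n)[ \\t]*PermitRootLogin[ \\t]+yes" }
          ]
        },
        {
          "id": "pkg-01-deny-python2",
          "gate": "packages",
          "trigger": "blacklist",
          "action": "STOP",
          "params": [
            { "name": "name", "value": "python2" }
          ]
        },
        {
          "id": "sec-01-aws-secret-key",
          "gate": "secret_scans",
          "trigger": "content_regex_checks",
          "action": "STOP",
          "params": [
            { "name": "content_regex_name", "value": "AWS_SECRET_KEY" },
            { "name": "match_type", "value": "found" }
          ]
        },
        {
          "id": "sec-02-private-key",
          "gate": "secret_scans",
          "trigger": "content_regex_checks",
          "action": "STOP",
          "params": [
            { "name": "content_regex_name", "value": "PRIV_KEY" },
            { "name": "match_type", "value": "found" }
          ]
        },
        {
          "id": "lic-01-deny-gpl-2.0-only",
          "gate": "licenses",
          "trigger": "blacklist_exact_match",
          "action": "STOP",
          "params": [
            { "name": "licenses", "value": "GPL-2.0-only" }
          ]
        }
      ]
    }
  ]
}
```

<p>To use it, save the bundle as a file, load it with <code>anchorectl policy add &lt;file&gt;</code>, activate it, and evaluate an image with <code>anchorectl image check --detail &lt;image&gt;</code> (confirm the exact subcommands and flags for your anchorectl version). Every rule uses <code>STOP</code>, so a single match fails the evaluation; start a new rule at <code>WARN</code> while you measure its false-positive rate against the images you already ship, then promote it to <code>STOP</code> once the matches are clean. The regex in the first rule is anchored to a line start so that a commented-out <code>#PermitRootLogin</code> line in a stock <code>sshd_config</code> does not trigger it.</p><p>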
You can also enforce build-time attestation, ensuring the image was built by an approved CI/CD system and hasn’t been tampered with.</p><p id="block-1c15c37e-0ae6-4f60-9fcb-021e5ceb5ed8"><strong>Example: Enforcing License Denylists</strong></p><p id="block-202a153b-aa24-4839-b281-c83ee681fe65">A critical part of software supply chain policy is preventing the accidental use of components licensed under terms your organization has not approved. Anchore’s <code>licenses</code> gate provides denylist triggers (an exact match on a license identifier, or a partial match) that fail an image when any package carries a license you want to block.</p><p id="block-1d079487-afc7-4618-ac24-5adb0bd50954">Let’s say your organization must block strong copyleft licenses such as the GNU General Public License v2.0-only (<code>GPL-2.0-only</code>), because it requires that derivative works (such as your final application) be made available under the GPL when they are distributed.</p><p id="block-bc1b7778-9b3a-4bf3-b60f-a50338009e15"><strong>How Anchore Enforces This:</strong></p><p id="block-66f59f14-5d43-4b6e-a937-29d91b2894bf">Detection: Anchore scans the image and identifies every package licensed under GPL-2.0-only, using the license metadata recorded for each package.</p><p id="block-2c644aab-073e-408b-aaa5-9cb242d86f6d">Policy Rule: A rule is configured in the policy to target the license trigger, with <code>GPL-2.0-only</code> as the license parameter, and set the action to <code>STOP</code> if that license is detected in any installed package. A practical caveat: license detection is only as good as the metadata in the package database or SBOM. Packages that declare their license inaccurately, or vendored code with no package entry at all, will not be flagged, so a license gate complements legal review rather than replacing it.</p><figure class="wp-block-image" id="block-06f291a3-58b6-49f8-996f-87648cd4d247"><img decoding="async" src="https://anchore.com/wp-content/uploads/2025/10/image-11-1024x338.png" alt=""></figure><h2 class="wp-block-heading" id="block-2e300a2f-2baf-413a-a29f-bf3a5f199788"><strong>Conclusion: Dive Deep with Anchore Enterprise</strong></h2><p id="block-0d3dd5bc-2dc5-496d-9234-efc9fa1b1a6a">As cybersecurity professionals, we must champion the shift from reactive vulnerability management to proactive policy enforcement.</p><p id="block-a388c70e-a434-4a68-88eb-9f6192ac4878">A CVE score
tells you about known weaknesses. Deep container analysis with Anchore Enterprise tells you whether the image <em>adheres to your organization’s definition of secure and compliant</em>.</p><p id="block-50db852c-4ada-4646-ac28-ebda8ddbcd63">The software supply chain is where the next major cybersecurity battles will be fought. By implementing deep inspection policies now, we can move beyond the CVE and build a truly resilient, defensible container infrastructure. We simply can’t afford to do less.</p><p>The post <a href="https://anchore.com/blog/beyond-the-cve-deep-container-analysis-with-anchore/">Beyond The CVE: Deep Container Analysis with Anchore</a> appeared first on <a href="https://anchore.com/">Anchore</a>.</p><p class="syndicated-attribution">*** This is a Security Bloggers Network syndicated blog from <a href="https://anchore.com/">Anchore</a> authored by <a href="https://securityboulevard.com/author/0/" title="Read other posts by Josh Sopuru">Josh Sopuru</a>. Read the original post at: <a href="https://anchore.com/blog/beyond-the-cve-deep-container-analysis-with-anchore/">https://anchore.com/blog/beyond-the-cve-deep-container-analysis-with-anchore/</a> </p>