The News
Anchore, a leader in cloud-native software composition analysis, announced the release of Anchore SBOM. This extension of its Anchore Enterprise platform provides comprehensive support for importing, managing, and analyzing externally generated Software Bills of Materials (SBOMs).
The new feature—Bring Your Own SBOM (BYOS)—enables organizations to ingest SBOMs from any tool that adheres to SPDX or CycloneDX standards. This update demonstrates how Anchore Enterprise is a centralized hub for software supply chain security, spanning internally developed and third-party software.
Analysis
As software supply chains grow more complex and distributed, centralized SBOM visibility is no longer optional. Anchore Enterprise’s BYOS functionality future-proofs organizations against rising compliance demands while improving resilience against supply chain attacks. This update transforms Anchore from a tool into a trusted platform for managing software trust.
Centralized SBOM Management for a Fragmented Ecosystem
Open source software (OSS) now constitutes 70–90% of a typical application, according to industry analysts, yet only 15% of organizations feel confident in their ability to manage it effectively. Anchore SBOM solves this by providing:
- Universal format support (SPDX 2.1–2.3, CycloneDX 1.0–1.6, and Syft's native JSON format)
- Schema validation and quality checks
- Component and vulnerability analysis
- Centralized grouping and role-based access
This visibility enables teams to make data-informed risk, licensing, and compliance decisions across the entire software portfolio.
Policy Enforcement Meets Vulnerability Intelligence
Anchore’s longstanding strength lies in embedding security into the software delivery lifecycle—scanning containers, analyzing OSS, and enforcing policy gates across CI/CD pipelines. With BYOS, Anchore now extends this policy enforcement to third-party and externally sourced software:
- Imported SBOMs are assessed for completeness and quality
- Contextual policy violations are flagged based on organizational security thresholds
- Vulnerabilities are prioritized using the Anchore Score, which incorporates:
  - CVSS and severity ratings
  - EPSS (Exploit Prediction Scoring System)
  - CISA Known Exploited Vulnerabilities (KEV)
This dramatically improves triage efficiency, particularly in regulated industries.
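The two steps described above, ingesting an externally produced SBOM with quality checks and then ranking its vulnerabilities on more than CVSS alone, can be sketched in a few dozen lines. The following is an added illustration and is not Anchore's code: the CycloneDX document, the CVE identifiers and the scores are constructed sample data, and the weighting in risk_score is an assumption chosen for the example, not the Anchore Score formula.

```python
import json

# Constructed minimal CycloneDX 1.5 document (sample input, not a real project's SBOM).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.7",
         "purl": "pkg:generic/openssl@3.0.7"},
        {"type": "library", "name": "log4j-core", "version": "2.14.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.14.1"},
        {"type": "library", "name": "leftpad"},  # no version, no purl: low-quality entry
    ],
})

# CycloneDX versions the page says the importer accepts.
SUPPORTED_CYCLONEDX = {"1.0", "1.1", "1.2", "1.3", "1.4", "1.5", "1.6"}


def validate_cyclonedx(text):
    """Parse a CycloneDX JSON SBOM and return (components, findings).

    Hard schema failures (wrong format, unsupported version) raise ValueError;
    softer quality problems that a BYOS importer would surface are returned as
    findings so the SBOM can still be ingested and the gaps tracked.
    """
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    if doc.get("specVersion") not in SUPPORTED_CYCLONEDX:
        raise ValueError(f"unsupported specVersion {doc.get('specVersion')!r}")

    findings = []
    components = doc.get("components", [])
    if not components:
        findings.append("SBOM lists no components")
    for comp in components:
        label = comp.get("name", "<unnamed>")
        if "name" not in comp:
            findings.append("component without a name")
        if "version" not in comp:
            findings.append(f"{label}: missing version (cannot be matched to advisories)")
        if "purl" not in comp:
            findings.append(f"{label}: missing purl (component identity is ambiguous)")
    return components, findings


# Constructed vulnerability matches for the SBOM above.
# The CVE ids and scores are placeholders, not real advisories.
SAMPLE_VULNS = [
    {"id": "CVE-0000-0001", "component": "openssl",    "cvss": 9.8, "epss": 0.02, "kev": False},
    {"id": "CVE-0000-0002", "component": "log4j-core", "cvss": 7.5, "epss": 0.95, "kev": True},
    {"id": "CVE-0000-0003", "component": "openssl",    "cvss": 5.3, "epss": 0.01, "kev": False},
]


def risk_score(vuln):
    """Blend CVSS, EPSS and KEV into one number in [0, 1].

    The weights (0.4 CVSS, 0.4 EPSS, 0.2 KEV) are an assumption for this
    example; they are not the Anchore Score. CVSS is normalised from 0-10,
    EPSS is already a probability, and KEV membership adds a fixed bonus so
    that anything with observed exploitation rises to the top.
    """
    score = 0.4 * (vuln["cvss"] / 10.0) + 0.4 * vuln["epss"] + (0.2 if vuln["kev"] else 0.0)
    return round(score, 3)


def prioritize(vulns):
    """Return vulnerabilities ordered for triage: highest blended score first,
    CVSS as the tie-breaker."""
    return sorted(vulns, key=lambda v: (-risk_score(v), -v["cvss"]))


def analyze(sbom_text, vulns):
    """Ingest the SBOM, report quality findings, and return the triage order."""
    components, findings = validate_cyclonedx(sbom_text)
    ordered = prioritize(vulns)
    return {
        "component_count": len(components),
        "findings": findings,
        "triage_order": [v["id"] for v in ordered],
    }


if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_SBOM, SAMPLE_VULNS), indent=2))
```

With the sample data, a CVSS-only ranking would put the 9.8 OpenSSL entry first; once EPSS and KEV are blended in, the actively exploited log4j-core finding moves to the top, which is the triage reordering the text is describing.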
Rising Urgency on Regulation and Compliance
Global regulations are rapidly mandating SBOM adoption:
- US Executive Orders, NIS2, EU Cyber Resilience Act
- Industry mandates like PCI DSS, and sectoral compliance from the FDA to the SEC
Anchore’s platform helps customers like NVIDIA, Cisco, the US Navy, and the Department of Defense manage compliance requirements with SBOM-centric workflows tailored to the highest security standards.
Enterprise Use Cases: Beyond Security Teams
Anchore positions the platform as more than a developer or security tool: it is a multi-stakeholder governance platform. With SBOMs at the core, teams across:
- Security — gain insight into vulnerabilities and policy adherence
- Engineering — track dependencies and reduce technical debt
- Legal and Procurement — validate licensing and third-party risk
This cross-functional access drives adoption beyond DevSecOps into holistic enterprise risk management.