GitLab vs Anchore Decision Kit

Summary

Anchore is a company that offers security scanning for Docker containers, Docker container registries, and Kubernetes clusters. They offer an Open Source, Enterprise, and Federal version of their products. They leverage public vulnerability feeds to scan customers’ environments for vulnerabilities and alert them so end users can take action.

Comparison to GitLab

Although Anchore does software composition analysis well, they do very little beyond that narrow scope. Comparatively, GitLab provides a superior experience for ALL types of security scanning - not only container scanning, but also SAST, DAST, Fuzz Testing, and others. This approach maximizes the kinds of vulnerabilities that can be detected while only incurring the maintenance costs of a single tool.

Anchore relies on publicly available vulnerability feeds to identify vulnerabilities. GitLab does this as well; however, GitLab is also a CVE Numbering Authority, which means that security researchers can work directly with GitLab on any security issues they find. GitLab’s commitment to using the latest vulnerability feeds is also publicly visible to customers at advisories.gitlab.com.

Finally, GitLab provides a superior experience for developers in viewing, correcting, and responding to vulnerabilities. Because GitLab’s scanning capabilities are integrated with the rest of GitLab, the vulnerabilities appear as part of the developer’s regular workflow, inline within their MRs. This visibility is critical to be able to effectively shift security left. With Anchore, developers will need to look at an external tool to see the details about their vulnerabilities, making them much less likely to correct them before the code goes to production.

Anchore can be complementary to GitLab if users have already bought both. GitLab supports integration with tools that customers are already using and plays well with others.

Software Composition Analysis (SCA)

Strengths and Weaknesses

GitLab strengths
  •     Integrated security as part of the DevOps workflow for all developers
  •     High-quality container security by leveraging all the latest vulnerability feeds
  •     Supports on-premise deployments, including disconnected, offline, or air-gapped environments
  •     Security leadership as a CVE Numbering Authority and through recognition in the Gartner AST Magic Quadrant
  •     End-to-end DevOps offering from SCM to CI to CD to Security and more

Anchore strengths
  •     Single-focused, purpose-built container scanning product
  •     Can work with many CI/CD providers (e.g. GitHub, GitLab, BitBucket)

GitLab weaknesses
  •     Pricing requires buying all of GitLab Ultimate, not just Container Scanning

Anchore weaknesses
  •     Narrow product offering focused on only one type of scanning
  •     It is difficult to justify the cost of maintaining an entire security tool when the tool addresses such a limited scope (SCA only)

Feature Lineup

Features compared (GitLab vs Anchore)
  •     Vulnerability Scanning
  •     Secrets and Passwords
  •     Open Source & Third Party Package Audit
  •     Air-gapped Support
  •     Security results shown to developers as part of their daily work

Feature Comparison

Secret Detection

极狐GitLab lets you run secret detection in your pipeline to check whether commits contain secrets or certificates that slipped in unnoticed. The results are shown in merge requests and pipelines. This feature is provided as part of Auto DevOps to deliver a default security policy.

Learn more about Secret Detection

Dependency Scanning

极狐GitLab automatically detects known security issues in the libraries your application includes, protecting your application from vulnerabilities when it uses dependencies dynamically. Results are shown in the merge request and pipeline views; this feature is provided as part of Auto DevOps to deliver security by default.

Learn more about Dependency Scanning

Container Scanning

When building a Docker image for your application, 极狐GitLab can run a security scan to ensure the image has no known vulnerabilities in the environment the code is delivered to. Results are then shown in the merge request and pipeline views. This feature is provided as part of Auto DevOps to deliver a default security policy.

Learn more about container scanning
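The three features above (Secret Detection, Dependency Scanning and Container Scanning) are enabled in a project by including GitLab's built-in CI templates. The following .gitlab-ci.yml is an added example, not taken from this page or from GitLab's own documentation; it assumes the standard template paths under Security/, and the build-image job, the image tag and the CS_IMAGE override are constructed for this example.

```yaml
# Added example (not from the page): a minimal .gitlab-ci.yml that turns on the
# three scanners described above by including GitLab's built-in CI templates.
# Assumptions: the template paths below are GitLab's standard security templates;
# the build job, image tag and CS_IMAGE override are constructed for this example.
stages:
  - build
  - test        # the security templates run their jobs in the "test" stage

include:
  - template: Security/Secret-Detection.gitlab-ci.yml
  - template: Security/Dependency-Scanning.gitlab-ci.yml
  - template: Security/Container-Scanning.gitlab-ci.yml

# Constructed job: build and push the image that the container-scanning job
# will pull from the project's registry.
build-image:
  stage: build
  image: docker:24
  services:
    - docker:24-dind
  script:
    - docker login -u "$CI_REGISTRY_USER" -p "$CI_REGISTRY_PASSWORD" "$CI_REGISTRY"
    - docker build -t "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA" .
    - docker push "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"

# Point the container-scanning job at the image built above (assumed variable name).
container_scanning:
  variables:
    CS_IMAGE: "$CI_REGISTRY_IMAGE/$CI_COMMIT_REF_SLUG:$CI_COMMIT_SHA"
```

With this configuration, each merge request pipeline runs the scanners and the findings surface in the merge request and pipeline security views, which is the in-workflow visibility the comparison above contrasts with a separate external tool. As the page notes under pricing, Dependency Scanning and Container Scanning are GitLab Ultimate features, so on a lower tier those two included jobs will not produce results.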