Anchore is a company that offers security scanning for Docker containers, Docker container registries, and Kubernetes clusters. They offer Open Source, Enterprise, and Federal versions of their products. They leverage public vulnerability feeds to scan customers’ environments for vulnerabilities and alert them so end users can take action.
Comparison to GitLab
Although Anchore does software composition analysis well, they do very little beyond that narrow scope. By comparison, GitLab provides a superior experience for ALL types of security scanning - not only container scanning, but also SAST, DAST, Fuzz Testing, and others. This approach maximizes the kinds of vulnerabilities that can be detected while only incurring the maintenance costs of a single tool.
Anchore leverages publicly available vulnerability feeds to identify vulnerabilities. GitLab does this as well; however, GitLab is also a CVE Numbering Authority, which means that security researchers can work directly with GitLab on any security issues they find. GitLab’s commitment to leveraging the latest vulnerability feeds is also publicly visible to customers at advisories.gitlab.com.
Finally, GitLab provides a superior experience for developers in viewing, correcting, and responding to vulnerabilities. Because GitLab’s scanning capabilities are integrated with the rest of GitLab, the vulnerabilities appear as part of the developer’s regular workflow, inline within their MRs. This visibility is critical to shifting security left effectively. With Anchore, developers need to look at an external tool to see the details of their vulnerabilities, making them much less likely to correct them before the code goes to production.
Anchore can be complementary to GitLab if users have already bought both. GitLab supports integration with tools that customers are already using and plays well with others.
Software Composition Analysis (SCA)
Strengths and Weaknesses