- Syft analyses container images and filesystems to create a Software Bill of Materials (SBOM)
- Grype scans container images and filesystems for known vulnerabilities, matching contents against Anchore Feed Service data compiled from multiple public data sources
Anchore has unveiled a collection of new open source tools for automating DevSecOps pipeline security and analysis named Syft and Grype. It said that Syft and Grype are the first in a collection of tools designed for integration and performance. The tools analyze and scan container images and filesystems. This allows developers to enhance best practices within existing workflows and systems claimed the company.
Anchore CTO Daniel Nurmi said, “Our mission at Anchore is to give developers the tools they need to build security into their everyday tasksThat means they need to work seamlessly with a large collection of other tools and systems, providing instant results so developers can act immediately. Syft and Grype were designed for exactly that purpose, and are the first of many tools to come.”
Scans container images and filesystems for known vulnerabilities
Syft analyses container images and filesystems to create a Software Bill of Materials (SBOM). It is a comprehensive record of operating system packages and language artifacts. Using Syft, developers can inspect the contents of new software components before deciding to use them and maintain a comprehensive record of the third-party software included in their projects.
Grype scans container images and filesystems for known vulnerabilities, matching contents against Anchore Feed Service data compiled from multiple public data sources. Developers can use Grype to discover vulnerable components quickly inside projects as they are created and take the appropriate steps for remediation.
The company said that the Visual Studio Code extension for Grype brings vulnerability scanning directly into the developer’s environment, rescanning projects regularly to watch for emerging vulnerabilities. Developers can easily trigger a Grype vulnerability scan of GitHub projects using the Anchore Container Scan GitHub Action.
Anchore VP of product management Neil Levine said, “As an open source company, we do research and development in the openIn recent surveys, customers and community members agreed that security scanning can never be too fast and integration can never be too easy. We are looking forward to seeing how developers and DevOps teams use the tools while we focus on enhancing them with the policy features of our continuous compliance platform, Anchore Enterprise.”