A
MCP is having a moment. @josh.bressers.name wanted to know: what are we actually shipping?
9,000 vulns
263 critical findings
36K+ NPM packages
Outdated base images
Not fear-mongering—just data-driven reality. Read his analysis: https://anchore.com/blog/analyzing-the-top-mcp-docker-containers/
EU CRA requires 24-hr exploit reporting by Sept 2026. Can you locate vulnerable K8s pods that fast? Anchore CompOps automates real-time CVE tracking & SBOM generation to keep you audit-ready. Read our white paper: https://anchore.com/white-papers/making-kubernetes-continuously-audit-ready-with-compops/
How to add vulnerability scanning to developer tools?
@RepoFlow's pattern:
1. Generate SBOMs with Syft
2. Scan SBOMs with Grype
3. Parse JSON, deduplicate CVEs
4. Display in existing UI
Security without friction: https://anchore.com/blog/security-without-friction-how-repoflow-created-a-devsecops-package-manager-with-grype/
New hardened container companies are launching constantly.
The reason isn't compliance mandates—it's practical necessity.
When scanners got accurate, the vulnerability problem became impossible to ignore. Hardened images are the efficient solution.
Learn why the demand for hardened containers is rising and how they address compliance and security challenges.
Anchore (anchore.com)
The EU just made SBOMs mandatory for all software products!
Our guide breaks down the Cyber Resilience Act requirements and provides a roadmap to compliance before the 2027 deadline.
Don't wait—start building your SBOM strategy today.
Your MCP server might be the weakest link—here's the data. @josh.bressers.name scanned 161 MCP images and found 9,000 vulns / 263 criticals. Read the breakdown and fixes: https://anchore.com/blog/analyzing-the-top-mcp-docker-containers/
Container images bundle application code with underlying operating system dependencies. This introduces hidden vulnerabilities. Securing this supply chain requires granular insights and automated policy enforcement.
See how it maps to DoW RMF:
https://anchore.com/wp-content/uploads/2026/04/WP2026_The-Practitioners-Guide-Mapping-Container-Inspection-to-DoW-RMF-Controls.pdf
Point-in-time audits fail in Kubernetes because the infrastructure is ephemeral. We published a technical white paper on Compliance Operations. It covers integrating SBOM generation and continuous Cluster API polling to maintain an accurate state of running pods. https://anchore.com/blog/compliance-operations-making-kubernetes-audit-ready-by-design/
How do you secure an OS that relies on continuous rolling releases? 
Rather than using traditional molds, Anchore 5.26 features new matching logic engineered specifically to track Arch Linux updates & SecureOS configurations. https://anchore.com/blog/anchore-enterprise-5-26/
Don't let compliance checks hold up your delivery pipeline. Automate your go/no-go decisions! 
Read Anchore Solutions Architect Chadd Owen's latest post on securing the DoD software factory and automating required gates: https://anchore.com/blog/anchore-enterprise-and-the-dod-devsecops-reference-design/
"Bring Your Own SBOM" sounds simple...
Until you try to manage thousands of them 
Scale is everything 
https://anchore.com/platform/sbom/
#SoftwareSupplyChain #SBOM #CyberSecurity #Compliance #DevSecOps
Stop settling for vulnerability feeds that don't understand your specialized infrastructure. Anchore Enterprise 5.26 brings dedicated feeds for Fedora & VMware PhotonOS.
See whats new 
https://anchore.com/blog/anchore-enterprise-5-26/
We just launched our new SBOM Learning Hub, a library of resources for your dev and sec teams:
SBOM 101 & formats Automating CI/CD integration Tackling data sprawl Surviving EU CRA & SSDF
Bookmark the hub
https://go.anchore.com/introduction-to-sboms.html?utm_source=sbom-campaign&utm_medium=social&utm_campaign=2026-04
High-velocity pipelines make manual container inspection impossible, causing information overload and security gaps. To address this, we created a guide to help ISSMs & ISSOs automate compliance.
What it contains:
A breakdown of container architecture & defense 
️ Methods for automating compliance using policy-as-code 
️ A direct mapping of container inspections to NIST 800-53 controls
Compliance is no longer a paper exercise—it's a data challenge.
KubeCon EU 2026 made one thing clear: as regulations like the CRA and updated NIST frameworks tighten, the way we prove security must evolve. I recently joined two panels to dive into how we move past static spreadsheets into dynamic, automated security posture.
If you're struggling to align engineering velocity with compliance requ... https://www.youtube.com/watch?v=UilEpsFPJTw
https://www.youtube.com/watch?v=h5TCuLg35Cc
False positives killing your team's productivity? 
Anchore Secure gives you signal, not noise 
Ensure the security of software products you release or host as SaaS and provide SBOMs and assurance for your customers. Learn More>
Anchore (anchore.com)
#SoftwareSupplyChain #SBOM #CyberSecurity #Compliance #DevSecOps
Generating an SBOM is just step one. How do we move past static lists to drive actual security decisions? Join SBOM architect Allan Friedman and Anchore CTO Zach Hill on April 21 to close the gap between open-source reality and enterprise security.
https://go.anchore.com/the-challenges-of-third-party-software.html
"The format doesn't really matter... It's really about the content."
We hosted @stevespringett, Chair of the CycloneDX WG, to discuss why the industry needs to stop fighting format wars and start focusing on data utility.
Read the 4 lessons: https://anchore.com/blog/4-lessons-on-future-of-software-transparency-with-steve-springett/
@joshbressers: "If you can't search your past builds, you can't bound your blast radius. SBOMs turn a frantic morning into a simple query."
His zero-day incident response story from inside Anchore's response to the NPM supply chain attack:
https://anchore.com/blog/a-zero-day-incident-response-story-from-the-watchers-on-the-wall/
Generate