Anchore Enterprise

Anchore Integration with DefectDojo

If your team is scanning container images with Anchore — whether through Anchore Enterprise or the open-source Grype scanner — you're producing detailed vulnerability data that's only as useful as what you do with it after the scan. Dumping JSON to a file or failing a CI build without context is a dead end. Feeding Anchore findings into DefectDojo changes that equation: you get a durable, deduplicated record of container vulnerabilities tied to specific images and tags, with full lifecycle tracking from initial detection through remediation or accepted risk.

Why Anchore Matters

Container and software supply chain security has moved from a nice-to-have to an audit requirement for most regulated environments. Anchore sits in that space by combining SBOM generation (via Syft) with deep vulnerability matching (via Grype) against multiple upstream advisory feeds — NVD, GitHub Advisories, OS vendor advisories, and language ecosystem databases.

• Anchore produces findings at the package level, not just the image level — you know exactly which library within an image is vulnerable, not just that the image "has issues"
• It handles OS packages (rpm, deb, apk) and language ecosystems (Python, Go, Java, Node, Ruby) in the same scan
• Findings include fix version data when available, which is critical for triaging what's actually actionable today
• Anchore Enterprise adds policy evaluation on top of raw vulnerability data, letting teams enforce gates based on severity thresholds, CVE allowlists, and package-level rules
• The scanner is designed to run in CI/CD pipelines, registries, and as a continuous background process — meaning you can get findings at commit time, merge time, and in production

Advantages of This Integration

Running Anchore without a vulnerability management platform means your findings live in scan artifacts, not in a workflow. The DefectDojo integration addresses that directly.

• Deduplication across image tags: The same CVE appearing in five versions of your base image gets consolidated rather than creating five separate findings. You work the problem once.
• Trend tracking over time: DefectDojo retains scan history, so you can answer questions like "how long has CVE-2024-XXXX been present in this image?" or "did this vulnerability get re-introduced after a base image update?" without digging through CI logs.
• SLA enforcement at the finding level: Once findings are in DefectDojo, you can apply SLA policies by severity. Critical CVEs get a 7-day remediation target; high severity gets 30 days. DefectDojo tracks breach dates and surfaces them in dashboards — something raw Anchore output can't do.
• Cross-team assignment: Container vulnerabilities frequently sit at the intersection of platform engineering, app teams, and security. DefectDojo lets you assign findings to the right owner and track status without email chains.
• Ticketing integration: For findings that require remediation work, DefectDojo's Jira, GitHub Issues, and ServiceNow integrations mean you can push a validated, triaged finding directly into an engineer's backlog.
• Risk acceptance with audit trail: When a CVE has no fix available or the exploitability is sufficiently low, DefectDojo's risk acceptance workflow captures the justification, the approver, and the expiration date — all auditable.

How This Integration Works

Anchore (via Grype or Anchore Enterprise) produces JSON output that DefectDojo's Anchore parser is built to consume. The typical flow looks like this:

Step 1 — Run the scan and capture output

Using Grype directly:

grype <image>:<tag> -o json > anchore-results.json

Using Anchore Enterprise CLI:

anchorectl image vulnerabilities <image>:<tag> -o json > anchore-results.json

Step 2 — Import into DefectDojo

You can import via the DefectDojo UI or API. For CI/CD pipelines, the API approach is standard:

curl -X POST https://<defectdojo-host>/api/v2/import-scan/ \

-H "Authorization: Token <your-api-token>" \

-F "scan_type=Anchore Grype" \

-F "file=@anchore-results.json" \

-F "engagement=<engagement-id>" \

-F "product=<product-id>" \

-F "active=true" \

-F "verified=false"

Use scan_type=Anchore Engine for Anchore Enterprise output and scan_type=Anchore Grype for Grype output — DefectDojo has separate parsers for each.

Step 3 — Triage and manage findings

Once imported, findings appear in the engagement with severity, package metadata, fix version data, and CVE references pre-populated. Deduplication runs automatically if the same CVE was previously imported for that product.

For ongoing scanning, use DefectDojo's reimport endpoint (/api/v2/reimport-scan/) to update existing findings rather than create duplicates:

curl -X POST https://<defectdojo-host>/api/v2/reimport-scan/ \

-H "Authorization: Token <your-api-token>" \

-F "scan_type=Anchore Grype" \

-F "file=@anchore-results.json" \

-F "test=<test-id>"

Data Granularity: What Gets Imported

Use Cases

In a CI/CD pipeline: Anchore scans run on every image build. Results are imported into DefectDojo via the API at the end of the pipeline stage. If the scan introduces a new Critical finding not previously accepted, an alert fires and the build is flagged in DefectDojo for triage — but the pipeline isn't necessarily blocked, giving the security team visibility without creating developer friction on every run.

During a base image rotation: When platform teams update a shared base image (e.g., moving from Ubuntu 20.04 to 22.04), a re-scan of all dependent images in DefectDojo shows which CVEs were resolved by the update and which new ones were introduced. The reimport workflow surfaces regressions immediately rather than requiring manual diff comparisons.

For quarterly security reviews: DefectDojo's reporting gives a point-in-time view of container vulnerability posture across all products. You can filter by severity, by age, and by SLA status — making it straightforward to prepare findings for a board-level or audit report without manually querying scanner outputs.

When managing accepted risk on unfixable CVEs: Many container CVEs have no upstream fix for weeks or months. Rather than leaving them as noisy open findings, teams use DefectDojo's risk acceptance workflow to document the accepted risk with an expiration date. When a fix eventually ships and Anchore detects it, the reimport surfaces the finding as newly actionable.

Operational Tips

• Tag engagements by image tag or digest: Using the image digest (rather than a mutable tag like latest) in the DefectDojo engagement name gives you a precise audit trail of which exact image version was scanned.
• Use reimport, not import, for recurring scans: The reimport endpoint keeps a single test record per image per engagement, updating finding status rather than stacking duplicate tests. This keeps your engagement history clean.
• Configure deduplication on CVE ID + package name: DefectDojo's deduplication hash can be tuned. For Anchore findings, combining CVE ID and package name gives you the right granularity — the same CVE in two different packages should remain as separate findings.
• Separate OS and language ecosystem findings into different engagements if needed: OS-level vulnerabilities are typically owned by platform/infra teams; language ecosystem vulnerabilities are often the app team's responsibility. Splitting these into separate engagements makes assignment and SLA tracking cleaner.
• Set Negligible findings to inactive on import: Anchore reports Negligible severity findings that are rarely actionable. Use DefectDojo's import parameters to mark these inactive by default, keeping your active finding queue focused on real risk.
• Leverage SBOM data upstream: If you're using Syft to generate SBOMs and Grype to scan them, the Syft SBOM can be stored as a DefectDojo artifact alongside the scan, giving you a full inventory record for compliance purposes.