Security Policy
Security is a top priority for Anchore’s open source projects. We appreciate the security research community’s efforts in responsibly disclosing vulnerabilities to help keep our users safe.
Supported Versions
Security updates are applied only to the most recent release of each project. We strongly recommend staying up to date with the latest versions to ensure you have the most recent security patches and fixes.
If you’re using an older version and are concerned about a security issue, please upgrade to the latest release. For questions about specific versions, reach out on Discourse.
Reporting a Vulnerability
Found a security vulnerability? Please report security issues privately by emailing security@anchore.com rather than creating a public GitHub issue. This gives us time to fix the problem and protect users before details become public.
What to Include in Your Report
To help us understand and address the issue quickly, please include as much detail as you can:
- Description: A clear description of the vulnerability and its potential impact
- Steps to reproduce: Detailed steps to recreate the issue
- Affected versions: Which versions of the tool are vulnerable
- Proof of concept: If available, a minimal example demonstrating the issue
- Suggested mitigation: If you have ideas for how to fix or mitigate the issue
- Urgency level: Your assessment of the severity (Critical, High, Medium, or Low)
Don’t worry if you can’t provide every detail; partial reports are still valuable and welcome. We’ll work with you to understand the issue.
What to Expect
After you submit a report:
- Acknowledgment: You’ll receive an initial response confirming we’ve received your report
- Assessment: The security team will investigate and assess the severity and impact
- Updates: We’ll keep you informed of our progress and any questions we have
- Resolution: Once a fix is developed, we’ll coordinate disclosure timing with you if necessary
- Credit: With your permission, we’ll acknowledge your responsible disclosure in release notes
Disclosure Policy
Anchore follows a coordinated disclosure process:
- Security issues are addressed privately until a fix is available
- Fixes are released as quickly as possible based on severity
- Security advisories are published after fixes are released
- Credit is given to security researchers who report responsibly
Thank you for helping keep Anchore’s open source projects and their users secure.