Anchore Open Source Weekly Report - Week 24, 2025

This report covers the community activity in Anchore Open Source Projects from June 9, 2025 to June 13, 2025.

Executive Summary

The Anchore team wrapped up a busy week with 25 issues and pull requests resolved across the ecosystem. A major highlight was the successful integration of Echo OS support across multiple projects, marking a significant expansion of vulnerability detection capabilities for this emerging Linux distribution. The team also addressed several critical container runtime issues related to nonroot user configurations, quickly responding to community feedback with fixes that maintain both security and usability.

Weekly Metrics

| Metric | Community | Staff | Total |
|---|---|---|---|
| Issues Closed | 8 | 0 | 8 |
| Pull Requests Merged | 3 | 14 | 17 |
| Bug Fixes | 8 | 5 | 13 |
| Enhancements | 3 | 3 | 6 |
| Chores | 0 | 7 | 7 |
| Other | 0 | 0 | 0 |

Key Achievements

1. Echo OS Support Successfully Integrated Across the Ecosystem

The week saw the completion of a comprehensive effort to add Echo OS support to Anchore’s vulnerability detection capabilities. Community contributor Ori (orizerah) successfully delivered three coordinated pull requests: PR #2647 adding Echo OS to Grype, PR #815 adding the Echo provider to Vunnel, and PR #572 integrating Echo OS into the vulnerability database. This coordinated effort demonstrates excellent collaboration between community contributors and the Anchore team, significantly expanding vulnerability detection coverage for users running Echo OS-based containers.

2. Nonroot Container Runtime Issues Resolved

Multiple critical issues related to Docker container runtime changes were quickly addressed this week. Issues #2721 and #2720 highlighted problems introduced when Grype’s container images were switched to nonroot users, breaking compatibility with Docker socket bindings and file output permissions. The team responded rapidly with PRs #3998 and #2723, providing separate nonroot image variants while maintaining backward compatibility for existing workflows.

3. Enhanced Enterprise Integration Support

Staff member Alex Goodman delivered important improvements for enterprise users with PRs #3997 and #3973, which enable Syft to properly decode JSON files modified by enterprise Anchorectl installations. This enhancement improves interoperability between open source and enterprise Anchore deployments, making it easier for organizations to integrate both tools in their security workflows.

4. Bitnami Provider Enabled by Default

The grype-db project saw the enablement of both Bitnami and minimOS providers by default through PR #587. This change significantly expands out-of-the-box vulnerability detection capabilities for users working with Bitnami-packaged applications, addressing community requests for better coverage of popular containerized software distributions.

5. Database and Tooling Improvements

Several important infrastructure improvements were delivered, including CVSS version fixes in vector strings (PR #591), database search enhancements with string severity support (PR #2730), and SPDX package filtering improvements (PR #3981). These changes improve the accuracy and usability of vulnerability data across the ecosystem.

6. Community Issue Resolution

The team successfully resolved several long-standing community issues, including false positive reports for CVE-2025-5702 (issue #2718), database existence errors (issues #2711 and #3969), and SBOM cataloger upstream package issues (issue #3662). The resolution of these issues demonstrates the team’s commitment to addressing community-reported problems promptly.


Note: This report is based on issues and pull requests closed during June 9-13, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!