Anchore Open Source Weekly Report - Week 31, 2025

This report covers the community activity in Anchore Open Source Projects from July 28, 2025 to August 1, 2025.

Executive Summary

Week 31 delivered steady progress across the Anchore ecosystem with 21 issues and pull requests successfully resolved. The week was marked by infrastructure modernization efforts, including the migration to GolangCI-Lint v2 by community contributor Carlos Tadeu Panato Junior, and comprehensive install URL migrations across multiple repositories. The team addressed critical EUS (Extended Update Support) vulnerability matching issues for Red Hat Enterprise Linux environments, while community engagement remained strong with active participation in the Thursday Open Source Community Meeting.

Weekly Metrics

Metric                  Community   Staff   Total
Issues Closed                   6       0       6
Pull Requests Merged            1      14      15
Bug Fixes                       4       4       8
Enhancements                    2       2       4
Infrastructure Updates          1       8       9
Other                           0       2       2

Key Achievements

1. GolangCI-Lint v2 Migration in Grype-DB

Community contributor Carlos Tadeu Panato Junior delivered PR #614 migrating the grype-db project to GolangCI-Lint v2. This modernization effort ensures the project stays current with the latest linting capabilities and maintains code quality standards as the ecosystem evolves.

2. Install URL Migration to get.anchore.io

A coordinated infrastructure improvement saw multiple repositories migrate their install URLs to the new get.anchore.io endpoint. Alex Goodman led this effort with migrations across Syft (#4095), Grant (#232), Quill (#584), and Binny (#126). This centralization improves the user experience and provides more reliable install script distribution.

3. Critical EUS Advisory Matching Fix in Grype

Keith Zantow resolved a significant issue with PR #2841, which changes how Grype handles multiple Red Hat Enterprise Linux Extended Update Support (EUS) advisories for the same package when only some of those advisories carry a fix. This fix, addressing community-reported issue #2840, prevents unexpected vulnerabilities from being reported when an EUS package is fixed under one advisory but not under another.

4. Security Workflow Enhancements Using Zizmor

Will Murphy continued the security hardening initiative by implementing GitHub Actions linting using the zizmor tool across Vunnel (#832) and Yardstick (#479). This systematic approach to workflow security helps identify and resolve potential vulnerabilities in CI/CD pipelines, building on earlier security improvements across the ecosystem.

5. Enhanced RHEL Package URL Support in Vunnel

Weston Steimel addressed a critical bug in PR #836 that accounts for new RPM module Package URL (PURL) shapes in the RHEL provider. This fix ensures accurate vulnerability matching for Red Hat packages as the PURL specification continues to evolve and adapt to different packaging ecosystems.

6. Stereoscope File Reading Improvements

Keith Zantow delivered two important fixes for Stereoscope’s file reading capabilities. PR #431 corrected lazyBoundedReadCloser behavior for proper close/seek operations, while PR #433 fixed EOF handling. These improvements enhance the reliability of container image analysis, particularly for complex file systems with unusual structures.

Community Contributions

The Anchore team welcomed strong community engagement this week:

  • Carlos Tadeu Panato Junior modernized the grype-db project by migrating to GolangCI-Lint v2, demonstrating commitment to maintaining current tooling standards

  • Gabriel Rau joined the Thursday Open Source Community Meeting to discuss their ongoing Syft PR #4081 “Vcpkg cataloger” which adds support for the C++ package manager Vcpkg

  • Simeon Stoykov participated in the community meeting to discuss their Syft PR #4002 “Conda ecosystem support” for SBOM generation of conda environments

  • Community members actively reported and helped investigate false positive issues, including consul vulnerability detection and Teleport security scanning concerns

Gardening Live Stream

The team held their weekly Open Source Gardening Live Stream on YouTube. A summary of the discussions can be found here.

Note: This report is based on issues and pull requests closed during July 28 - August 1, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!