Anchore Open Source Weekly Report, Week 38, 2025

Anchore Open Source Weekly Report

This report covers the community activity in Anchore Open Source Projects from September 14, 2025 to September 20, 2025.

Executive Summary

The Anchore Open Source team had a productive week closing 65 issues and pull requests across multiple projects. The highlight was the major v0.3.0 release of Grant with significant configuration simplification and enhanced license enforcement capabilities. Community engagement remained strong with 11 community-originated issues and PRs addressed, including CycloneDX schema validation concerns and documentation improvements across the ecosystem.

Weekly Metrics

Metric                 Community  Staff  Total
Issues Closed                  3      2      5
Pull Requests Merged           1     59     60
Bug Fixes                      3      8     11
Enhancements                   1     42     43
Documentation Updates          0      3      3
Other                          0      8      8

Key Achievements

1. Grant v0.3.0 Major Release with Configuration Overhaul

The team delivered a significant overhaul of Grant’s configuration system, simplifying the license enforcement workflow while adding new capabilities. The new configuration format eliminates verbose rule patterns in favor of a simpler allow-list approach, with built-in support for denying packages without licenses. This addresses long-standing community requests for easier configuration while maintaining powerful license analysis capabilities.

2. Critical Security Updates in GitHub Actions

Christopher Angelo Phillips led efforts to update vulnerable dependencies in GitHub Actions across the ecosystem, particularly addressing critical security issues in the npm dependency chain. These updates ensure continued security and reliability of the CI/CD infrastructure supporting all Anchore open source projects.

3. Community CycloneDX Schema Validation Resolution

Community member Matthew Augier reported CycloneDX schema validation failures in Dependency Track after upgrading Syft beyond v1.30. The team identified that this was due to downstream tooling lagging behind SPDX license list updates, with Syft correctly outputting valid SPDX license IDs like “SMAIL-GPL” that weren’t yet recognized by Dependency Track’s validation schema.

4. Database and Vulnerability Provider Improvements

Alex Goodman enhanced the Grype database build process with configurable failure options for missing fix dates, while also enabling the Chainguard libraries provider. Will Murphy added Mariner first-observed fix date support to improve vulnerability timeline accuracy for Microsoft’s container base images.

5. Infrastructure Modernization and Tool Updates

The team continued modernizing the development infrastructure, with updates to Binny’s GitHub asset filtering capabilities and improved Go module handling for local builds. These improvements enhance the reliability and flexibility of the tool installation and build processes across all projects.

Community Contributions

The Anchore team continues to collaborate with community contributors on important initiatives:

  • Matthew Augier identified CycloneDX schema validation issues that helped clarify the relationship between Syft’s SPDX license output and downstream tooling compatibility

  • Max Bolotin reported Grant configuration breaking changes that led to improved migration documentation and tooling

  • Adam McClenaghan contributed performance optimization work for Grype’s ignore rule processing, though internal improvements superseded it


Note: This report is based on issues and pull requests closed during September 16-20, 2025. Additional work is ongoing in open issues and pull requests not covered in this report.

Want to get involved? Visit anchore.com/opensource to learn how you can contribute to Anchore’s open source projects!