Anchore Open Source Weekly Roundup
Right then! Here’s what’s been happening in the Anchore Open Source world from June 23rd to 27th, 2025. Spoiler alert: it’s been a pretty productive week!
The Week in Numbers
We closed 10 issues and pull requests this week, which isn’t too shabby. The big news? We finally cracked the snap package scanning nut in Syft - only took us three years! More on that delightful saga below.
| What We Did | Community | Team | Total |
|---|---|---|---|
| Issues Closed | 2 | 0 | 2 |
| Pull Requests Merged | 0 | 8 | 8 |
| Bug Fixes | 0 | 5 | 5 |
| Enhancements | 2 | 3 | 5 |
The Good Stuff
Snap Packages Finally Get Some Love in Syft
Remember that feature request from ciphernaut-rh back in 2022? Well, we’ve only gone and done it! PR #3929 adds proper snap package scanning to Syft. No more manual extraction faff - you can now scan snap packages directly as a source.
The implementation even handles those pesky region-locked snaps and gives you sensible error messages when things go wrong. It’s taken us nearly three years to get here (yes, I’m looking at you, issue #1088), but better late than never, eh?
We Fixed Some Vulnerability Detection Gotchas
Two important fixes landed this week for Grype’s vulnerability detection. PR #2755 sorted out some issues with NVD-related vulnerabilities, while PR #2756 fixed how we display relationships back to NVD for CVE IDs.
Basically, your vulnerability scans should be more accurate now. Which is always nice when you’re trying to keep the bad guys out.
Windows Packages Got Some TLC
PR #2748 fixed a rather embarrassing bug where our MSRC matcher was looking in entirely the wrong place for vulnerabilities. It was searching by distribution instead of package ecosystem - whoops!
Windows folks should see much better vulnerability matching now that we’re actually looking where we should be looking.
Yardstick Gets Some Polish
Our performance testing tool Yardstick had a bit of a spring clean this week. We squashed several bugs and improved how it handles various configurations. The highlights include better image details in gate summaries (#477), fixes for using profiles and labels together (#476), and some database query updates for the newer schema (#475).
Community Question Gets Sorted
AustinAbro321 raised a good question about how Stereoscope handles temporary directories in issue #387. Through some back-and-forth discussion, we got to the bottom of the contentCacheDir parameter usage and cleared up some confusion around OCI layer extraction. These kinds of questions often help us realise where our documentation could be clearer, so thanks for that!
Shout-Outs
Big thanks to ciphernaut-rh for the original snap package feature request that finally came to fruition this week, and to AustinAbro321 for diving into the Stereoscope internals and helping us improve the developer experience.
That’s your lot for this week! If you fancy getting involved with any of our open source projects, head over to anchore.com/opensource and see how you can help make security tooling better for everyone.
Catch you next week!