The Anchore Feed Service collects vulnerability and package data from upstream sources and normalizes it for publication as feeds that the Anchore Engine consumes.
The Anchore Engine polls the feed service at a user-defined interval, by default every six hours, and downloads any feed data updated since the last sync.
Anchore hosts a public service that provides free access to all public feeds.
An on-premises feed service is available for commercial customers, allowing the Anchore Engine to synchronize with a locally deployed feed service without any reliance on the Anchore hosted service.
Sources and types of data are organized into feeds and groups.
Each feed can be independently configured to synchronize or not depending on what data your deployment needs. See configuration for more details.
Anchore Engine uses security vulnerability and package data from a number of sources:
vulnerabilities - security advisories from specific Linux distribution vendors against distribution-specific packages.
packages - software package repositories
nvdv2 - NIST National Vulnerability Database (NVD)
github - GitHub Advisories data retrieved through the GitHub API and used for matches against application packages
Third-party feeds - additional data feeds are available for Anchore Enterprise customers; see On-Premises Feeds Overview for more information.
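Because scan results are only as current as the last successful sync, it is worth checking that every enabled feed group is keeping up with the polling interval. The following is an added example, not Anchore code: it flags enabled groups that have never synced or have fallen more than two polls behind the six-hour default. The record shape, the two-poll threshold and the sample values are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

POLL_INTERVAL = timedelta(hours=6)  # default sync interval stated above
MAX_MISSED_POLLS = 2                # assumption: tolerate two missed polls

def parse_ts(value):
    """Parse a UTC timestamp such as 2021-03-01T19:00:00Z."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed sample data: one record per feed group. The record shape is
# hypothetical, not the output format of any Anchore tool.
SAMPLE_NOW = parse_ts("2021-03-02T00:00:00Z")
SAMPLE_GROUPS = [
    {"feed": "vulnerabilities", "group": "debian:10", "enabled": True, "last_sync": "2021-03-01T19:00:00Z"},
    {"feed": "vulnerabilities", "group": "alpine:3.12", "enabled": True, "last_sync": "2021-02-28T23:00:00Z"},
    {"feed": "nvdv2", "group": "nvdv2:cves", "enabled": True, "last_sync": None},
    {"feed": "packages", "group": "gem", "enabled": False, "last_sync": None},
    {"feed": "github", "group": "github:python", "enabled": True, "last_sync": "2021-03-01T12:00:00Z"},
]

def stale_groups(groups, now, interval=POLL_INTERVAL, max_missed=MAX_MISSED_POLLS):
    """Return (feed, group, reason) for enabled groups whose data is stale."""
    findings = []
    for g in groups:
        if not g["enabled"]:
            continue  # feed deliberately not synchronized: not a finding
        if g["last_sync"] is None:
            findings.append((g["feed"], g["group"], "never synced"))
            continue
        age = now - parse_ts(g["last_sync"])
        if age > interval * max_missed:
            elapsed = age // interval  # whole poll intervals since last sync
            findings.append((g["feed"], g["group"], f"{elapsed} poll intervals since last sync"))
    return findings

if __name__ == "__main__":
    for feed, group, reason in stale_groups(SAMPLE_GROUPS, SAMPLE_NOW):
        print(f"STALE {feed}/{group}: {reason}")
```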