Enterprise UI Configuration

The Enterprise UI service has some static configuration options that are read from /config/config-ui.yaml inside the UI container image when the system starts up. Some of these options can be superseded by environment variables, which are also documented below. When neither a configuration file option nor an environment variable is set, a built-in default value is used, if applicable. In these cases, and if the value is not read-only, it can be changed at runtime via the UI configuration page.

Note: The configuration is designed to not require any modification when using the quickstart (docker compose) or production (Helm) methods of deploying Anchore Enterprise.

Required Configuration

These settings are essential for the Anchore Enterprise UI to start and function properly.

enterprise_uri

The (required) enterprise_uri key specifies the address of the Anchore Enterprise service. The value must be a string containing a properly-formed ‘http’ or ‘https’ URI. This value can be overridden by using the ANCHORE_ENTERPRISE_URI environment variable.

Note: Password credentials provided as part of the URI will be obfuscated when displayed in the UI logs for security reasons.

enterprise_uri: 'http://api:8228/v2'

redis_uri

The (required) redis_uri key specifies the address of the Redis service. The value must be a string containing a properly-formed redis URI such as redis://ui-redis. If encryption in transit is in use with an external Redis, the connection string should use rediss:// instead of redis://. Note that the default configuration uses the Redis Serialization Protocol (RESP). This value can be overridden by using the ANCHORE_REDIS_URI environment variable.

Note: Password credentials provided as part of the URI will be obfuscated when displayed in the UI logs for security reasons.

redis_uri: 'redis://ui-redis:6379'

appdb_uri

The (required) appdb_uri key specifies the location and credentials for the postgres DB endpoint used by the UI. The value must contain the host, port, DB user, DB password, and DB name. This value can be overridden by using the ANCHORE_APPDB_URI environment variable.

Note: Password credentials provided as part of the URI will be obfuscated when displayed in the UI logs for security reasons.

appdb_uri: 'postgres://<db-user>:<db-pass>@<db-host>:<db-port>/<db-name>'

Note: If your database password contains special characters (such as @, :, /, %, #, or others), these characters may need to be URL-encoded in the connection string to ensure proper parsing. For example, a password containing @ should be encoded as %40. You can use online URL encoding tools or programming language URL encoding functions to encode your password before including it in the URI. The default Helm chart provided by Anchore automatically handles this encoding for you when you provide the password via the chart values. Clients using Docker or their own deployment methods should ensure proper encoding as needed.
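One way to do the encoding locally rather than in an online tool, shown as an added example (not part of Anchore's documentation or code): it percent-encodes the credentials, confirms the URI round-trips through a parser, and masks the password for logging. The host, user and password are constructed sample values, and the function names are hypothetical.

```javascript
// Added example: assemble appdb_uri from separate parts with the credentials
// percent-encoded. All hosts, users and passwords here are constructed samples.

// encodeURIComponent leaves ! ' ( ) * as-is; encode them as well so the
// result contains only unreserved characters and %XX escapes.
function encodeUserinfo(value) {
  return encodeURIComponent(value).replace(
    /[!'()*]/g,
    (c) => '%' + c.charCodeAt(0).toString(16).toUpperCase()
  );
}

function buildAppdbUri({ user, password, host, port, database }) {
  const uri =
    `postgres://${encodeUserinfo(user)}:${encodeUserinfo(password)}` +
    `@${host}:${port}/${encodeURIComponent(database)}`;
  // Round-trip check: a URI parser must recover exactly what was put in.
  const parsed = new URL(uri);
  if (
    decodeURIComponent(parsed.password) !== password ||
    decodeURIComponent(parsed.username) !== user ||
    parsed.hostname !== host ||
    parsed.port !== String(port)
  ) {
    throw new Error('appdb_uri does not round-trip; check the individual parts');
  }
  return uri;
}

// Host that a WHATWG URL parser extracts, or null when the string is rejected.
function hostSeenByParser(uri) {
  try {
    return new URL(uri).hostname;
  } catch {
    return null;
  }
}

// Mask the password before a connection string is written to a log or ticket.
function redactForLog(uri) {
  const parsed = new URL(uri);
  if (parsed.password) parsed.password = '***';
  return parsed.href;
}

const sample = {
  user: 'anchore',
  password: 'p@ss:w/rd%#1', // constructed sample password
  host: 'db.example.internal',
  port: 5432,
  database: 'anchore',
};
const encodedUri = buildAppdbUri(sample);
// The same parts pasted together without encoding: the "/" in the password
// ends the authority early, so the parser no longer sees the intended host.
const rawUri =
  `postgres://${sample.user}:${sample.password}` +
  `@${sample.host}:${sample.port}/${sample.database}`;

console.log(redactForLog(encodedUri));
console.log('host parsed from the unencoded form:', hostSeenByParser(rawUri));
```
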

Security & SSL

These settings control SSL/TLS behavior, authentication modes, and proxy trust.

enable_ssl

The (optional) enable_ssl key specifies whether the application is running in an SSL/TLS-enabled environment. When set to True, the following security behaviors are enabled:

  • Secure cookies: Session cookies are marked with the Secure flag, instructing browsers to only transmit them over HTTPS connections. This prevents session hijacking via unencrypted network traffic.
  • SameSite=None: The cookie SameSite attribute is set to None, allowing the cookie to be sent in cross-site requests. This is required for certain authentication flows and embedded scenarios, but is only safe when combined with the Secure flag.
  • Upgrade insecure requests: The Content Security Policy (CSP) header includes upgrade-insecure-requests, instructing browsers to automatically upgrade HTTP requests to HTTPS.

When set to False (the default), cookies use SameSite=Lax which provides protection against cross-site request forgery (CSRF) attacks while allowing normal navigation.

Note: Only enable this property if your deployment is configured to serve traffic over HTTPS—either directly with TLS certificates or behind an SSL-terminating reverse proxy. Enabling this setting without HTTPS will prevent browsers from sending session cookies, effectively breaking authentication. This property is read-only and can only be set via the config-ui.yaml file or environment variable.

This value can be overridden by using the ANCHORE_ENABLE_SSL environment variable.

Default: False

enable_ssl: False

enable_proxy

The (optional) enable_proxy key configures the application to trust reverse proxy headers when determining connection security. When set to True, the application reads the X-Forwarded-Proto header to determine whether the original client connection was made over HTTPS.

This setting is essential for deployments where SSL/TLS termination occurs at a load balancer or reverse proxy (such as NGINX, HAProxy, or a cloud load balancer) rather than at the application itself. In these architectures:

  1. The client connects to the proxy over HTTPS
  2. The proxy terminates SSL and forwards the request to the application over HTTP
  3. The proxy sets X-Forwarded-Proto: https to indicate the original protocol
  4. The application uses this header to correctly set secure cookie attributes

Without this setting enabled in a proxied environment, the application would see only the internal HTTP connection and fail to set cookies correctly, potentially breaking authentication or reducing security.

Note: Only enable this setting if enable_ssl is also enabled and your application runs behind a trusted reverse proxy. Enabling this in an environment without a proxy could allow malicious clients to spoof the header. This property is read-only and can only be set via the config-ui.yaml file or environment variable.

This value can be overridden by using the ANCHORE_ENABLE_PROXY environment variable.

Default: False

enable_proxy: False
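The interaction between enable_ssl and enable_proxy described above, as an added illustrative model with a pre-deployment check (not Anchore's implementation). The request and deployment objects, the function names, and the rule that a Secure cookie is only issued on a request seen as HTTPS are assumptions.

```javascript
// Added illustrative model of the behaviour described above (not Anchore code).
// `req` is a constructed stand-in for an incoming request:
//   { encrypted: boolean, headers: { 'x-forwarded-proto': string } }

// Cookie and CSP behaviour selected by enable_ssl.
function cookiePolicy(config) {
  return config.enable_ssl
    ? { secure: true, sameSite: 'None', upgradeInsecureRequests: true }
    : { secure: false, sameSite: 'Lax', upgradeInsecureRequests: false };
}

// Does the application consider the original client connection to be HTTPS?
function requestIsHttps(config, req) {
  if (req.encrypted) return true; // TLS terminated by the application itself
  if (!config.enable_proxy) return false; // forwarded headers are ignored
  const proto = String(req.headers['x-forwarded-proto'] || '');
  return proto.trim().toLowerCase() === 'https';
}

// Assumption: a Secure session cookie is only issued on a request the
// application considers HTTPS, as common session middleware does.
function sessionCookieIssued(config, req) {
  return cookiePolicy(config).secure ? requestIsHttps(config, req) : true;
}

// Pre-deployment check. `deployment` is a hypothetical description of the
// environment: { tlsAtApp: boolean, tlsTerminatingProxy: boolean }.
function preflight(config, deployment) {
  const findings = [];
  const https = deployment.tlsAtApp || deployment.tlsTerminatingProxy;
  if (config.enable_ssl && !https) {
    findings.push('enable_ssl without HTTPS: browsers will not send the session cookie');
  }
  if (config.enable_proxy && !config.enable_ssl) {
    findings.push('enable_proxy requires enable_ssl');
  }
  if (config.enable_proxy && !deployment.tlsTerminatingProxy) {
    findings.push('enable_proxy without a trusted proxy: X-Forwarded-Proto is client-controlled');
  }
  if (
    config.enable_ssl &&
    deployment.tlsTerminatingProxy &&
    !deployment.tlsAtApp &&
    !config.enable_proxy
  ) {
    findings.push('TLS ends at the proxy but enable_proxy is off: the app only sees HTTP');
  }
  return findings;
}

// Constructed request as forwarded by a TLS-terminating proxy.
const viaProxy = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };
const behindProxy = { tlsAtApp: false, tlsTerminatingProxy: true };

// With enable_proxy off the header is ignored and no session cookie is issued.
console.log(sessionCookieIssued({ enable_ssl: true, enable_proxy: false }, viaProxy));
console.log(sessionCookieIssued({ enable_ssl: true, enable_proxy: true }, viaProxy));
console.log(preflight({ enable_ssl: true, enable_proxy: false }, behindProxy));
```
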

sso_auth_only

The (optional) sso_auth_only key disables native user authentication for all users except the admin user. When enabled, only SSO-based authentication methods (such as SAML or LDAP) will be available for non-admin users.

Note: This property is read-only and can only be set via the config-ui.yaml file or environment variable.

This value can be overridden by using the ANCHORE_SSO_AUTH_ONLY environment variable.

Default: False

sso_auth_only: False

Session Management

These settings control user session behavior, timeouts, and authentication locks.

session_timeout

The (optional) session_timeout key specifies the maximum duration (in seconds) that a user session can remain idle before it expires and the user is required to re-authenticate. The session timeout is automatically refreshed with each user request (rolling session), meaning active users will not be logged out.

The minimum value is 60 seconds and there is no maximum limit, although very large values are not recommended for security reasons. Changes to this configuration are applied immediately to all active sessions on their next request.

This value can be overridden by using the ANCHORE_SESSION_TIMEOUT environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: 1209600 (seconds / 14 days)

session_timeout: 1209600

allow_shared_login

The (optional) allow_shared_login key specifies if a single set of user credentials can be used to start multiple Anchore Enterprise UI sessions; for example, by multiple users across different systems, or by a single user on a single system across multiple browsers.

When set to False, only one session per credential is permitted at a time, and logging in will invalidate any other sessions that are using the same set of credentials.

Note that setting this property to False does not prevent a single session from being viewed within multiple tabs inside the same browser. This value can be overridden by using the ANCHORE_ALLOW_SHARED_LOGIN environment variable. If unset via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: True

allow_shared_login: True

authentication_lock

The (optional) authentication_lock keys specify if a user should be temporarily prevented from logging in to an account after one or more failed authentication attempts. For this feature to be enabled, both count and expires values must be whole numbers greater than 0. If only one value is set, the feature will remain disabled. They can be overridden by using the ANCHORE_AUTHENTICATION_LOCK_COUNT and ANCHORE_AUTHENTICATION_LOCK_EXPIRES environment variables respectively.

The count value represents the number of failed authentication attempts allowed to take place before a temporary lock is applied to the username. The expires value represents, in seconds, how long the lock will be applied for.

Note that, for security reasons, when this feature is enabled it will be applied to any submitted username, regardless of whether the user exists. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: Not configured (feature disabled)

authentication_lock:
  count: 5
  expires: 300
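The count and expires semantics above, as an added illustrative model (not Anchore's implementation). It assumes the lock begins when failures reach count and keeps state in memory; the class and function names are hypothetical.

```javascript
// Added illustrative model of authentication_lock (not Anchore code).
// Assumptions: the lock starts once failures reach `count`; state is in memory.

// Both values must be whole numbers greater than 0, otherwise the feature is off.
function lockEnabled(lock) {
  const whole = (n) => Number.isInteger(n) && n > 0;
  return Boolean(lock) && whole(lock.count) && whole(lock.expires);
}

class AuthLock {
  constructor(lock, now = () => Date.now()) {
    this.enabled = lockEnabled(lock);
    this.count = this.enabled ? lock.count : 0;
    this.expiresMs = this.enabled ? lock.expires * 1000 : 0; // expires is in seconds
    this.now = now;
    // Keyed on the submitted username, never on whether the account exists,
    // so lock behaviour cannot be used to tell real usernames from invented ones.
    this.entries = new Map();
  }

  isLocked(username) {
    const entry = this.entries.get(username);
    if (!entry || entry.lockedUntil === 0) return false;
    if (this.now() < entry.lockedUntil) return true;
    this.entries.delete(username); // lock expired: start counting afresh
    return false;
  }

  // Record a failed attempt; returns true when the username is now locked.
  recordFailure(username) {
    if (!this.enabled) return false;
    if (this.isLocked(username)) return true;
    const entry = this.entries.get(username) || { failures: 0, lockedUntil: 0 };
    entry.failures += 1;
    if (entry.failures >= this.count) {
      entry.lockedUntil = this.now() + this.expiresMs;
    }
    this.entries.set(username, entry);
    return entry.lockedUntil !== 0;
  }

  // A successful login clears the failure counter for that username.
  recordSuccess(username) {
    this.entries.delete(username);
  }
}

// Constructed run with a fake clock (milliseconds) and a username that
// belongs to no account.
function demo() {
  let clock = 0;
  const guard = new AuthLock({ count: 3, expires: 300 }, () => clock);
  const results = [1, 2, 3].map(() => guard.recordFailure('no-such-user'));
  clock = 299999;
  const stillLocked = guard.isLocked('no-such-user');
  clock = 300000;
  const afterExpiry = guard.isLocked('no-such-user');
  return { results, stillLocked, afterExpiry };
}

console.log(demo());
```
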

Logging

These settings control application logging behavior and output.

log_level

The (optional) log_level key allows you to set the descriptive detail of the application log output. The key value must be a string selected from the following priority-ordered list (based on a subset of npm’s log levels):

  • error: Critical errors that prevent normal operation or indicate a failure condition
  • warn: Warning messages for potentially problematic situations that don’t prevent operation
  • info: General informational messages about application state and significant events
  • http: HTTP request/response logging for API calls and web traffic
  • debug: Detailed diagnostic information useful for troubleshooting issues
  • silly: Extremely verbose output including all internal operations (not recommended for production)

Once set, each level will automatically include the output for any levels above it—for example, info will include the log output for details at the warn and error levels, whereas error will only show error output.

This value can be overridden by using the ANCHORE_LOG_LEVEL environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: http

log_level: 'http'

log_dir

The (optional) log_dir key allows you to set the location of the Anchore Enterprise Client log file. The key value must be a string containing a valid path to a writable directory.

This value can be overridden by using the ANCHORE_LOG_DIR environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: /var/log/anchore

log_dir: '/var/log/anchore'

log_dir_retry_interval

The (optional) log_dir_retry_interval key specifies the interval in milliseconds for monitoring log directory availability. If set, the application will periodically check the log directory health and automatically enable file logging when it becomes available or disable it when it becomes unavailable.

The minimum value is 60000 milliseconds (60 seconds). This value can be overridden by using the ANCHORE_LOG_DIR_RETRY_INTERVAL environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: 60000 (milliseconds / 60 seconds)

log_dir_retry_interval: 60000

Caching & Performance

These settings control data caching and performance-related options.

cache_expiry

The (optional) cache_expiry key specifies whether the Anchore Enterprise Client should employ data caching on service routes that support it. When set with a positive whole number, this value is used to specify the time-to-live for the cached data in seconds. Set to 0 or false to disable caching entirely.

This value can be overridden by using the ANCHORE_CACHE_EXPIRY environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: 600 (seconds / 10 minutes)

cache_expiry: 600

enrich_inventory_view

The (optional) enrich_inventory_view key allows you to set whether the Kubernetes feature should aggregate and include compliance and vulnerability data from the reports service. Setting this key to False can increase performance on high-volume systems.

This value can be overridden by using the ANCHORE_ENRICH_INVENTORY_VIEW environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: True

enrich_inventory_view: True

Customization

These settings allow you to customize the appearance and add custom content to the UI.

custom_links

The (optional) custom_links key allows a list of up to 10 external links to be provided (additional items will be excluded). The top-level title key provides the label for the menu (if present, otherwise the string “Custom External Links” will be used instead).

Each link entry must have a title of at least 1 character and a valid URI. The URI must be either a relative path (starting with /) or an absolute URL with http:// or https:// protocol. If either item is invalid, a validation error will be shown and the configuration cannot be saved. If not set via the config-ui.yaml file, this setting can be configured via the System > Configuration view in the UI.

Default: Not configured (feature disabled)

custom_links:
  title: Custom External Links
  links:
  - title: Example Link 1
    uri: https://example.com
  - title: Example Link 2
    uri: https://example.com
  - title: Example Link 3
    uri: https://example.com
  - title: Example Link 4
    uri: https://example.com
  - title: Example Link 5
    uri: https://example.com
  - title: Example Link 6
    uri: https://example.com
  - title: Example Link 7
    uri: https://example.com
  - title: Example Link 8
    uri: https://example.com
  - title: Example Link 9
    uri: https://example.com
  - title: Example Link 10
    uri: https://example.com

custom_message

The (optional) custom_message key allows you to provide a message that will be displayed on the application login page below the Username and Password fields. The key value must be an object that contains:

  • A title key, whose string value provides a title for the message—which can be up to 250 characters
  • A message key, whose string value is the message itself—which can be up to 10000 characters

custom_message:
  title:
    "Title goes here..."
  message:
    "Message goes here..."

Note: Both title and message values must be present and contain at least 1 character for the message box to be displayed. If either value exceeds the character limit, a validation error will be shown and the configuration cannot be saved.

Default: Not configured (feature disabled)

Important: The ability to add custom messages via the UI configuration page is currently disabled but will be provided in a forthcoming release.

banners

The (optional) banners key allows you to provide messages that will be displayed as a banner at the top and/or bottom of the application or only the login page. You can set either or both banners. Each banner is defined by a key that contains an object with the following properties:

  • text (string): The message to be displayed in the banner. This can be up to 2000 characters long.
  • text_color (string): The color of the text in the banner.
  • background_color (string): The background color of the banner.
  • display (string): The display condition for the banner. This can be set to always or login-only. If not specified, the default is always. The login-only option will only display the banner on the login page.

banners:
  top:
    text: "Custom message for the top banner..."
    text_color: ""
    background_color: ""
    display: "always"
  bottom:
    text: "Custom message for the bottom banner..."
    text_color: ""
    background_color: ""
    display: "login-only"

Note:

  • The text value must be present and contain at least 1 character for the banner to be displayed. If text is provided, display must also be set. Conversely, if display or color settings are provided, text must also be set. If the text exceeds the character limit, a validation error will be shown and the configuration cannot be saved. When displayed, long text may be truncated with an ellipsis, with the full text available on hover.
  • The text_color and background_color values can be any valid CSS color format, including hex codes (e.g., #FF5733), RGB (e.g., rgb(255, 87, 51)), or color names (e.g., red).

If not set via the config-ui.yaml file, this setting can be configured via the System > Configuration view in the UI. Because of the level of detail that can be provided, this configuration (and other complex configs) are managed via a dedicated editor modal:

Complex config editor

Default: Not configured (feature disabled)

Database Configuration

These settings control database connections and pool configuration.

appdb_config

The (optional) appdb_config key allows you to configure advanced database connection pool settings for the Anchore Enterprise Client application database. This configuration is useful for performance tuning in high-scale deployments.

Note: This property is read-only and can only be set via the config-ui.yaml file. It cannot be modified through the UI configuration page to prevent accidental misconfiguration that could result in connectivity issues.

The key value must be an object containing the following properties:

  • native (boolean): Enables the use of the pg-native library for improved performance. Defaults to true.
  • pool (object): Connection pool configuration with the following properties:
    • min (integer): Minimum number of connections in the pool. Defaults to 0.
    • max (integer): Maximum number of connections in the pool. Defaults to 10.
    • acquire (integer): Maximum time (in milliseconds) that the pool will try to get a connection before throwing an error. Defaults to 30000.
    • idle (integer): Maximum time (in milliseconds) that a connection can be idle before being released. Defaults to 10000.

For more information about these settings, see the Sequelize connection pool documentation.

appdb_config:
  native: true
  pool:
    min: 0
    max: 10
    acquire: 30000
    idle: 10000

Redis Configuration

These settings control Redis connection and cluster behavior.

redis_cluster_enabled

The (optional) redis_cluster_enabled key enables Redis cluster mode for distributed deployments. When enabled, the application will connect to Redis using cluster mode instead of standalone mode. This is essential for high-availability deployments that require Redis clustering.

Note: This property is read-only and can only be set via the config-ui.yaml file or environment variable.

This value can be overridden by using the ANCHORE_REDIS_CLUSTER_ENABLED environment variable.

Default: False

redis_cluster_enabled: False

redis_flushdb

The (optional) redis_flushdb key specifies if the Redis datastore containing user session keys and data is emptied on application startup. If the datastore is flushed, any users with active sessions will be required to re-authenticate.

DEPRECATED: This configuration property is deprecated and will be removed in a forthcoming release.

This value can be overridden by using the ANCHORE_REDIS_FLUSHDB environment variable.

Default: True

redis_flushdb: True

Network & Service

These settings control network ports, WebSocket behavior, and metrics.

port

The (optional) port key specifies the port number to use for the Anchore Enterprise Client web service. The value must be a whole number between 1 and 65535.

Note: This property is read-only and can only be set via the config-ui.yaml file or environment variable.

This value can be overridden by using the PORT environment variable.

Default: 3000

port: 3000

force_websocket

The (optional) force_websocket key specifies if the WebSocket protocol must be used for socket message communications. By default, long-polling is initially used to establish the handshake between client and web service, followed by a switch to WS if the WebSocket protocol is supported.

Note: This property is read-only and can only be set via the config-ui.yaml file or environment variable.

This value can be overridden by using the ANCHORE_FORCE_WEBSOCKET environment variable.

Default: False

force_websocket: False

enable_prometheus_metrics

The (optional) enable_prometheus_metrics key enables exporting monitoring metrics to Prometheus. When enabled, the metrics are made available on the /metrics endpoint.

This value can be overridden by using the ANCHORE_ENABLE_METRICS environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: False

enable_prometheus_metrics: False

reports_uri

The (optional) reports_uri key specifies the address of the Reports service. The value must be a string containing a properly-formed ‘http’ or ‘https’ URI and can be overridden by using the ANCHORE_REPORTS_URI environment variable.

reports_uri: 'http://reports:8228/v2'

Licensing

license_path

The (optional) license_path key specifies the location of the local system folder containing the license.yaml license file used by the Anchore Enterprise UI web service for product activation. Although this setting is optional as a path default is provided, if a custom configuration is specified it must be correct to allow the full functionality of the application.

Default: /license.yaml

license_path: '/license.yaml'

LDAP Configuration

These settings control LDAP authentication timeouts.

ldap_timeout

The (optional) ldap_timeout key specifies the time (in milliseconds) the LDAP client should let operations stay alive before timing out. The value must be a whole number greater than 0.

This value can be overridden by using the ANCHORE_LDAP_AUTH_TIMEOUT environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: 6000 (milliseconds)

ldap_timeout: 6000

ldap_connect_timeout

The (optional) ldap_connect_timeout key specifies the time (in milliseconds) the LDAP client should wait before timing out on TCP connections. The value must be a whole number greater than 0.

This value can be overridden by using the ANCHORE_LDAP_AUTH_CONNECT_TIMEOUT environment variable. If not set via the config-ui.yaml file or environment variable, this setting can be configured via the System > Configuration view in the UI.

Default: 6000 (milliseconds)

ldap_connect_timeout: 6000

Feature Flags

These settings control optional features and capabilities.

enable_add_repositories

The (optional) enable_add_repositories key specifies if repositories can be added via the application interface by either administrative users or standard users. When disabled, this property also suppresses the availability of the Watch Repository toggle associated with any repository entries displayed in the Artifact Analysis view.

Note that any of these properties that is absent defaults to True. To disable the feature for an account type, this key must therefore be present together with the child key for that account type, explicitly set to False. If not set via the config-ui.yaml file, this setting can be configured via the System > Configuration view in the UI.

Default: The admin and standard keys are both set to True

enable_add_repositories:
  admin: True
  standard: True

Managing Configuration in the UI

Sections of the UI configuration settings can now be found from within the UI. Navigate to the System heading in the sidebar and then select Configuration. Here you will see some of the exposed configuration options:

UI Configuration Page

A configuration is changeable if it is not already set via an environment variable or config file, and is not designated as read-only. Read-only settings can only be changed by modifying the configuration file directly or setting an environment variable, and these typically fall into the category of settings that are critical to application functionality or security where runtime changes could lead to instability or interfere with the current operation of the system.

NOTE: The latest default UI configuration file can always be extracted from the Enterprise UI container to review the latest options, environment overrides and descriptions of each option using the following process:

docker login
docker pull docker.io/anchore/enterprise-ui:latest
docker create --name aui docker.io/anchore/enterprise-ui:latest
docker cp aui:/config/config-ui.yaml /tmp/my-config-ui.yaml
docker rm aui
cat /tmp/my-config-ui.yaml
...
...
Last modified December 12, 2025