Observe an App Version
Once an app version contains one or more assets, Anchore Enterprise aggregates packages and vulnerabilities across every asset in the version and exposes them through a consistent set of queries — so questions like “which images in this release contain openssl 3.0.13?” can be answered with one call.
This page covers those queries: the list endpoints that span a version, the pivot endpoints that link packages and vulnerabilities back to the assets that contain them, and the CLI verbs that surface the same data on the command line. For the GUI walkthrough of the same data, see Version Detail Page. For policy evaluation and status queries against an app version, see Evaluate Policy Against an App Version.
What the Version Aggregates
Two categories of data are aggregated across a version’s assets:
- Packages — every package discovered in any asset, deduplicated by
(name, version, type, namespace). The same package present in multiple assets appears once in the aggregate list. - Vulnerabilities — every vulnerability matched against any asset, deduplicated using the same logic Anchore Enterprise applies elsewhere. Related CVEs are merged, and higher-priority sources (distro advisories) win over lower-priority ones (NVD).
Each category supports both a flat list and one or more pivot queries that locate the underlying data within specific assets.
Observe a Version with AnchoreCTL
AnchoreCTL exposes the read surface under anchorectl app version. Each command requires the parent app via --app and accepts either the version name or its UUID.
List Packages in a Version
List every package across every asset in the version, deduplicated by name, version, type, and namespace:
anchorectl app version package list 1.4.0 --app my-service
Use -o json for the structured record.
List Vulnerabilities in a Version
List every vulnerability matched against any asset in the version, deduplicated across overlapping sources:
anchorectl app version vuln list 1.4.0 --app my-service
Output includes the CVE identifier, severity, the Anchore Score, fix availability, and the packages affected. Use -o json for the full record including provenance, EPSS, and CISA KEV flags.
Observe a Version with the API
The API exposes the same data plus the pivot queries that link findings back to the assets that contain them.
Aggregate List Endpoints
| Method | Path | Purpose |
|---|---|---|
GET | /apps/{app_id}/versions/{version_id}/packages | Every package across every asset in the version |
GET | /apps/{app_id}/versions/{version_id}/vulnerabilities | Every vulnerability across every asset, deduplicated |
The vulnerabilities endpoint accepts an optional asset_id query parameter to narrow the result to a single asset rather than the aggregated view.
Pivot Endpoints
The pivot endpoints answer the cross-asset questions that motivate grouping in the first place — locating where a package lives or which assets carry a given vulnerability.
| Method | Path | Purpose |
|---|---|---|
GET | /apps/{app_id}/versions/{version_id}/assets-by-package | List assets that contain a specific package (filter by name and version, optionally narrowing by type or namespace) |
GET | /apps/{app_id}/versions/{version_id}/packages-by-vulnerability | List packages affected by a specific vulnerability |
GET | /apps/{app_id}/versions/{version_id}/asset-locations-by-package | List the specific filesystem locations across all assets where a package appears |
The full request and response schemas for both the aggregate and pivot endpoints are in the API browser; search for the App Version Packages and App Version Vulnerabilities tags.
A few conventions worth knowing as you call these endpoints:
- All list and pivot endpoints return paginated responses — see Pagination.
- Vulnerability deduplication respects each asset’s distro context for filtering, then merges related CVEs across sources. The deduplication logic matches what is applied elsewhere in Anchore Enterprise.
- Cross-account requests are scoped via the
x-anchore-accountheader or, from AnchoreCTL, theANCHORECTL_ACCOUNTenvironment variable. See Account Scoping for the full mechanism.