Viewing an App Version's SBOM

Once an app version contains one or more assets, Anchore Enterprise aggregates the SBOM contents of every asset into a single package view for the version. Viewing that aggregate is how you look inside the stored SBOM: which packages a release contains and which assets carry them. Questions like “which images in this release contain openssl 3.0.13?” can be answered with a single API call.

A package that appears in more than one asset is listed once. A pivot query then shows you which assets contain it.

For the GUI walkthrough of the same data, see Version Detail Page. For the vulnerability view of the same aggregation, see Scan an App Version; for policy evaluation, see Evaluate Policy Against an App Version.

View SBOM Contents with AnchoreCTL

List every package across every asset in the version, deduplicated by name, version, type, and namespace. The command requires the parent app via --app and accepts either the version name or its UUID:

anchorectl app version package list 1.4.0 --app my-service

Use -o json for the structured record.


View SBOM Contents with the API

The API exposes the aggregate package list plus the pivot queries that link packages back to the assets that contain them.

Aggregate List Endpoint

MethodPathPurpose
GET/apps/{app_id}/versions/{version_id}/packagesEvery package across every asset in the version

Pivot Endpoint

The pivot endpoint answers the cross-asset question that motivates grouping in the first place — locating which assets carry a package.

MethodPathPurpose
GET/apps/{app_id}/versions/{version_id}/assets-by-packageList assets that contain a specific package (filter by name and version, optionally narrowing by type or namespace)

The full request and response schemas for both the aggregate and pivot endpoints are in the API browser; search for the App Version Packages tag.

A few conventions worth knowing as you call these endpoints:

  • All list and pivot endpoints return paginated responses — see Pagination.
  • Cross-account requests are scoped via the x-anchore-account header or, from AnchoreCTL, the ANCHORECTL_ACCOUNT environment variable. See Account Scoping for the full mechanism.
Last modified July 15, 2026