Search

Search answers questions that span more than one image in your catalog: “Which images have a Critical finding with a known KEV?”, “Which images contain a vulnerable version of a specific package?”, “Which images failed a policy evaluation in the last week?”

Coming soon: Applications search capability in the GUI and API.

Current search and reporting capability operates on the image catalog only — the Query API and Reports view below cover image-scoped questions.

Anchore Enterprise exposes two search surfaces over the image catalog. They draw from the same underlying vulnerability and package data — the choice is about who is running the query and what they want back.

Surface	Best for	Output
Reports view (GUI)	Interactive triage, saved reports, scheduled runs, CSV downloads	Tabular report, downloadable as CSV
Query API	Programmatic integrations, dashboards, custom tooling	Paginated JSON

For producing formal documents — VEX, VDR, SBOMs, vulnerability data exports — see Evidence. Evidence exports are available at both image and app-version scopes today.

Search via the Reports View

The Reports tab in the Anchore Enterprise GUI is the interactive search surface. Reports are built from templates that define which filters appear on the report form and which columns appear in the result, and from executions that capture the result of running a configured report at a point in time.

New Report

The New Report tab is where reports are composed and executed. Pick a template, set the filter values, and run the report once for an immediate result, or save it for re-use.

Saved Reports

Saved reports retain their template, filter selections, and execution history. From the Saved Reports tab you can:

Run a saved report on demand — Generate Now.
Schedule the report to run on a recurring cadence and notify subscribers when results are ready.
Browse past executions, download their CSVs, or drill into the on-screen results.

Templates

Templates define the shape of a report: which filters are presented to the user, with what defaults, and which columns appear in the result.

Anchore Enterprise ships a set of system templates as starting points — for example, “Images Affected by Vulnerability”, “Images Failing Policy Evaluation”, and “Tags by Vulnerability”. System templates cannot be modified, but you can copy any of them into a user template and tailor the filter and column set to your team’s needs.

Templates and reports are both account-scoped. Templates created by other users in the same account are visible and can be used as a starting point for further customization.

The reporting data cycle is configurable on the deployment, and results in the Reports view may lag analysis output. See Reporting Service configuration for the cycle frequency and tuning options.

Search via the API

The Query API is the programmatic surface for zero-day investigation and tooling integrations. Two endpoints cover the common patterns: look up a vulnerability by ID, or find images containing a specific package version.

The Query API operates on container images only, matching the current scope of search and reporting in Anchore Enterprise. For known app versions, use anchorectl app version vuln list or the per-version API endpoints documented in Scan an App Version directly.

Find Images by Package

When the vulnerability record is incomplete — common in the first hours after disclosure — search by the affected package version directly. The classic example: locate every image with a vulnerable version of k8s.io/ingress-nginx.

curl -X GET \
  '{anchore-url}/v2/query/images/by-package?name=k8s.io%2Fingress-nginx&package_type=go&version=v1.11.0' \
  -H 'accept: application/json'

The response is a paginated PaginatedImageList — each entry names the image digest, the tag history that points at it, and the package records that match the filter:

{
  "images": [
    {
      "image": {
        "image_digest": "sha256:4db2297322e827ae13892be1480800471ec83726edea921bd45af0f8ed35e094",
        "tag_history": [
          {
            "full_tag": "registry.k8s.io/ingress-nginx/controller:v1.11.0"
          }
        ]
      },
      "packages": [
        { "name": "k8s.io/ingress-nginx", "version": "v1.11.0", "type": "go" }
      ]
    }
  ],
  "total_count": 1
}

For the full zero-day investigation pattern — including how to escalate from a package match to remediation — see the Find Zero-day Vulnerabilities quickstart.

Look Up a Vulnerability by ID

When the vulnerability ID is known, GET /v2/query/vulnerabilities returns the underlying record and the packages it affects:

curl -X GET \
  '{anchore-url}/v2/query/vulnerabilities?id=CVE-2024-3094' \
  -H 'accept: application/json'

Useful as a quick “does Anchore Enterprise know about this yet?” check before kicking off a broader hunt.

The full request and response schemas for both endpoints are in the API browser under the Query tag.

Where to Go Next

Evidence — produce formal documents from search results: VEX, VDR, vulnerability data exports.
Annotations — record VEX dispositions on findings; annotations feed the VEX evidence exports and will be filterable through the future app-version search surface.
Reporting Service configuration — tune the data-refresh cadence that drives the Reports view.

Last modified June 16, 2026