Scans
A vulnerability scan in Anchore Enterprise is the result of matching an artifact’s SBOM against the vulnerability data provided by the Anchore Data Service. See How It Works for the underlying matching pipeline that produces every finding.
Anchore Enterprise exposes scan results in two distinct scopes. Pick the one that matches how your team organizes software.
vuln_update re-scans an image and notifies you when its set of vulnerabilities changes.
Two Scan Scopes
The two scopes differ in what the scan runs against and how findings are aggregated. Both draw from the same vulnerability data and share the same matching engine.
| Scope | What is scanned | Result shape |
|---|---|---|
| App-version-scoped | Every asset attached to an app version: container images, analyzed filesystems, and externally supplied SBOMs (see Asset Types), deduplicated across the version | Aggregated list across all assets in the version, with Anchore Score prioritization for vulnerabilities |
| Image-scoped | A single analyzed container image, identified by digest | Per-image list of findings with vulnerability attributes and fix details |
The app-version-scoped surface is the v6-native path. An app version can hold any mix of asset types (not just container images, but also analyzed filesystems and externally supplied SBOMs), so this scope gives you a single, deduplicated vulnerability view across an entire app version regardless of how each part was analyzed. It also surfaces the Anchore Score as a vulnerability prioritization field.
The image-scoped surface is the long-standing v5 path; it remains the right choice for ad-hoc checks of a single image, image-stage CI gates, and any workflow that has not yet adopted the apps, versions, and assets model.
What’s Shared and What Differs Between Scopes
Both scopes draw from the same vulnerability data: NVD, vendor-specific feeds, GHSA, MSRC, and Anchore’s enrichment dataset all flow through both scopes equally.
The matching engine is shared as well: both scopes run the same matcher, so CPE matching configuration and namespace handling apply identically regardless of scope. One matching behavior is scope-specific:
- Synthetic-CPE fallback for packages without an ecosystem PURL applies only to app-version-scoped (asset) scans. It has no effect on image-scoped scans.
The primary difference between the scopes is aggregation: an image-scoped scan returns one list for one image, while an app-version-scoped scan deduplicates across every asset in the version and aggregates the findings into a single list at the version level.
Where to Go Next
- Scan an App Version: GUI / CLI / API walkthrough for the app-version-scoped path
- Scan a Container Image: GUI / CLI / API walkthrough for the image-scoped path, plus registry-watching via repositories
For finding vulnerabilities across multiple assets at once (saved reports, custom report templates, and the query API), see Search.
Last modified June 16, 2026