An Introduction to the Anchore Enterprise API
The post An Introduction to the Anchore Enterprise API appeared first on Anchore.
Through the Looking Glass: Down the Rabbit Hole
The UI in Anchore Enterprise gives you a fast, intuitive way to explore scan results, review vulnerabilities, manage policies, and understand the security posture of your container fleet. Think of it as the polished side of the looking glass. But for teams that want to go further — building custom workflows, feeding scan data into other systems, or reacting to security events automatically — the more interesting world is on the other side. That’s where the Anchore Enterprise API comes in.
The API gives you programmatic access to everything the platform knows about your container images: full software bills of materials, vulnerability findings, policy evaluations, and a real-time event stream. That’s the door to integrations and automations uniquely tailored to how your organization works — blocking a deployment the moment a Critical CVE lands in a base image, opening a Jira ticket against the team that owns each affected service, or pinging Slack the instant a fix becomes available for a vulnerability you’ve been tracking.
This post kicks off a seven-part series on what the Anchore Enterprise API makes possible for container security teams. By the end you should be able to look at almost any container security workflow in your organization and see how the API can help you build it.
The Road Ahead
Here’s where the series goes next. Each post borrows its subtitle from a chapter of Alice in Wonderland:
- A Caucus-Race and a Long Tale — Working with SBOM Data: Retrieving full package inventories across every ecosystem Anchore understands, and building custom cross-image reports with Python.
- A Mad Tea-Party — Event-Driven Workflows with Anchore Notifications: Configuring webhooks to fire on security events and building receivers that connect Anchore to the rest of your toolchain.
- Humpty Dumpty — Custom Reporting and GraphQL: Going beyond REST with Anchore’s embedded GraphQL subsystem to query exactly the data you need in exactly the shape you want.
- Who Stole the Tarts? — Chasing the Cheshire Cat Through Zero-Day Vulnerabilities: Using the /query/vulnerabilities and /query/images/by-package endpoints to rapidly assess blast radius when a new CVE drops.
- Tweedledee and Tweedledum — Comparing Vulnerabilities Across Image Versions: Diffing vulnerability findings between image versions to understand exactly what was fixed — and what wasn’t.
- Queen Alice — Automating Administrative Tasks: Scripting user creation, account management, and permission grants to bring the same automation mindset to platform operations.
Each post stands on its own, so feel free to jump to whichever topic is most relevant to your work. If you’re new to the Anchore API entirely, reading in order will give you a solid foundation before the later posts get into more advanced territory. With the map in hand, let’s get started.
Finding Your Way Around
Before writing a single line of code, it helps to know what’s available. Wonderland is famously short on signposts; Anchore Enterprise comes with one built in. Every deployment serves its own OpenAPI schema at:
https://wonderland.example.com/v2/openapi.json
This machine-readable schema is the authoritative reference for every endpoint, request body, and response shape in your specific deployment. You can import it directly into tools like Postman or Insomnia for interactive exploration, or use it to generate a typed client library in your language of choice. It’s also a useful sanity check — if you’re ever unsure whether a field name or path is correct, the schema is the source of truth.
The official Anchore documentation covers the API in depth alongside the rest of the platform, and is a great companion to the hands-on examples in this series.
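The sanity check described above, as an added example (not code from the original post or from Anchore): it resolves a planned call against the schema's path templates and reports whether the path is unknown or only the HTTP method is wrong. The schema excerpt is constructed for illustration; its parameter names and `/v2` server entry are assumptions, and in practice you would load the JSON served at `/v2/openapi.json`.

```python
import re

# Constructed excerpt in OpenAPI 3 shape, not copied from a real deployment.
# Parameter names and the "/v2" server entry are assumptions.
SAMPLE_SCHEMA = {
    "openapi": "3.0.2",
    "servers": [{"url": "/v2"}],
    "paths": {
        "/images": {"get": {}},
        "/accounts/{account_name}/users/{username}/api-keys": {"get": {}, "post": {}},
        "/accounts/{account_name}/users/{username}/api-keys/{key_name}": {
            "patch": {}, "delete": {},
        },
    },
}
HTTP_METHODS = {"get", "put", "post", "delete", "patch", "head", "options"}


def template_regex(template):
    """Compile '/a/{x}/b' so that each {param} matches exactly one path segment."""
    literals = re.split(r"\{[^/{}]+\}", template)
    return re.compile("^" + "[^/]+".join(re.escape(p) for p in literals) + "$")


def find_operation(schema, url_path):
    """Return (template, allowed_methods), or (None, set()) for an unknown path."""
    base = (schema.get("servers") or [{"url": ""}])[0]["url"].rstrip("/")
    if base and url_path.startswith(base + "/"):
        url_path = url_path[len(base):]  # schema paths are relative to the server URL
    # Try templates with fewer parameters first so literal paths win.
    for template in sorted(schema["paths"], key=lambda t: t.count("{")):
        if template_regex(template).match(url_path):
            allowed = {m for m in schema["paths"][template] if m in HTTP_METHODS}
            return template, allowed
    return None, set()


def check_call(schema, method, url_path):
    """Classify a planned call as 'ok', 'wrong-method' or 'unknown-path'."""
    template, allowed = find_operation(schema, url_path)
    if template is None:
        return "unknown-path"
    return "ok" if method.lower() in allowed else "wrong-method"
```

Running `check_call` over every URL a script intends to hit catches typos in paths before any credentials are sent.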
Authenticating with the API
Alice’s first obstacle in Wonderland was a locked door without a key. Yours is similar. Anchore Enterprise supports both standard username/password authentication and API key authentication. API keys are the recommended approach for any programmatic or production use — they can be rotated and revoked independently of user credentials, making them safer to embed in scripts and automation.
Generating an API Key
API keys can be generated through the UI or via the API. The Anchore documentation covers the UI workflow. To generate one via the API, POST to the API key management endpoint for your account and username:
curl -s -u alice:password \
  -X POST "https://wonderland.example.com/v2/accounts/mad-hatter-team/users/alice/api-keys" \
  -H "Content-Type: application/json" \
  -d '{
    "name": "cheshire-cat",
    "description": "Pipeline automation key"
  }'
Important: API key credentials cannot be used to generate another API key. You must authenticate with your username and password when creating, listing, or deleting API keys.
Keys can also be revoked without deleting them using the PATCH endpoint, which is useful if you suspect a key has been compromised but want to preserve the audit trail:
curl -s -u alice:password \
  -X PATCH "https://wonderland.example.com/v2/accounts/mad-hatter-team/users/alice/api-keys/cheshire-cat" \
  -H "Content-Type: application/json" \
  -d '{"status": "revoked"}'
API Key Limitations
API keys inherit the permissions and roles of the user they were generated for, but there are two categories of operations that cannot be performed using an API key regardless of which user generated it:
- User and credential management — creating, editing, or removing users and their credentials must use username/password authentication.
- API key management — creating, editing, or revoking API keys (including the call to generate a new key shown above) must also use username/password authentication.
For any script or integration that needs to perform these operations, use a dedicated service account with username/password credentials scoped appropriately, and keep those credentials out of your codebase using environment variables or a secrets manager.
Using an API Key
Once you have a key, pass it using standard HTTP basic authentication with the literal string _api_key as the username and your token as the password:
curl -s -u _api_key:<your-api-key> \
  "https://wonderland.example.com/v2/images"
In Python, the same pattern applies:
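import requests
# Basic auth: the literal username "_api_key", with the key itself as the password.
AUTH = ("_api_key", "<your-api-key>")
resp = requests.get("https://wonderland.example.com/v2/images", auth=AUTH, timeout=30)
resp.raise_for_status()  # fail loudly on 401/403 instead of parsing an error body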
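The rules from "API Key Limitations" and "Using an API Key", combined in one added example (not code from the original post or from Anchore): a request builder that sends the API key for ordinary calls, switches to username/password for user and key management, and refuses non-HTTPS URLs. The environment variable names are hypothetical, and the user-management path pattern is an assumption modelled on the api-keys URL shown earlier.

```python
import base64
import os
import re
import urllib.request
from urllib.parse import urlsplit

# Path shapes are assumptions modelled on the api-keys URL shown above; confirm
# them against your deployment's /v2/openapi.json. Env var names are hypothetical.
API_KEY_MGMT = re.compile(r"^/v2/accounts/[^/]+/users/[^/]+/api-keys(/[^/]+)?$")
USER_MGMT = re.compile(r"^/v2/accounts/[^/]+/users(/.*)?$")
MUTATING = {"POST", "PUT", "PATCH", "DELETE"}


def needs_password(method, path):
    """True for the two categories of operation an API key cannot perform."""
    if API_KEY_MGMT.match(path):
        return True  # creating, listing, revoking or deleting keys
    return bool(USER_MGMT.match(path)) and method.upper() in MUTATING


def build_request(method, url, env=os.environ, body=None):
    """Return an unsent urllib Request carrying the right basic-auth header."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        # Basic auth is only base64-encoded, so it must never travel in clear text.
        raise ValueError("refusing to send credentials over " + (parts.scheme or "no scheme"))
    if needs_password(method, parts.path):
        user, secret = env["ANCHORE_SVC_USER"], env["ANCHORE_SVC_PASSWORD"]
    else:
        user, secret = "_api_key", env["ANCHORE_API_KEY"]
    token = base64.b64encode(f"{user}:{secret}".encode()).decode()
    req = urllib.request.Request(url, data=body, method=method.upper())
    req.add_header("Authorization", "Basic " + token)
    if body is not None:
        req.add_header("Content-Type", "application/json")
    return req
```

Pass the returned object to `urllib.request.urlopen` to send it; a missing environment variable raises `KeyError` rather than silently falling back to the other credential.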
The API as a Platform
What makes the Anchore Enterprise API genuinely powerful isn’t any single endpoint — it’s the fact that it gives you a coherent, queryable representation of your entire container security posture that you can build against. Once you’ve stepped through, there are more rooms here than this series will cover. Here’s a taste of what’s behind the other doors.
Reason about a release, not a pile of images. If you ship a product made up of multiple containers, this is how you answer “what is the security posture of version 2.4 of our platform?” as a single question. The applications API lets you group images into versioned application definitions and retrieve a combined SBOM and unified vulnerability view across every artifact in a given version.
Tell which vulnerable images are actually running in production. It’s the difference between “is this image vulnerable?” and “is this vulnerable image running in production right now?” Anchore Enterprise ingests runtime inventory from Kubernetes and Amazon ECS, giving you API access to a live picture of which container images are deployed in which namespaces and pods across your entire infrastructure — and a way to correlate that with vulnerability data.
Extend the same security workflows to source code. Use one set of policies, queries, and triage workflows across both images and the repositories they’re built from — no new toolchain, no separate concept model. The sources API brings the same SBOM and vulnerability analysis Anchore applies to container images to your source code repositories, with support for Syft-generated SBOMs as an import path.
Get vulnerability findings without leaving an analysis record behind. Ideal for lightweight integrations, throwaway checks, and pre-merge gates where a persistent analysis would be more noise than signal. The /vulnerability-scan endpoint accepts an SBOM and returns vulnerability findings immediately, with nothing stored in the system.
Deliver compliance artifacts on demand, in the format the asker needs. When a customer, auditor, or downstream system asks for a machine-readable SBOM or VEX document, you can generate and deliver it programmatically. Vulnerability findings, SBOMs, and VEX documents all export in industry-standard formats — CycloneDX JSON and XML, SPDX JSON, and OpenVEX — directly from the API.
Push triage decisions and false-positive fixes back into Anchore automatically. When your team accepts a risk, records a remediation, or determines a finding is a CPE-collision false positive, those decisions belong back in Anchore — not stuck in your ticketing system. The API lets you attach annotations to specific vulnerabilities on an image and submit CPE corrections, so the round trip closes without manual UI work.
Whether you’re a security engineer building executive dashboards, a platform team automating promotion gates, or a developer integrating vulnerability data directly into your ticketing system, the API meets you where you are.
Up Next
Next in the series: A Caucus-Race and a Long Tale — Working with SBOM Data. The cleanest way into the API for most teams is the thing Anchore does best — giving you a complete, queryable view of every package across every image you’ve scanned. We’ll walk through retrieving SBOMs, querying across ecosystems, and stitching the results into custom cross-image reports with a small amount of Python.
If you’re an Anchore Enterprise customer looking to build with the API, the Customer Success team is the fastest way to get unblocked — reach out through the Anchore Support Portal. If you’re not a customer yet but want to see what any of this looks like against your own images, request a demo and we’ll walk you through it.
*** This is a Security Bloggers Network syndicated blog from Anchore authored by Ben Lang. Read the original post at: https://anchore.com/blog/an-introduction-to-the-anchore-enterprise-api/

