When a new zero-day vulnerability hits the wires—think Log4j, XZ, or the recent IngressNightmare disclosure—the clock starts ticking for every DevSecOps and Security team. The immediate challenge isn’t just remediation; it is visibility. You need to know, within minutes, exactly where your software supply chain is exposed across thousands of container images.
This short blog provides the “fast path” with Anchore Enterprise to conduct rapid impact assessments when a zero-day is disclosed, even before a formal CVE record is fully published.
Step 1: Check Feed Freshness
First things first: make sure your vulnerability feeds are fresh.
Anchore Enterprise relies on a diverse set of vulnerability data sources to provide accurate matching. Your first move in a zero-day scenario is ensuring your deployment has the absolute latest intelligence. If you are in a connected environment, you can force a sync to pull down the newest signatures immediately:
# Force a feed sync (requires admin privileges)
anchorectl feed sync
# Verify the latest updates
anchorectl feed list

For air-gapped environments, this is the time to trigger your “sneaker-net” or cross-domain solution (CDS) process to refresh your vulnerability database (GrypeDB) using the anchorectl airgap feed commands. See here for more details.
Hunt by Vulnerability ID
If you already have a vulnerability identifier—whether it’s a standard CVE or a GitHub Security Advisory (GHSA)—you can leverage Anchore Enterprise’s native reporting and API queries to sweep your entire inventory.
While the UI provides an excellent Artifacts by Vulnerability report, the API and CLI are often faster for automation-focused teams. You can use the Query API to determine if the system is aware of the specific vulnerability and which images are impacted:
# Query vulnerabilities by ID across your inventory
curl -X 'GET' "https://my-anchore.example.com/v2/query/vulnerabilities?id=CVE-2025-XXXX" -H "accept: application/json"

Pivot to Package-Level Forensics
Zero-day disclosures often move faster than the databases that track them. If a CVE record hasn’t been created or updated yet, you can’t wait. You need to pivot your search to the specific package versions known to be vulnerable from early industry reports.
By searching for specific package names and versions across your stored SBOMs, you can identify exposure before the scanners even know there is a “vulnerability” to look for. For example, if you know a specific version of k8s.io/ingress-nginx is impacted:
# Search for images containing a specific package version
curl -X 'GET' "https://anchore.example.com/v2/query/images/by-package?name=k8s.io/ingress-nginx&version=v1.11.0"

Scope and Reporting
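As an added example of the package-level pivot described in the previous section (this is not code from the post or from Anchore's own tooling), the script below sweeps a constructed package inventory for versions inside an affected range and builds the by-package query URL from the post. The image names, version ranges and base URL are placeholders, and version comparison uses a simple semver-style parser.

```python
"""Sweep a stored package inventory (e.g. SBOM output) for a vulnerable version
range before any vulnerability feed carries a matching record."""
from urllib.parse import urlencode

# Constructed sample inventory: image reference -> (package name, version) pairs.
INVENTORY = {
    "registry.example.com/ingress:a1": [("k8s.io/ingress-nginx", "v1.11.0"),
                                        ("golang.org/x/net", "v0.23.0")],
    "registry.example.com/ingress:b2": [("k8s.io/ingress-nginx", "v1.12.1")],
    "registry.example.com/ingress:c3": [("k8s.io/ingress-nginx", "v1.11.5")],
}

# Illustrative affected ranges as (introduced, fixed) pairs, fixed version exclusive.
# Placeholder values, not the ranges of any real advisory.
AFFECTED_RANGES = [("v1.11.0", "v1.11.5"), ("v1.12.0", "v1.12.1")]


def parse_version(v):
    """'v1.11.0' -> (1, 11, 0). Pre-release and build metadata are dropped."""
    core = v.lstrip("v").split("-")[0].split("+")[0]
    return tuple(int(part) for part in core.split("."))


def is_affected(version, ranges):
    """True if version lies in any [introduced, fixed) range."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in ranges)


def find_exposed(inventory, package, ranges):
    """Return the sorted list of images shipping an affected version of package."""
    return sorted(image for image, pkgs in inventory.items()
                  for name, ver in pkgs
                  if name == package and is_affected(ver, ranges))


def by_package_query(base_url, name, version):
    """Build the by-package query URL shown in the post; urlencode escapes the
    slash in Go module paths such as k8s.io/ingress-nginx."""
    return f"{base_url}/v2/query/images/by-package?" + urlencode(
        {"name": name, "version": version})


if __name__ == "__main__":
    for image in find_exposed(INVENTORY, "k8s.io/ingress-nginx", AFFECTED_RANGES):
        print("exposed:", image)
    print(by_package_query("https://anchore.example.com",
                           "k8s.io/ingress-nginx", "v1.11.0"))
```

The fixed-version boundary is treated as exclusive, so an image already on the first patched release (v1.11.5 here) is not reported.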
When responding to a critical event, reporting is about more than just data—it’s about communication. Administrators can run these reports across all accounts to get a global view of the organization’s risk.
Once you’ve validated your results in the report preview, use the Save Report feature and select Generate immediately on save. This creates a point-in-time record of your exposure that can be shared with stakeholders or used to track remediation progress as developers push new, patched builds. You can also schedule regular follow-up reports as necessary.
Wrap-up
In a zero-day scenario, speed is your greatest differentiator. By treating your SBOMs as operational intelligence rather than just compliance artifacts, you can shift from reactive firefighting to strategic threat management in minutes, not months.

To dive deeper into advanced zero-day workflows, check out our full documentation or read up on how our internal Anchore security team tackled compromised NPM packages.