Skip to content

Container AI Analysis

After a container scan, Vygl runs a one-shot AI analysis that produces a markdown summary: overall risk posture, the few CVEs worth fixing first, and base-image guidance when an upgrade would materially reduce inherited vulnerabilities. The result is cached against the image’s open-finding state, so re-scanning the same image with the same findings returns the cached analysis instantly.

A typical Container AI Analysis has four sections:

SectionContent
Overall riskA short paragraph framing the image’s posture — high/medium/low risk and why.
PrioritiesThe 3–5 specific CVEs or packages that should be addressed first, with reasoning.
Base image guidanceWhen the base layer carries a meaningful share of the image’s CVEs, a callout describing the impact of upgrading. The summary names the impact, not a specific target image — confirm a concrete upgrade target before swapping.
Remediation stepsPractical next steps — base-image upgrade, package upgrade, removal of unused packages, layer reordering.

The analysis is keyed on a hash over the image’s open-finding fingerprints. Re-scanning the same image returns the cached sections blob — no LLM call. New findings (or a digest change that brings new findings) invalidate the cache and trigger re-analysis.

If you’d rather see the analysis token-by-token (in the AI Consultation chat or programmatically):

GET /containers/images/ai-analysis/stream?image_ref=...&force=false

Returns a Server-Sent Events stream with each section as it generates. Pass force=true to bypass the cache and re-run the LLM unconditionally.

Before calling the LLM, Vygl pre-aggregates findings into a structured summary — severity counts, fixable counts, top vulnerable packages, OS vs application split, trend delta from the previous scan. The model works from this summary plus a fingerprint of the worst findings, not from a raw 200-finding table. This keeps the input small enough to fit in token budgets while still giving the model the data it needs to prioritize.