
Container AI Analysis

After a container scan, Vygl runs a one-shot AI analysis that produces a markdown summary: overall risk posture, the few CVEs worth fixing first, and a base-image swap suggestion when one would materially reduce inherited vulnerabilities. The result is cached per image digest, so re-scanning the same image returns the cached analysis instantly.

A typical Container AI Analysis has four sections:

| Section | Content |
| --- | --- |
| Overall risk | A short paragraph framing the image’s posture — high/medium/low risk and why. |
| Priorities | The 3–5 specific CVEs or packages that should be addressed first, with reasoning. |
| Base image recommendation | If detection succeeded and a clearly-safer base exists, a concrete suggestion (e.g. “Upgrade from debian:11.6 to debian:12.5 to clear N CVEs”). |
| Remediation steps | Practical next steps — base-image upgrade, package upgrade, removal of unused packages, layer reordering. |

The analysis is keyed on a fingerprint that combines the image digest with the top findings. Re-scanning the same image (same digest) returns the cached sections blob — no LLM call. Pushing a new tag with a new digest triggers re-analysis automatically.

If you’d rather see the analysis token-by-token (in the AI Consultation chat or programmatically), the streaming endpoint is at:

GET /containers/images/ai-analysis/stream?image_ref=...

Returns a Server-Sent Events stream with each section as it generates.
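For consuming the stream programmatically, the following added example (not Vygl's own client code) parses a Server-Sent Events body according to the standard SSE framing rules and reassembles the per-section text. The event names (`section`, `done`) and the JSON shape of each `data:` line are assumptions; the page does not document them, so check them against the actual stream before relying on this.

```python
"""Added example (not Vygl's code): minimal SSE parser for the
/containers/images/ai-analysis/stream endpoint. Event names and the
JSON data shape are assumed, not taken from the documentation."""
import json

# Constructed sample stream body, as a client would read it over HTTP.
SAMPLE_STREAM = (
    ": keep-alive\n\n"                                   # comment line, ignored
    "event: section\n"
    'data: {"name": "overall_risk", "delta": "High risk: "}\n\n'
    "event: section\n"
    'data: {"name": "overall_risk", "delta": "3 critical CVEs."}\n\n'
    "event: section\n"
    'data: {"name": "priorities", "delta": "Fix openssl first."}\n\n'
    "event: done\n"
    "data: {}\n\n"
)


def parse_sse(text):
    """Yield (event, data) pairs following SSE framing: a blank line ends an
    event, lines starting with ':' are comments, multiple data: lines join
    with a newline, and a single leading space after 'data:' is stripped."""
    event, data_lines = "message", []
    for line in text.split("\n"):
        if line == "":
            if data_lines:                       # empty data buffer: nothing to dispatch
                yield event, "\n".join(data_lines)
            event, data_lines = "message", []
        elif line.startswith(":"):
            continue
        elif line.startswith("event:"):
            event = line[len("event:"):].strip()
        elif line.startswith("data:"):
            value = line[len("data:"):]
            if value.startswith(" "):
                value = value[1:]
            data_lines.append(value)


def assemble_sections(text):
    """Concatenate streamed deltas into one string per analysis section."""
    sections = {}
    for event, data in parse_sse(text):
        if event == "done":
            break
        if event == "section":
            payload = json.loads(data)           # assumed shape: {"name": ..., "delta": ...}
            sections[payload["name"]] = sections.get(payload["name"], "") + payload["delta"]
    return sections


if __name__ == "__main__":
    for name, body in assemble_sections(SAMPLE_STREAM).items():
        print(f"{name}: {body}")
```

The parser deliberately tolerates comment lines and unknown event types, since keep-alive comments and new event kinds are the usual ways an SSE endpoint evolves without breaking older clients.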

Before calling Claude, Vygl pre-aggregates findings into a structured summary — severity counts, fixable counts, top vulnerable packages, OS vs application split, trend delta from the previous scan. Claude works from this summary plus a per-image fingerprint of the worst findings, not from a raw 200-finding table. This keeps the input small enough to fit in token budgets while still giving the model the data it needs to prioritize.
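The two mechanisms described above, pre-aggregation into a compact summary and a digest-plus-top-findings fingerprint that keys the cache, are illustrated in the following added example. It is not Vygl's implementation: the finding fields (`cve`, `pkg`, `severity`, `fixed_in`, `layer`), the sample findings, the severity ranking and the cache class are all constructed here to show the shape of the approach.

```python
"""Added example (not Vygl's code): aggregate scan findings into a small
structured summary, fingerprint the image on digest + worst findings, and
serve repeat scans from cache without a model call. Field names assumed."""
import hashlib
import json
from collections import Counter

SEVERITY_RANK = {"CRITICAL": 4, "HIGH": 3, "MEDIUM": 2, "LOW": 1}

# Constructed sample findings (placeholder CVE ids, not real scan output).
FINDINGS = [
    {"cve": "CVE-0000-0001", "pkg": "openssl", "severity": "CRITICAL", "fixed_in": "3.0.9", "layer": "os"},
    {"cve": "CVE-0000-0002", "pkg": "openssl", "severity": "HIGH", "fixed_in": "3.0.9", "layer": "os"},
    {"cve": "CVE-0000-0003", "pkg": "libxml2", "severity": "HIGH", "fixed_in": None, "layer": "os"},
    {"cve": "CVE-0000-0004", "pkg": "requests", "severity": "MEDIUM", "fixed_in": "2.31.0", "layer": "app"},
    {"cve": "CVE-0000-0005", "pkg": "pyyaml", "severity": "LOW", "fixed_in": None, "layer": "app"},
]


def aggregate(findings, previous_total=None, top_n=3):
    """Build the structured summary the model sees instead of a raw findings table."""
    severity = Counter(f["severity"] for f in findings)
    fixable = sum(1 for f in findings if f["fixed_in"])
    by_pkg = Counter(f["pkg"] for f in findings)
    os_count = sum(1 for f in findings if f["layer"] == "os")
    summary = {
        "total": len(findings),
        "severity_counts": dict(severity),
        "fixable": fixable,
        "top_packages": by_pkg.most_common(top_n),
        "os_vs_app": {"os": os_count, "app": len(findings) - os_count},
    }
    if previous_total is not None:
        summary["trend_delta"] = len(findings) - previous_total   # change since last scan
    return summary


def top_findings(findings, n=5):
    """Worst findings first: by severity rank, then CVE id so the order is stable."""
    ranked = sorted(findings, key=lambda f: (-SEVERITY_RANK.get(f["severity"], 0), f["cve"]))
    return [f["cve"] for f in ranked[:n]]


def fingerprint(digest, findings):
    """Cache key combining the image digest with the ids of the worst findings."""
    payload = json.dumps({"digest": digest, "top": top_findings(findings)}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()


class AnalysisCache:
    """Return the cached sections for a known fingerprint; otherwise analyze once."""

    def __init__(self, analyze):
        self._analyze = analyze      # callable(summary) -> sections; the LLM call in practice
        self._store = {}
        self.llm_calls = 0

    def get(self, digest, findings, previous_total=None):
        key = fingerprint(digest, findings)
        if key not in self._store:
            self.llm_calls += 1
            self._store[key] = self._analyze(aggregate(findings, previous_total))
        return self._store[key]


def fake_analyze(summary):
    """Stand-in for the model call: derives a risk label and priorities from the summary."""
    risk = "high" if summary["severity_counts"].get("CRITICAL") else "medium"
    return {"overall_risk": risk, "priorities": summary["top_packages"]}


if __name__ == "__main__":
    cache = AnalysisCache(fake_analyze)
    digest = "sha256:" + "0" * 64                       # placeholder digest
    print(cache.get(digest, FINDINGS, previous_total=7))
    cache.get(digest, FINDINGS)                          # same digest: served from cache
    print("model calls:", cache.llm_calls)
```

Keying on the worst findings as well as the digest means a changed vulnerability database (new critical CVE published against an unchanged image) also produces a fresh analysis, while a plain re-scan of the same image stays a cache hit.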