Source ↔ Container Correlation
When the same project scans both as source code (SCA) and as a container image, Vygl links findings that share a CVE. If a lodash CVE is flagged on both your source package-lock.json and inside /app/node_modules of your container, Vygl ties the two findings — a high-confidence signal that the CVE is actually deployed, not just theoretical.
How matches are computed
Section titled “How matches are computed”Vygl matches on two facts:
- Package name — exact equality between the SCA finding’s
package_nameand the container finding’spackage_name. - At least one shared CVE ID — non-empty intersection between the two findings’
cve_ids.
When both line up, the SCA and container findings are linked. They remain separate rows (each has its own triage state and AI verdict) — the link is metadata. Ecosystem and package version are not part of the match today, so the linkage is “this package is named the same in both worlds and they share at least one advisory” rather than “the exact same artifact.”
Where to find correlations
Section titled “Where to find correlations”Image detail. The image detail page has a Source Correlations section listing every match for that image, grouped by source project.
API. GET /containers/correlations/{project_id} returns correlations from the project side; this isn’t surfaced as a panel on the project detail page yet, but AI assistants can call it via MCP (get_container_correlations).
Why correlation matters
Section titled “Why correlation matters”Container scans tend to be noisy: a base image might have 200 CVEs, of which only a handful are in packages your code actually uses. Source ↔ container correlation surfaces the subset that’s both in your code and deployed in your image — the highest-priority subset for triage.
A few practical use cases:
- “Which CVEs are reachable in production?” — start with the correlations.
- “Is this base-image CVE actually a problem for us?” — if it doesn’t correlate to a source dep with a shared CVE, your code isn’t using a vulnerable version of that package.
- “Did my npm upgrade actually ship?” — re-scan the container; if the prior correlation drops off, the upgrade landed in the image.