
Image Detail & Layer Analysis

Each scanned image gets a detail page that combines raw scan output with AI-assisted analysis to help you decide what to fix first.

Header. Image reference (registry/repo:tag), digest, scan timestamp, severity counts.

AI Analysis. A pre-computed Claude summary of the image’s risk posture and remediation priorities. See Container AI Analysis for details.

Layer breakdown. The image’s layers in order, each annotated with the packages it introduced and the CVEs found in those packages. Use this to identify whether issues come from your base image or your build steps.

Vulnerable packages. A flat list of every package with at least one CVE — package@version, fixed versions (if any), severity, layer.

Source correlations. When a vulnerable container package matches a dependency in one of your source projects, Vygl links the two. Click through to see whether this is a “real” deployed vulnerability or just something present in a build artifact. See Source ↔ Container Correlation.

Layers are displayed bottom-to-top: the base image is at the bottom, your application at the top. Use this to answer “where did this CVE come from?” without reading docker history output by hand:

  • Bottom layer. Your base image (debian:12, alpine:3.19, etc.). CVEs here are inherited; the fix is usually a base-image upgrade.
  • Middle layers. Package installs (apt-get install, pip install, npm install). CVEs are introduced by your install steps.
  • Top layers. Application code. Rarely has CVEs in its own packages, but node_modules or vendor/ might.

When base-image detection succeeds (around 70–80% of the time, depending on how much the image has been flattened or stripped; distroless and scratch-based images are the hardest to match), Vygl suggests an upgrade target that would reduce inherited CVEs. The recommendation is advisory: validate compatibility before upgrading a base image, since runtime libraries and entrypoints can shift between minor versions, and once you have validated a target, pin it by digest rather than by tag so the image you tested is the image you deploy.
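The two steps described above (detecting the base image from the layer stack, then attributing each CVE to the layer that introduced the affected package) can be shown end to end. The following is an added worked example, not Vygl's code: the `Layer` record, the `BASE_CATALOG` of known base-image layer digests, the `IMAGE_LAYERS` stack and the `CVES` list are all constructed sample data with placeholder CVE identifiers, and the approach of matching a known base by the longest prefix of layer diff_ids and classifying layers by their `created_by` instruction is an assumption about how a scanner might do it, not a description of Vygl's detector. It also handles two cases the layer view has to get right: a package upgraded in a later layer (the vulnerable version is in a lower tarball but not in the final filesystem) and a package purged in a later layer.

```python
"""Attribute container CVEs to image layers (added illustrative example, not Vygl's code)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class Layer:
    diff_id: str                      # sha256 of the uncompressed layer tar, as in the image config
    created_by: str                   # history entry, as `docker history --no-trunc` prints it
    # package name -> version introduced/changed in this layer; None means purged here.
    packages: Dict[str, Optional[str]] = field(default_factory=dict)


# Constructed catalog: base image reference -> ordered diff_ids of that base.
# A real scanner would populate this from registry manifests; the digests are fake.
BASE_CATALOG: Dict[str, List[str]] = {
    "debian:12": ["sha256:aaa1"],
    "debian:12-slim": ["sha256:bbb1"],
    "python:3.12-slim": ["sha256:bbb1", "sha256:ccc2", "sha256:ccc3"],
}

# Constructed image: python:3.12-slim plus one install layer and one COPY layer.
IMAGE_LAYERS: List[Layer] = [
    Layer("sha256:bbb1", "/bin/sh -c #(nop) ADD file:rootfs in /",
          {"libc6": "2.36-9", "openssl": "3.0.11-1", "zlib1g": "1.2.13"}),
    Layer("sha256:ccc2", "/bin/sh -c apt-get install -y ca-certificates",
          {"ca-certificates": "20230311"}),
    Layer("sha256:ccc3", "/bin/sh -c set -eux; make install python", {"python3": "3.12.1"}),
    Layer("sha256:ddd4", "/bin/sh -c apt-get install -y curl && apt-get purge -y ca-certificates",
          {"curl": "7.88.1-10", "openssl": "3.0.13-1", "ca-certificates": None}),
    Layer("sha256:eee5", "COPY . /app # buildkit", {"requests": "2.31.0"}),
]

# Constructed findings with placeholder identifiers: (cve id, package, affected version).
CVES: List[Tuple[str, str, str]] = [
    ("CVE-0000-0001", "openssl", "3.0.11-1"),        # superseded by the upgrade in layer 3
    ("CVE-0000-0002", "zlib1g", "1.2.13"),           # inherited from the base image
    ("CVE-0000-0003", "curl", "7.88.1-10"),          # introduced by a build step
    ("CVE-0000-0004", "requests", "2.31.0"),         # application dependency in the COPY layer
    ("CVE-0000-0005", "ca-certificates", "20230311"),  # purged in layer 3, absent from final fs
]


def detect_base_image(layers: List[Layer], catalog: Dict[str, List[str]]) -> Tuple[Optional[str], int]:
    """Longest catalogued diff_id prefix wins; returns (reference, number of inherited layers)."""
    ids = [layer.diff_id for layer in layers]
    best_ref, best_len = None, 0
    for ref, base_ids in catalog.items():
        n = len(base_ids)
        if n > best_len and ids[:n] == base_ids:
            best_ref, best_len = ref, n
    return best_ref, best_len


def effective_packages(layers: List[Layer]) -> Dict[str, Tuple[str, int]]:
    """Apply layers bottom-to-top: later layers override or remove earlier package versions."""
    effective: Dict[str, Tuple[str, int]] = {}
    for idx, layer in enumerate(layers):
        for name, version in layer.packages.items():
            if version is None:
                effective.pop(name, None)        # whiteout / purge in this layer
            else:
                effective[name] = (version, idx)
    return effective


def instruction_of(created_by: str) -> str:
    """Normalise a history entry to its Dockerfile keyword (assumed heuristic, legacy and BuildKit forms)."""
    text = created_by.strip()
    if text.startswith("/bin/sh -c #(nop) "):
        text = text[len("/bin/sh -c #(nop) "):]
    elif text.startswith("/bin/sh -c "):
        return "RUN"
    return text.split(None, 1)[0].upper()


def classify_layer(idx: int, layers: List[Layer], n_base: int) -> str:
    """base (inherited), application (COPY/ADD above the base) or build-step (everything else)."""
    if idx < n_base:
        return "base"
    return "application" if instruction_of(layers[idx].created_by) in ("COPY", "ADD") else "build-step"


def attribute_cves(layers: List[Layer], cves: List[Tuple[str, str, str]],
                   catalog: Dict[str, List[str]]) -> Tuple[Optional[str], List[dict]]:
    """Return the detected base reference and one attribution row per CVE."""
    base_ref, n_base = detect_base_image(layers, catalog)
    effective = effective_packages(layers)
    report = []
    for cve_id, pkg, affected in cves:
        row = {"cve": cve_id, "package": pkg, "status": "absent", "layer": None, "origin": None}
        if pkg in effective:
            version, idx = effective[pkg]
            # "superseded": the affected version sits in a lower tarball only; the final
            # filesystem carries a newer version from layer idx.
            row.update(status="present" if version == affected else "superseded",
                       layer=idx, origin=classify_layer(idx, layers, n_base))
        report.append(row)
    return base_ref, report


if __name__ == "__main__":
    base, rows = attribute_cves(IMAGE_LAYERS, CVES, BASE_CATALOG)
    print(f"detected base image: {base}")
    for row in rows:
        print(row)
```

The "superseded" and "absent" rows are the cases worth reading closely when a scanner flags a package: both mean the vulnerable file is in an intermediate layer tarball but not in the running container, which is exactly the build-artifact-versus-deployed distinction the Source correlations section is about.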

Each finding on the detail page has the same triage controls as a source finding — mark false_positive, ignored, or fixed, with optional comments and AI verification. See Triage States & Lifecycle.