Image Detail & Layer Analysis
Each scanned image gets a detail page that combines raw scan output with AI-assisted analysis to help you decide what to fix first.
Anatomy of the page
Section titled “Anatomy of the page”Header. Image reference (registry/repo:tag), detected OS (e.g. debian:12), severity chips, fixable count, project name, and “scanned X ago”.
AI Analysis. A pre-computed summary of the image’s risk posture and remediation priorities, written by your configured LLM. See Container AI Analysis for details.
Layer breakdown. The image’s layers in order, each annotated with the packages it introduced and the CVEs found in those packages. Layers attributed to the base image (via osv-scanner’s base_image_index heuristic) are flagged so you can tell inherited issues from build-introduced ones.
Vulnerable packages. Two side-by-side tables — OS Packages and App Packages — each grouping CVEs per package, plus a separate flat All Vulnerabilities table at finding grain (one row per CVE).
Source correlations. When a vulnerable container package shares a CVE with a dependency in one of your source projects, Vygl links the two. Click through to see whether this is a “real” deployed vulnerability or just something present in a build artifact. See Source ↔ Container Correlation.
Reading the layer view
Section titled “Reading the layer view”Layers are displayed bottom-to-top — the base image is at the bottom, your application at the top. Use this to answer “where did this CVE come from?” without manual docker history:
- Base layers (flagged). Your base image (
debian:12,alpine:3.19, etc.). CVEs here are inherited; the fix is usually a base-image upgrade. - Middle layers. Package installs (
apt-get install,pip install,npm install). CVEs are introduced by your install steps. - Top layers. Application code. Rarely has CVEs in its own packages, but
node_modulesorvendor/might.
Base-image upgrade prompt
Section titled “Base-image upgrade prompt”When the base layer carries a meaningful share of the image’s CVEs, the detail page shows a prominent callout — “Upgrading the base image would resolve N of M vulnerabilities.” Vygl flags the impact but does not currently propose a specific upgrade target image; always validate compatibility before swapping a base, since runtime libraries and entrypoints can shift between minor versions.
Triage in the same flow
Section titled “Triage in the same flow”Each finding on the detail page has the same triage controls as a source finding — mark false_positive, ignored, or fixed, with optional reasons and AI verification. See Triage States & Lifecycle.