Security check

Container vulnerabilities: know which CVEs can actually be exploited

A container image inherits every vulnerability in its base layer and packages. We scan your images, rank the CVEs by real exploitability and show which are worth fixing first.

Run a free domain scan All checks β†’
Relates to: NIS2 Β· art. 21 β€” vulnerability handling ISO 27001 Β· A.8.8 technical vulnerabilities SOC 2 Β· CC7.1 CIS Β· Docker/Kubernetes Benchmark

What we check

We scan your container images against multiple vulnerability databases (OS packages and application dependencies) with Trivy and surface the most serious. Exploitability prioritisation with CISA KEV and EPSS is provided via our Threat Radar module (optional).

Why it matters

Most images lag on an old base layer full of CVEs, but the vast majority are noise. The value is separating the few that are actively exploited or have high exploit probability β€” and our Threat Radar module adds that KEV/EPSS signal on top of the Trivy findings.

How Security Guru tests it

Common mistakes

  • Treating 'zero CVEs' as the goal and drowning in noise instead of prioritising
  • Running on a base layer not updated in months
  • Fixating on a CVSS 9.8 that is never reachable in your deployment
  • No automatic rebuild when the base layer gets a fix

What you get in the report

  • CVEs per image, ranked by severity (KEV/EPSS via Threat Radar)
  • Prioritised by severity, not just the CVSS number
  • Recommended base-image upgrade with the biggest impact
  • Mapping to NIS2 vulnerability handling / ISO A.8.8

FAQ

How do you separate dangerous CVEs from noise?

We rank against CISA KEV and EPSS via our Threat Radar engine β€” actively exploited and high-probability first, the rest deprioritised.

Do we have to give you our images?

No β€” scanning can run self-hosted in your pipeline; only the result needs sharing.

Do you cover both OS and app dependencies?

Yes β€” both system packages in the base layer and language dependencies (npm, pip, Go, etc.).

Want to know your status?

Run a free scan or order a full Security Assessment β€” prioritised, not noise.

Run a free domain scan