Container Security Scan Analyzer

Image reference:

Use the exact image tag or digest from the scan job when available.

Gate profile:

Choose release blocking, base-image refresh, or triage language for the exported brief.

Critical limit:

Use 0 for a zero-critical policy.

critical

High limit:

Set the number of high-severity findings tolerated before the release gate blocks.

high

Parser preference:

Leave on Auto for mixed CI artifacts; choose a scanner when the same source could be read multiple ways.

Runtime package patterns:

Add runtime-critical package context such as openssl, glibc, libssl, curl, java, or log4j.

Scan output:

Paste one scan result or load a local report file; the analyzer keeps the work in the browser.

Review scan input

{{ error }}

Queue rows:

Show the highest-pressure findings first.

rows

Gate only fixable findings:

Use this when policy blocks only findings with a listed remediation path.

{{ header }}	Copy
{{ cell }}
{{ emptyTableTitle(tab.key) }} {{ emptyTableNote(tab.key) }}

No fixability pressure to chart

Paste scan output with vulnerability rows or load the sample report to render the severity chart.

Embed:

Customize

Include current inputs

Size

Advanced

Width

Height

Aspect ratio

Max height

Collapsible embed

Allow fullscreen

Referrer policy

Sandbox tokens

A container image can pass through a build system in seconds, but the security review behind that promotion depends on slower evidence: which operating-system packages and application dependencies were found, which advisories apply to those versions, and whether the scanner listed an update path. A container vulnerability report is the raw record of that evidence. It usually names the image or artifact scanned, the vulnerable package, the installed version, the advisory ID, a severity label, and sometimes a fixed version or vendor status.

The difficult part is not only counting vulnerabilities. Scanner reports can mix operating-system packages with language dependencies, repeat the same finding across targets, omit fixed versions, or use different names for the same basic fields. Trivy, Grype, Snyk, SARIF-producing scanners, and CSV exports can all describe the same risk in different shapes. A useful review turns those rows into consistent findings before comparing them with a release policy.

Advisory: The CVE, GHSA, vendor bulletin, or scanner rule that identifies the known weakness.
Package: The OS package or dependency version that the scanner matched to the advisory.
Fix state: Whether the report names a fixed version, says the issue is not fixed, marks it as unknown, or indicates that maintainers will not fix it.
Target: The image, filesystem area, manifest, or artifact location where the finding was reported.

Release gates usually focus on critical and high findings because those labels are meant to represent the most serious technical severity. That does not make every critical row equally exploitable in the running service. A vulnerable library may be present but unreachable, a package may be inherited from a base image, or a vendor may publish severity data that differs from another source. The gate is a policy checkpoint, not a complete threat model.

Container scan review flow from raw report to normalized findings, gate counts, and remediation queue.

Fixability changes the first follow-up. A high finding with a fixed package version can move into a patch branch, while an unfixed critical advisory may need a waiver, base-image replacement, vendor monitoring, or a different compensating control. Runtime context matters too. A match on openssl, glibc, curl, java, or another service-critical package usually deserves faster ownership checks than a package that is present but not used by the workload.

A clean gate does not prove that an image is safe, and a blocked gate does not prove that every listed finding is exploitable. The practical goal is a defensible triage brief: normalized findings, counted critical and high rows, clear parser evidence, and a remediation order that a security or platform team can verify against its own policy.

How to Use This Tool:

Use the report, artifact label, and gate thresholds that match the release, base-image refresh, or triage review you are documenting.

Enter the image tag, digest, artifact name, or build label in Image reference. The same label appears in Gate Snapshot so the result can be tied back to the scanned artifact.
Choose Gate profile for the review. Release gate uses promotion wording, Base image refresh frames the result around replacement work, and Triage only avoids release-blocking language.
The profile changes decision wording and recommended actions. It does not change the numeric Critical limit or High limit.
Set Critical limit and High limit to match the written policy. The gate uses those fields to build Critical gate count and High gate count.
The gate blocks only when a count is greater than its limit. A High gate count of 2 / 2 is still within the limit.
Paste the scanner report into Scan output, drop a local report file, browse for a file, or load the sample. The status badge should change from an empty source to the detected report shape and character count.
The report text is parsed in the browser. A local file above the 4 MB browser-side limit is rejected before it is loaded into Scan output.
Select Parser preference when Auto-detect does not match the report shape. Use Trivy JSON, Grype JSON, Snyk JSON, SARIF JSON, or CSV rows, then check Parser Evidence Ledger for the detected shape and warning row.
If Review scan input reports no vulnerability rows, re-export the scan as one complete JSON/SARIF report or add clear CSV headers before using the gate decision.
Add Runtime package patterns when package-name fragments such as openssl, glibc, libssl, curl, java, or log4j should push matching rows higher in Remediation Queue.
Open Advanced only when the default queue or gate policy needs to change. Queue rows changes the visible queue length, and Gate only fixable findings removes unfixed, unknown, and won't-fix rows from the critical/high gate counts while keeping them visible.
Review the summary status, Gate Snapshot, and Parser Evidence Ledger before sharing the result. The evidence is ready when the parser warning row is acceptable, the gate counts match policy, and Remediation Queue gives the next package-level actions.

Interpreting Results:

Gate decision is the first result to read, but it is only a threshold decision. Release blocked, Refresh required, and Escalate triage mean the counted critical or high findings exceeded the configured limits. Gate clear and Triage within policy mean the counts stayed within those limits, not that the image has no security risk.

Critical gate count and High gate count use a strict greater-than check. A value of 1 / 0 blocks because one critical finding is greater than a zero-critical limit. A value of 2 / 2 does not block until another high finding appears. If Gate only fixable findings is on, the gate counts can be lower than the total critical and high rows in Severity Ledger.

Severity Ledger shows the total, fixable, no-listed-fix, runtime-hit, and gate-signal view by severity.
Remediation Queue sorts findings by severity weight, fixability, runtime package match, gate severity, and numeric severity score when available.
Parser Evidence Ledger explains the source shape, normalized row count, duplicate removals, queue cap, gate mode, and parser warnings.
Fixability Pressure Chart helps compare which severity groups have update paths versus no listed fix.

Verify the scanner source data before assigning work. High severity does not prove runtime exploitability, and a missing fixed version does not make a row harmless. Confirm package ownership, runtime use, waiver status, and rebuild impact before treating the queue as final.

Technical Details:

Container vulnerability triage begins with a report that has already been produced by a scanner. The analysis here does not pull an image, contact a vulnerability database, or run a new scan. It reads the supplied report text, converts scanner-specific records into normalized findings, removes exact duplicates, applies optional gate filtering, and builds review tables from that normalized set.

A normalized finding keeps the advisory ID, package name, installed version, fixed version, severity, target, package type, title, source, URL, numeric severity score when present, and fix state together. This makes counts and sorting comparable even when the original report came from different scanner families or from CSV.

Transformation Core

Parser selection starts with the requested source type. In auto mode, scanner-specific JSON shapes are tried before generic JSON and CSV fallback. The first shape that produces vulnerability rows becomes the detected source shape.

Supported container scan source shapes and cautions
Source shape	Evidence normalized	Common caution
Trivy JSON	Targets, vulnerability IDs, package names, installed versions, fixed versions, status, severity, titles, URLs, and CVSS-style scores.	Some optional fields can be blank even when the vulnerability row itself is valid.
Grype JSON	Vulnerability records, artifact names and versions, target labels, fix states, fixed-version lists, severity, and data-source links.	Ignored or filtered matches depend on how the original scan was exported.
Snyk JSON	Vulnerability IDs, package names, package versions, fixed-in values, severity, titles, target files or images, and CVSS-style scores.	Computed remediation can be absent when Snyk cannot safely propose a fix for the project context.
SARIF JSON	Rules, results, messages, artifact locations, vulnerability-like properties, severity hints, and package fields when scanners include them.	SARIF is a broad interchange format, so security detail depends on scanner-specific properties inside the report.
CSV rows	Finding ID, package, severity, fixed version, title, target, installed version, and package type from headers or positional columns.	Headerless CSV can be misread when the column order differs from the expected order.
Generic JSON	Arrays of vulnerability-like records or package records that contain nested vulnerability entries.	Generic parsing is useful for simple exports but gives less source-specific assurance than a recognized scanner shape.

Rule Core

The gate is based on normalized findings after duplicate removal. Duplicate findings are matched by advisory ID, package name, installed version, and target. That prevents repeated rows from inflating counts while keeping distinct targets or versions separate.

Container scan gate and normalization rules
Rule	Boundary	Effect
Severity from label	Recognized labels map to critical, high, medium, low, negligible, or unknown.	Scanner-provided labels take priority when present.
Severity from score	Numeric scores map to critical at `9.0` to `10.0`, high at `7.0` to `8.9`, medium at `4.0` to `6.9`, and low above `0`.	Missing or unfamiliar severity data remains unknown.
Fixable finding	A fixed version is listed or the source state indicates that a fix is available.	The row receives fix-oriented action wording and can count in fixable-only gate mode.
Critical gate	`Critical gate count` > `Critical limit`.	The selected profile blocks release, requires refresh, or escalates triage.
High gate	`High gate count` > `High limit`.	The same strict greater-than rule applies to high findings.
Fixable-only gate	`Gate only fixable findings` is on.	Unfixed, unknown, and won't-fix findings stay visible but do not count against critical or high limits.

Priority Score

The remediation queue uses a deterministic score to sort findings. The score is a triage aid only; it is not a substitute for reachability analysis, waiver review, or application testing.

Priority score = severity weight + fixable bonus + runtime bonus + gate-severity bonus + \min (10, numeric severity score)

Container scan priority score components
Component	Value	When it applies
Severity weight	50, 30, 12, 4, 1, or 6	Critical, high, medium, low, negligible, or unknown severity respectively.
Fixable bonus	+7	A fixed version or fixed state is present.
Runtime bonus	+8	The package name matches a runtime package pattern supplied for the review.
Gate-severity bonus	+4	The finding is critical or high severity.
Numeric score addend	0 to 10	A numeric severity score from the report is capped at 10; missing scores add 0.

Remediation queue priority bands
Priority label	Score boundary	Typical meaning
Release blocker	>= 64	Fix, waive, or replace before promotion when the row matches policy.
Patch branch	>= 42 and < 64	Prepare a focused update branch or base-image rebuild.
Security queue	>= 22 and < 42	Keep visible for scheduled remediation and owner assignment.
Maintenance	>= 10 and < 22	Fold into the next dependency or image refresh.
Track	< 10	Monitor until source data, fix state, or package context changes.

For example, a critical finding with a fixed version and a numeric score of 9.8 receives 50 + 7 + 4 + 9.8, or 70.8, before any runtime bonus. That places it in the release-blocker band. A critical finding with no fix and no numeric score receives 50 + 4, or 54, which keeps it high in the queue but signals a different follow-up: waiver, vendor status, base-image replacement, or compensating-control review.

Limitations and Privacy Notes:

The supplied scan text is parsed in the browser. Normal site assets may still load, but the pasted report or selected local file is not uploaded by the analyzer. Treat scanner reports as sensitive anyway because they can reveal image names, package versions, dependency choices, and internal build labels.

Scanner databases, vendor advisories, and fixed-version data can change after the original scan was produced.
A gate result does not verify exploitability, reachability, runtime use, or the presence of compensating controls.
Fixability does not prove that applying the update is safe for the application. Rebuild and test the image before promotion.
CSV and generic JSON parsing depend on clear field names or predictable column order. Review parser evidence before trusting those outputs.
Fixable-only gate mode should match written policy. Otherwise, critical unfixed advisories can look nonblocking by mistake.

Advanced Tips:

Pin Parser preference to the scanner that produced the report when auto-detect falls back to generic JSON or CSV. Recognized scanner shapes usually preserve package, target, fix-state, and severity evidence better.
Use Runtime package patterns as short package-name fragments, not severity filters. They add a queue priority bump to matching package names while leaving the severity counts unchanged.
Turn on Gate only fixable findings only when the policy explicitly blocks on fixable critical and high findings. The excluded rows still need waiver, vendor-status, or base-image review in Severity Ledger.
Raise Queue rows when the visible remediation table is too short for review. The exported JSON keeps the full normalized queue even when the table shows only the highest-pressure rows.
Attach Gate Snapshot and Parser Evidence Ledger together when sharing a release decision. The first shows the policy result, and the second shows whether the report shape and duplicate removal were trustworthy.
Use Fixability Pressure Chart to compare severity groups, not to assign individual package owners. Package-level assignment belongs in Remediation Queue.

Worked Examples:

These cases show how gate thresholds, fixability, parser shape, and queue ordering change the next action.

Release image with critical findings

A Trivy report for registry.example.com/orders:2.8.0 contains two critical findings, one high finding, and one medium finding. With Critical limit set to 0, High limit set to 2, and Gate only fixable findings off, Gate decision becomes Release blocked; Gate Snapshot shows Critical gate count as 2 / 0 and High gate count as 1 / 2. The fixable critical row is the first package to patch, while the no-fix critical row needs waiver, vendor-status, or base-image review.

High findings exactly at the limit

A Grype report for registry.example.com/api@sha256:abcd has zero critical findings and exactly two high findings. With High limit set to 2, Gate decision stays Gate clear because the high count has not exceeded the limit. If the next scan adds one more high finding, High gate count changes from 2 / 2 to 3 / 2, and the release profile blocks.

Fixable-only base-image policy

A base-image scan has one critical advisory with no listed fix, one high advisory fixed in a newer package, and a medium row. With Gate only fixable findings on, Critical gate count can read 0 / 0 while the high fixed row still counts. If High limit is 0, the base-image profile returns Refresh required; Severity Ledger still keeps the critical no-fix advisory visible for vendor-status or image-replacement review.

CSV report with unclear columns

A copied CSV contains package, installed version, severity, vulnerability, fixed version, and target columns, but no header row. The parser can assign values to the wrong fields because headerless CSV depends on column order. Adding a header row with vulnerability, package, severity, fixed version, target, and installed version lets Parser Evidence Ledger show a more trustworthy normalized finding count before the gate result is used.

FAQ:

Does this scan a container image?

No. It analyzes scanner output that already exists. Run your preferred scanner first, then paste or load the resulting JSON, SARIF, CSV, or text export.

Why did a high count at the limit not block?

The gate uses a strict greater-than rule. A high count of 2 with High limit set to 2 stays within policy. A count of 3 exceeds that limit.

What should I do when no vulnerability rows are found?

Confirm that the pasted text is one complete report, choose the expected Parser preference, and check Parser Evidence Ledger. For CSV, add clear headers for vulnerability, package, severity, fixed version, target, and installed version.

Does gate clear mean the image is safe?

No. It means critical and high counts are within the configured limits. Medium findings, unknown fix states, runtime exposure, stale scanner data, and accepted-risk records still need normal review.

Can private scan reports be reviewed here?

The report text is parsed in the browser, but scan output can contain sensitive image names, package versions, and internal artifact labels. Avoid sharing exported results outside the team that is allowed to see that build evidence.

Glossary:

Container image: A packaged filesystem and configuration used to run an application or service in a container runtime.
Normalized finding: A scanner row converted into a consistent advisory, package, version, severity, target, and fix-state record.
Release gate: A policy checkpoint that compares counted findings with configured thresholds before promotion.
Fixable finding: A finding with a listed fixed version or source state that indicates an update path exists.
Runtime priority hit: A finding whose package name matches one of the optional runtime package patterns.
Parser evidence: The detected source shape, normalized finding count, duplicate count, gate mode, queue cap, and warnings behind the result.

References:

Reporting, Trivy documentation.
Vulnerability scanning, Trivy documentation.
Grype command line reference, Anchore Open Source documentation.
snyk test command, Snyk User Docs.
SARIF Version 2.1.0, OASIS Open.
CVSS v3.1 specification document, FIRST.