PodArmor docs
Vulnerability Intelligence

Base-image Lineage & Blast Radius

Group your fleet by base OS — patch once, clear many.

Portal → Inventory → Base images groups every licensed image by the base OS it derives from (e.g. alpine-3.22, debian-13-trixie-slim), sorted by blast radius.

Why it matters

When a base ships a CVE — an Alpine openssl fix, a Debian busybox patch — it propagates to every image on that base. The lineage view frames it the way a platform team plans around it:

"5 images share alpine-3.22 — patch the base once, clear all 5."

Each base group shows:

  • Image count — the blast radius
  • Shared OS packages — the common attack surface across the group
  • Footprint — total compressed size
  • Severity rollup — critical/high/medium across the group

Expand a group to see its derived images with per-image size and CVE counts, and click through to any of them.

Grouping is only as clean as the baseOs label captured at scan time. If you see both debian-12-slim and debian-12-bookworm (the same base under two names), that's a labeling drift worth normalizing.

On this page