Vulnerability Intelligence
Base-image Lineage & Blast Radius
Group your fleet by base OS — patch once, clear many.
Portal → Inventory → Base images groups every licensed image by the base OS it derives from (e.g. alpine-3.22, debian-13-trixie-slim), sorted by blast radius.
Why it matters
When a base ships a CVE — an Alpine openssl fix, a Debian busybox patch — it propagates to every image on that base. The lineage view frames it the way a platform team plans around it:
"5 images share alpine-3.22 — patch the base once, clear all 5."
Each base group shows:
- Image count — the blast radius
- Shared OS packages — the common attack surface across the group
- Footprint — total compressed size
- Severity rollup — critical/high/medium across the group
Expand a group to see its derived images with per-image size and CVE counts, and click through to any of them.
Grouping is only as clean as the baseOs label captured at scan time. If you see both debian-12-slim and debian-12-bookworm (the same base under two names), that's a labeling drift worth normalizing.
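The grouping and the drift check described above can be reproduced offline against exported scan data. This is an added example, not the portal's own code: the record fields, the `img` helper and the normalization rule in `base_key` (distro plus first version token) are assumptions, and the inventory is constructed sample data.

```python
from collections import defaultdict

SEVERITIES = ("critical", "high", "medium")

def img(name, base_os, size_mb, packages, critical, high, medium):
    """Build one scan record (hypothetical shape, not the portal's schema)."""
    return {"image": name, "baseOs": base_os, "size_mb": size_mb,
            "packages": set(packages),
            "cves": {"critical": critical, "high": high, "medium": medium}}

# Constructed sample inventory; size_mb stands for compressed size.
INVENTORY = [
    img("api", "alpine-3.22", 12, ["musl", "busybox", "openssl", "curl"], 1, 2, 0),
    img("worker", "alpine-3.22", 15, ["musl", "busybox", "openssl"], 1, 1, 3),
    img("cron", "alpine-3.22", 9, ["musl", "busybox", "openssl", "tzdata"], 0, 2, 1),
    img("web", "debian-12-slim", 48, ["libc6", "libssl3", "bash"], 0, 3, 5),
    img("batch", "debian-12-bookworm", 52, ["libc6", "libssl3", "perl-base"], 1, 1, 2),
    img("gw", "debian-13-trixie-slim", 40, ["libc6", "libssl3t64"], 0, 0, 1),
]

def base_key(label):
    """Assumed normalization: distro plus first version token (debian-12-slim -> debian-12)."""
    return "-".join(label.strip().lower().split("-")[:2])

def lineage(inventory):
    """Group images by normalized base, largest blast radius first."""
    groups = defaultdict(list)
    for rec in inventory:
        groups[base_key(rec["baseOs"])].append(rec)
    report = []
    for base, recs in groups.items():
        labels = sorted({r["baseOs"] for r in recs})
        report.append({
            "base": base,
            "image_count": len(recs),
            "shared_packages": sorted(set.intersection(*(r["packages"] for r in recs))),
            "footprint_mb": sum(r["size_mb"] for r in recs),
            "severity": {s: sum(r["cves"][s] for r in recs) for s in SEVERITIES},
            # More than one raw label under one normalized base is drift to review.
            "label_drift": labels if len(labels) > 1 else [],
        })
    return sorted(report, key=lambda g: (-g["image_count"], g["base"]))

if __name__ == "__main__":
    for group in lineage(INVENTORY):
        print(group)
```

Without the normalization step, the two debian-12 images would appear as two groups of one, understating the blast radius of a Debian 12 base fix.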