Vulnerability Intelligence
Software Inventory
Every package across your fleet, its license, and the CVEs that touch it.
Portal → Inventory → Packages inverts the usual image→package view: for every package across the latest version of each licensed image, it shows which images ship it, at what version, under what license, and how many CVEs touch it.
Package drill-down
Search any package (or license) and expand a row to see exactly which images ship it and where — click through to any image. This is your blast-radius view: when a package has a CVE, you immediately know which images are exposed.
Each row shows:
- Version(s) across your fleet
- CVE count touching that package
- License (see below)
- OS tag — base-OS packages are marked, since their licensing is handled at the distro level
- Image count — how many of your images ship it
License inventory & banned-license alerts
The Base images / License strip categorizes every license into buckets:
| Bucket | Examples | Flagged? |
|---|---|---|
| Permissive | MIT, Apache-2.0, BSD, ISC | No |
| Weak copyleft | LGPL, MPL, EPL | No |
| Strong copyleft | GPL, AGPL | Yes* |
| Source-available | SSPL, BUSL, Elastic, CC-BY-NC | Yes* |
| Unknown | — | Surfaced for triage |
*The banned-license alert is ecosystem-aware: strong-copyleft / source-available licenses only trip the alert on application dependencies (npm, pypi, Go modules…). The same license on the OS baseline (bash, busybox, coreutils) is expected and never flagged — otherwise every Linux image would read as "16 banned packages" and the signal would be worthless.
Click Copyleft in app deps in the summary to filter straight to the packages that need legal review before redistribution.
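The package→image blast-radius view and the ecosystem-aware banned-license rule, as an added example in Python that is not part of the portal's own code: it buckets SPDX-style license strings by the table above, flags strong-copyleft and source-available licenses only on application dependencies, counts the OS-baseline packages that would otherwise have tripped the alert, and answers "which images ship package X, at what version". The inventory rows, image names, package names and the set of OS ecosystems are constructed assumptions.

```python
from collections import defaultdict

# License buckets from the table above, matched by prefix on SPDX-style identifiers.
BUCKETS = {
    "permissive": ("MIT", "Apache-2.0", "BSD", "ISC"),
    "weak-copyleft": ("LGPL", "MPL", "EPL"),
    "strong-copyleft": ("GPL", "AGPL"),
    "source-available": ("SSPL", "BUSL", "Elastic", "CC-BY-NC"),
}
BANNED = {"strong-copyleft", "source-available"}
OS_ECOSYSTEMS = {"deb", "rpm", "apk"}  # assumed base-OS package managers; licensing handled at distro level

def license_bucket(license_id):
    """Map a license string to its bucket; empty or unrecognised strings are 'unknown' (surfaced for triage)."""
    for bucket, prefixes in BUCKETS.items():
        if license_id and license_id.startswith(prefixes):
            return bucket
    return "unknown"

def banned_license_findings(inventory):
    """(image, package, license) for banned-bucket licenses on application dependencies only."""
    return [(p["image"], p["name"], p["license"]) for p in inventory
            if p["ecosystem"] not in OS_ECOSYSTEMS and license_bucket(p["license"]) in BANNED]

def suppressed_os_copyleft(inventory):
    """Count OS-baseline packages whose license is in a banned bucket: expected, so never alerted."""
    return sum(1 for p in inventory
               if p["ecosystem"] in OS_ECOSYSTEMS and license_bucket(p["license"]) in BANNED)

def blast_radius(inventory, package_name):
    """Package -> images view: which images ship the package, and at which version(s)."""
    images = defaultdict(set)
    for p in inventory:
        if p["name"] == package_name:
            images[p["image"]].add(p["version"])
    return {img: sorted(v) for img, v in images.items()}

# Constructed inventory rows; image and package names are hypothetical, not real data.
INVENTORY = [
    {"image": "api:1.4", "name": "bash", "version": "5.2", "ecosystem": "deb", "license": "GPL-3.0"},
    {"image": "api:1.4", "name": "coreutils", "version": "9.1", "ecosystem": "deb", "license": "GPL-3.0"},
    {"image": "api:1.4", "name": "openssl", "version": "3.0.11", "ecosystem": "deb", "license": "Apache-2.0"},
    {"image": "api:1.4", "name": "acme-reporting", "version": "2.3.0", "ecosystem": "pypi", "license": "AGPL-3.0"},
    {"image": "worker:2.0", "name": "openssl", "version": "3.0.9", "ecosystem": "deb", "license": "Apache-2.0"},
    {"image": "worker:2.0", "name": "acme-db-driver", "version": "1.8.2", "ecosystem": "npm", "license": "SSPL-1.0"},
    {"image": "worker:2.0", "name": "acme-utils", "version": "0.4.1", "ecosystem": "npm", "license": ""},
]
```

On this inventory only the two application dependencies are flagged, while the two GPL OS packages are counted as suppressed rather than alerted, and the empty license on `acme-utils` lands in the unknown bucket for triage.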