Abstract: Provided is a process for determining threat scores for container images or distributed applications that consider the results of a multitude of different scanners and other factors such as context information which may include information about a given execution environment for the container image. Scanner results, or scanner properties, are determined for a container image or container images in a multi-container distributed application by various vulnerability scanners. The scanner properties determined by each vulnerability scanner are adjusted responsive to properties of the context and normalized to determine component threat scores for the container image. Then the component threat scores for the container image are combined to generate a combined threat score for the container image within the context of the execution environment.

Abstract: Provided is a process that includes obtaining a container image; for each of a plurality of the constituent images of the container image, determining, with one or more processors, whether the respective constituent image contains a vulnerability by: selecting a respective subset of scanners from among a set of a plurality of scanners by comparing respective scanner criteria to at least part of the respective constituent image, causing at least part of the respective constituent image to be scanned with the selected respective subset of scanners, and identifying potential vulnerabilities in the respective constituent image based on output of the scanning; and storing results based on at least some identified potential vulnerabilities in memory.

Abstract: Provided is a process that includes: obtaining a source code text document having commands that specify a container image with layers; for each command, determining whether the respective command corresponds to a layer of the container image subject to a security vulnerability; and causing a user interface to be displayed that presents commands in visual association with respective indications that respective commands are subject to the respective security vulnerabilities.