Container Scanning
Catch vulnerable layers before they reach your registry.
Runtimekindle scans Dockerfile layers and base images for CVEs at build time — integrating with ECR, GCR, and Docker Hub without adding measurable pipeline latency.
Scanning Pipeline
Layer-by-layer analysis with severity triage
Dockerfile layer attribution
CVEs are attributed to the specific Dockerfile layer where the vulnerable package was installed. Developers see exactly which RUN apt-get install or COPY instruction introduced the vulnerability — actionable remediation without manual hunting.
Base image CVE tracking
Monitors base image CVEs continuously. When a new vulnerability affects ubuntu:22.04 or node:20-alpine, all images derived from that base are flagged — even if those images haven't been rebuilt yet.
Registry integration
Integrates with ECR (AWS), GCR (Google), and Docker Hub via webhook or registry scanning API. Scans happen at push time — images with critical CVEs can be blocked from deployment via K8s admission policy before they reach production.
Severity triage with reachability
Container scan findings are cross-referenced with the runtime reachability data from the eBPF agent. A Critical CVE in a package that is never loaded in any running pod is deprioritized automatically — engineers fix what's exploitable, not what's theoretical.
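The two ideas above, attributing a finding to the Dockerfile instruction that installed the package and deprioritizing findings whose package is never loaded at runtime, as an added Python example that is not Runtimekindle's code. The Dockerfile, CVE ids, scanner findings and loaded-package set are constructed placeholders, and the parser is a simplified assumption that only understands `apt-get install` and `apk add`.

```python
import re

# Constructed sample Dockerfile; not taken from any real project.
DOCKERFILE = """\
FROM ubuntu:22.04
RUN apt-get update && apt-get install -y curl=7.81.0-1ubuntu1 \\
    libssl3
COPY ./app /srv/app
RUN apt-get install -y --no-install-recommends imagemagick
"""
INSTALL = re.compile(r"\b(?:apt-get install|apk add)\b(.*)")

def parse_layers(dockerfile: str) -> list:
    """Return [(instruction, {packages installed by it})], continuations joined."""
    text = re.sub(r"\\\n\s*", " ", dockerfile)
    layers = []
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        pkgs = set()
        if line.upper().startswith("RUN "):
            # Split the shell command on && / ; and look for package-manager installs.
            for seg in re.split(r"&&|;", line[4:]):
                m = INSTALL.search(seg)
                if m:
                    # Skip flags; drop version pins so 'curl=7.81...' matches 'curl'.
                    pkgs.update(t.split("=")[0] for t in m.group(1).split()
                                if not t.startswith("-"))
        layers.append((line, pkgs))
    return layers

def attribute(findings: list, layers: list) -> dict:
    """Map each CVE to the instruction that installed its package, else the FROM line."""
    base = next(ins for ins, _ in layers if ins.upper().startswith("FROM "))
    return {f["cve"]: next((ins for ins, pkgs in layers if f["package"] in pkgs), base)
            for f in findings}

def triage(findings: list, loaded: set) -> dict:
    """Critical/High findings whose package is loaded in a running pod are 'fix-now'."""
    return {f["cve"]: "fix-now" if f["severity"] in ("Critical", "High")
            and f["package"] in loaded else "deferred" for f in findings}

# Constructed scanner findings (placeholder CVE ids) and the set of packages
# a runtime agent observed loaded in running pods.
FINDINGS = [
    {"cve": "CVE-0000-0001", "package": "curl", "severity": "Critical"},
    {"cve": "CVE-0000-0002", "package": "imagemagick", "severity": "Critical"},
    {"cve": "CVE-0000-0003", "package": "libc6", "severity": "High"},
]
LOADED = {"curl", "libc6", "libssl3"}
```

`libc6` is not installed by any RUN instruction, so it is attributed to the base image line; `imagemagick` is Critical but never loaded, so it is deferred.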
Scan your first image in under 10 minutes.
Connect your registry and get a layer-by-layer CVE breakdown before your next deploy.