by andenacitelli 910 days ago
Don’t Docker themselves have a tool for this, Docker Scout? Pops up with how many known vulnerabilities are in each layer when you go to the page for a specific tag on Docker Hub.

I think it’s a somewhat new product so it may not be too widespread yet, but it seems to work pretty well from my admittedly uninformed perspective.


There's a number of image scanners which (IME) can produce different results from each other, although it's not always as clearly right/wrong as you might expect. Trivy (that this page is based on), Docker Scout, and Grype are three of the more common ones.
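To make the point in the comment above concrete, here is an added example (not from the thread or from any of the scanner projects) that normalises the findings of two scanners onto one key and reports what only one of them flagged and where they disagree on severity. The two JSON documents are constructed samples; their field layouts are modelled on what Trivy (`Results` / `Vulnerabilities` / `VulnerabilityID`) and Grype (`matches` / `vulnerability` / `artifact`) emit, and that layout is an assumption to check against each tool's current JSON schema before pointing this at real output. The CVE identifiers are obvious placeholders.

```python
"""Diff the findings of two container image scanners (added example).

Assumption: the parsers below follow the JSON layouts of Trivy and Grype as
remembered by the author of this example; verify against the tools' schemas.
The embedded documents are constructed samples with placeholder CVE IDs.
"""
import json
from typing import Dict, List, NamedTuple


class Finding(NamedTuple):
    """One vulnerable package instance, the unit both tools report on."""
    vuln_id: str
    package: str
    version: str


def normalize_severity(sev: str) -> str:
    """Map each scanner's severity label onto one uppercase scale."""
    return (sev or "").strip().upper() or "UNKNOWN"


def parse_trivy(doc: dict) -> Dict[Finding, str]:
    """Flatten Trivy-style output into {finding: severity} (field names assumed)."""
    findings: Dict[Finding, str] = {}
    for result in doc.get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            key = Finding(v["VulnerabilityID"], v["PkgName"], v["InstalledVersion"])
            findings[key] = normalize_severity(v.get("Severity"))
    return findings


def parse_grype(doc: dict) -> Dict[Finding, str]:
    """Flatten Grype-style output into {finding: severity} (field names assumed)."""
    findings: Dict[Finding, str] = {}
    for m in doc.get("matches", []):
        vuln, art = m["vulnerability"], m["artifact"]
        key = Finding(vuln["id"], art["name"], art["version"])
        findings[key] = normalize_severity(vuln.get("severity"))
    return findings


def diff_findings(a: Dict[Finding, str], b: Dict[Finding, str]) -> Dict[str, List[str]]:
    """Return sorted vulnerability IDs: unique to each side, shared, and
    shared-but-rated-differently. A finding seen by only one scanner is not
    automatically a miss by the other; it may reflect a different feed or a
    distro backport the other tool accounts for."""
    only_a = set(a) - set(b)
    only_b = set(b) - set(a)
    both = set(a) & set(b)
    disagree = {f for f in both if a[f] != b[f]}
    ids = lambda s: sorted(f.vuln_id for f in s)
    return {
        "only_a": ids(only_a),
        "only_b": ids(only_b),
        "both": ids(both),
        "severity_disagreements": ids(disagree),
    }


# Constructed sample output in a Trivy-like layout (placeholder CVE IDs).
SAMPLE_TRIVY = json.loads("""
{"Results": [{"Target": "example-image:tag", "Vulnerabilities": [
  {"VulnerabilityID": "CVE-0000-0001", "PkgName": "openssl", "InstalledVersion": "1.1.1", "Severity": "HIGH"},
  {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libc6",   "InstalledVersion": "2.31",  "Severity": "MEDIUM"},
  {"VulnerabilityID": "CVE-0000-0003", "PkgName": "curl",    "InstalledVersion": "7.68",  "Severity": "CRITICAL"}
]}]}
""")

# Constructed sample output in a Grype-like layout for the same image.
SAMPLE_GRYPE = json.loads("""
{"matches": [
  {"vulnerability": {"id": "CVE-0000-0001", "severity": "High"},   "artifact": {"name": "openssl", "version": "1.1.1"}},
  {"vulnerability": {"id": "CVE-0000-0002", "severity": "Low"},    "artifact": {"name": "libc6",   "version": "2.31"}},
  {"vulnerability": {"id": "CVE-0000-0004", "severity": "Medium"}, "artifact": {"name": "zlib",    "version": "1.2.11"}}
]}
""")


def compare_samples() -> Dict[str, List[str]]:
    """Run both parsers over the embedded samples and diff them."""
    return diff_findings(parse_trivy(SAMPLE_TRIVY), parse_grype(SAMPLE_GRYPE))


if __name__ == "__main__":
    for label, ids in compare_samples().items():
        print(f"{label}: {', '.join(ids) or '-'}")
```

Run against two real reports (`trivy image -f json` and `grype -o json`, written to files), this is enough to see which tool flags what on the same image. Keying on package plus installed version rather than on CVE alone matters: both scanners may agree on the CVE but attach it to different package records, and collapsing to CVE IDs would hide that.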
If this detects things that Docker misses, then it's a good product. Consider adding support for GitHub Actions so a PR can automatically kick off a scan. You'll see lots of repeat images, so cache appropriately. With an integration, I think you could charge a subscription for this tool.
It's just Trivy under the hood; there's already an action on the marketplace for that: https://github.com/aquasecurity/trivy-action