Vulnerability Reporting
SecureBuild scans images for known vulnerabilities and surfaces results by severity. This page describes how scanning works and how results are reported.
How Scanning Works
SecureBuild scans images for vulnerabilities using Grype. Scanning is SBOM-based: SecureBuild generates or retrieves an SBOM for the image, then Grype scans that SBOM against its vulnerability database.
Images built by SecureBuild use the OS identifier secureos. Grype supports secureos, so vulnerability matching works correctly for these images.
Reporting Fixed CVEs
For images it builds, SecureBuild reports how many vulnerabilities were fixed compared to the upstream or alternate image. It does this by comparing Grype scan results: vulnerabilities that appear in the alternate image’s scan but not in the SecureBuild image’s scan are counted as fixed. That count is stored per image and tag (for each architecture) and shown in the dashboard as a “fixed CVEs” or “vulnerabilities fixed” value.
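The comparison described above, as an added example that is not SecureBuild's own code: two Grype-style JSON reports are constructed inline (their shape follows Grype's JSON output as assumed here, with `matches[].vulnerability.id`, `matches[].vulnerability.severity` and `matches[].artifact.name`), the fixed set is taken as the vulnerability IDs present in the alternate image's report but absent from the SecureBuild image's report, and the result is summarised by severity and per architecture. The CVE identifiers and package names are placeholders, and keying on the vulnerability ID alone is an assumption; the page does not say whether SecureBuild also keys on the affected package.

```python
"""Count vulnerabilities fixed in a SecureBuild image relative to an alternate image.

Added example, not SecureBuild's or Grype's code. The reports below are
constructed; real ones would come from `grype <image-or-sbom> -o json`.
"""
import json
from collections import Counter

# Severity labels in display order (Grype's severity strings, as assumed here).
SEVERITY_ORDER = ["Critical", "High", "Medium", "Low", "Negligible", "Unknown"]

# Constructed Grype-style report for the upstream / alternate image.
ALTERNATE_SCAN = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-0001", "severity": "High"},
         "artifact": {"name": "libexample-placeholder", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-2024-0002", "severity": "Critical"},
         "artifact": {"name": "libexample-placeholder", "version": "1.0.0"}},
        {"vulnerability": {"id": "CVE-2024-0003", "severity": "Low"},
         "artifact": {"name": "compress-placeholder", "version": "1.2.0"}},
    ]
})

# Constructed Grype-style report for the SecureBuild image of the same software.
# CVE-2024-0003 is still present; CVE-2024-0004 is new and must not affect the count.
SECUREBUILD_SCAN = json.dumps({
    "matches": [
        {"vulnerability": {"id": "CVE-2024-0003", "severity": "Low"},
         "artifact": {"name": "compress-placeholder", "version": "1.2.0"}},
        {"vulnerability": {"id": "CVE-2024-0004", "severity": "Medium"},
         "artifact": {"name": "newdep-placeholder", "version": "0.9.0"}},
    ]
})


def parse_matches(report_json):
    """Return {vulnerability_id: severity} for a Grype JSON report.

    A vulnerability matched in several packages is collapsed to one entry,
    so the counts below are per CVE, not per (CVE, package) pair.
    """
    doc = json.loads(report_json)
    found = {}
    for match in doc.get("matches", []):
        vuln = match["vulnerability"]
        found.setdefault(vuln["id"], vuln.get("severity", "Unknown"))
    return found


def fixed_cves(alternate_json, securebuild_json):
    """Vulnerabilities in the alternate scan that are absent from the SecureBuild scan."""
    alternate = parse_matches(alternate_json)
    securebuild = parse_matches(securebuild_json)
    return {cve: sev for cve, sev in alternate.items() if cve not in securebuild}


def count_by_severity(cves):
    """Group a {cve: severity} mapping into counts, most severe first."""
    counts = Counter(cves.values())
    return {sev: counts[sev] for sev in SEVERITY_ORDER if counts[sev]}


def fixed_summary(alternate_json, securebuild_json):
    """The per-tag value shown on the dashboard as 'fixed CVEs'."""
    fixed = fixed_cves(alternate_json, securebuild_json)
    return {
        "fixed_count": len(fixed),
        "by_severity": count_by_severity(fixed),
        "fixed_ids": sorted(fixed),
    }


def fixed_per_architecture(scans_by_arch):
    """scans_by_arch: {arch: (alternate_json, securebuild_json)} -> {arch: summary}.

    Mirrors the page's note that the count is stored for each architecture.
    """
    return {arch: fixed_summary(alt, sb) for arch, (alt, sb) in scans_by_arch.items()}


if __name__ == "__main__":
    report = fixed_per_architecture({
        "amd64": (ALTERNATE_SCAN, SECUREBUILD_SCAN),
        "arm64": (ALTERNATE_SCAN, SECUREBUILD_SCAN),
    })
    print(json.dumps(report, indent=2))
```

Note that a vulnerability newly introduced in the SecureBuild image (CVE-2024-0004 in the constructed data) does not reduce the fixed count; the metric is a one-directional set difference, so it should be read alongside the image's own open-vulnerability list rather than as a net figure.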
