Up to 95% of your container vulnerabilities don't matter.

Because your entrypoint can never reach them.

Example: temporalio/auto-setup:latest has 101 CVEs, of which 17 are reachable; the other 83% is noise.

Same OS. Different stack.
Different vulnerability profile.

Two images built on debian:bookworm with identical base packages. What you add on top changes which CVEs are actually reachable.

Python + Flask (debian:bookworm)
18 reachable out of 1,061 (6 OS, 12 app); 98% noise

Reachable path:
  APP gunicorn
  calls     PIP flask 3.0.0 (CVE-2026-27205, score 4.4)
  calls     PIP requests 2.31.0 (CVE-2024-35195, score 5.6)
  loads     EXT _ssl.cpython-311.so
  links to  LIB libssl3 3.0.11
  owned by  OS libc6 2.36 (CVE-2026-0861, score 8.4)

Dockerfile (the package list, ENV, COPY, RUN and CMD lines are the ones specific to this runtime; the rest is shared with the Node image):
# shared base image
FROM debian:bookworm
# python runtime + tooling
RUN apt-get update && apt-get install -y \
    python3 python3-pip python3-venv \
    libpq5 ca-certificates curl
# bookworm's pip refuses system-wide installs (PEP 668), so app deps go into a venv
ENV PATH="/venv/bin:$PATH"
WORKDIR /app
COPY requirements.txt .
# installs flask, requests, gunicorn... into /venv
RUN python3 -m venv /venv && pip install -r requirements.txt
COPY app.py .
# app entrypoint (gunicorn resolves to /venv/bin/gunicorn via PATH)
CMD ["gunicorn", "-b", "0.0.0.0:8080", "app:app"]
Node + Express (debian:bookworm)
12 reachable out of 1,191 (2 OS, 10 app); 99% noise

Reachable path:
  APP server.js
  imports     NPM jsonwebtoken 9.0.0
  depends on  NPM semver 7.3.5 (CVE-2022-25883, score 7.5)
  no path     LIB libssl3 3.0.11
  no path     OS libc6 2.36 (CVE-2026-0861 is present in the image but unreachable)

Dockerfile (the package list, COPY, RUN and CMD lines are the ones specific to this runtime; the rest is shared with the Python image):
# shared base image
FROM debian:bookworm
# node runtime + npm
RUN apt-get update && apt-get install -y \
    nodejs npm \
    libpq5 ca-certificates curl
WORKDIR /app
COPY package.json .
# installs express, pg, jsonwebtoken... (no lockfile is copied, so resolved versions float between builds)
RUN npm install --production
COPY server.js .
# app entrypoint
CMD ["node", "server.js"]

Scanners list packages.
We trace the path to every CVE.

Five layers deep. Through native extensions, shared libraries, and OS packages that nobody else touches. If there's no code path from your entrypoint to a vulnerability, it's noise.

Layer 5, OS packages: where the CVE actually lives.
Layer 4, shared libraries: resolved at the symbol level.
Layer 3, native extensions: the native boundary, where managed code meets system memory.
Layer 2, language packages: what your package manager pulled in.
Layer 1, application code: entrypoint to call graph; every handler, import, subprocess.
Entrypoint: app.py

Depth: 25 layers. Full container tomography, from entrypoint to OS packages.
CVE noise reduction: −87%. Median backlog shrink after reachability filtering on first scan.
Trace time: ≈ 4.2 s per image, symbol-level linkage across all five depths.
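A reduced model of the filtering described above, covering both the "same OS, different stack" comparison and the five-layer trace, as an added example: this is not Emphere's code, and the graph is built by hand from the two paths drawn on this page rather than extracted from real images. The `CVE-EXAMPLE-*` findings, the `unused-tool` package and the symbol names on the `links to` edge are constructed, to show the two ways a finding becomes noise: no path to its component at all, or a path to the library whose vulnerable function is never imported. Whether the `node` binary itself pulls libssl3 into the process is a per-image question; the page's "no path" result is taken as given here.

```python
"""Reachability filtering over a container's dependency graph.

Added example, not Emphere's code: the page's five layers (app code, language
packages, native extensions, shared libraries, OS packages) become a directed
graph walked from the entrypoint. A CVE is kept only if its component sits on a
path, and a CVE that names affected functions only if one of them is imported.
"""
from collections import deque
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Component:
    layer: str          # APP, PIP, NPM, EXT, LIB or OS
    name: str
    version: str = ""


@dataclass(frozen=True)
class Finding:
    cve_id: str
    score: float
    functions: frozenset = frozenset()  # empty: the whole package is affected


@dataclass
class ImageGraph:
    entrypoint: Component
    edges: dict = field(default_factory=dict)     # src -> [(relation, dst, symbols)]
    findings: dict = field(default_factory=dict)  # component -> [Finding]

    def link(self, src, relation, dst, symbols=()):
        self.edges.setdefault(src, []).append((relation, dst, frozenset(symbols)))

    def affected(self, comp, cve_id, score, functions=()):
        self.findings.setdefault(comp, []).append(Finding(cve_id, score, frozenset(functions)))

    def reachable(self):
        """BFS from the entrypoint: {component: (path, symbols imported from it)}."""
        seen = {self.entrypoint: ([], frozenset())}
        queue = deque([self.entrypoint])
        while queue:
            cur = queue.popleft()
            for relation, nxt, symbols in self.edges.get(cur, []):
                if nxt in seen:  # a second importer of an already-reached library
                    path, imported = seen[nxt]
                    seen[nxt] = (path, imported | symbols)
                    continue
                seen[nxt] = (seen[cur][0] + [(relation, nxt)], symbols)
                queue.append(nxt)
        return seen

    def triage(self):
        """Split findings into reachable (with the path that makes them live) and noise."""
        live = self.reachable()
        reachable, noise = [], []
        for comp, findings in self.findings.items():
            for f in findings:
                path, imported = live.get(comp, (None, frozenset()))
                if path is not None and (not f.functions or f.functions & imported):
                    reachable.append((f, comp, path))
                else:
                    noise.append((f, comp))
        return reachable, noise


def noise_ratio(reachable, noise):
    total = len(reachable) + len(noise)
    return len(noise) / total if total else 0.0


def flask_image():
    """Python + Flask image as drawn on the page; CVE-EXAMPLE-* findings are constructed."""
    g = ImageGraph(Component("APP", "gunicorn"))
    flask = Component("PIP", "flask", "3.0.0")
    requests = Component("PIP", "requests", "2.31.0")
    ssl_ext = Component("EXT", "_ssl.cpython-311.so")
    libssl = Component("LIB", "libssl3", "3.0.11")
    libc = Component("OS", "libc6", "2.36")
    g.link(g.entrypoint, "calls", flask)
    g.link(flask, "calls", requests)
    g.link(requests, "loads", ssl_ext)
    g.link(ssl_ext, "links to", libssl, symbols=["SSL_CTX_new", "SSL_read", "SSL_write"])
    g.link(libssl, "owned by", libc)  # relation label as it appears on the page
    g.affected(flask, "CVE-2026-27205", 4.4)
    g.affected(requests, "CVE-2024-35195", 5.6)
    g.affected(libc, "CVE-2026-0861", 8.4)
    # constructed: libssl3 is on the path, but this CVE only hits a function nobody imports
    g.affected(libssl, "CVE-EXAMPLE-0001", 7.5, functions=["SSL_select_next_proto"])
    # constructed: an installed OS package that no code path ever touches
    g.affected(Component("OS", "unused-tool", "1.0"), "CVE-EXAMPLE-0002", 9.8)
    return g


def node_image():
    """Node + Express image as drawn on the page: libssl3 and libc6 are installed but off-path."""
    g = ImageGraph(Component("APP", "server.js"))
    jwt = Component("NPM", "jsonwebtoken", "9.0.0")
    semver = Component("NPM", "semver", "7.3.5")
    libc = Component("OS", "libc6", "2.36")
    g.link(g.entrypoint, "imports", jwt)
    g.link(jwt, "depends on", semver)
    g.link(Component("LIB", "libssl3", "3.0.11"), "owned by", libc)  # present, never reached
    g.affected(semver, "CVE-2022-25883", 7.5)
    g.affected(libc, "CVE-2026-0861", 8.4)
    return g


if __name__ == "__main__":
    for g in (flask_image(), node_image()):
        reachable, noise = g.triage()
        print(g.entrypoint.name, [f.cve_id for f, _, _ in reachable], f"{noise_ratio(reachable, noise):.0%} noise")
```

Running the file prints, for each image, the CVE IDs that stay after filtering and the share discarded as noise. The interesting case is `CVE-EXAMPLE-0001`: libssl3 is reached from gunicorn, so a package-level scanner would flag it, but the symbol carried on the `links to` edge never intersects the CVE's affected functions, which is what "resolved at the symbol level" buys over a plain package list. The same walk on the Node graph leaves libc6's CVE-2026-0861 as noise because nothing from `server.js` ever links to it.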

Now fix what matters. Directly in your Dockerfile.

Reachability maps which code paths are live. That graph tells Emphere exactly what to patch in the Dockerfile, using packages from our secure supply chain, rebuilt from source.

Dockerfile (+3 −2)
@@ base image @@
1- FROM ubuntu:22.04
1+ FROM emphere/ubuntu:22.04
22  
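Review bot: `FROM emphere/ubuntu:22.04` swaps one mutable tag for another; for a base whose whole point is provenance, pin the digest as well (`FROM emphere/ubuntu:22.04@sha256:<digest>`, with the digest taken from the registry) so a later rebuild cannot silently resolve the tag to a different image.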
@@ system packages → rebuilt from source @@
3- RUN apt-get update && apt-get install -y \
4- openssl=3.0.11 python3=3.11.2 curl
3+ COPY --from=emphere/openssl:3.2.5 / /pkgs/
4+ COPY --from=emphere/python:3.11.14 / /pkgs/
5+ COPY --from=emphere/curl:8.11.0 / /pkgs/
56  
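Review bot: the three `COPY --from=... / /pkgs/` lines land the rebuilt openssl, python and curl under /pkgs/, but nothing in this hunk puts /pkgs/... on PATH or tells the dynamic linker about the new libssl, and the `apt-get install` that used to provide `python3` is gone; unless the emphere/ubuntu base already wires /pkgs/ up, the `pip install` and `CMD ["python", "app.py"]` that follow have no interpreter to resolve. State where these trees end up on PATH and in ld.so.conf, or copy them to `/` instead of `/pkgs/`. Two smaller points: copying three full image roots onto the same /pkgs/ means the last COPY wins for any overlapping file, so it is worth noting the trees are disjoint; and the versions move along with the source (openssl 3.0.11 to 3.2.5, python 3.11.2 to 3.11.14, curl from unpinned to 8.11.0), so "same ABI" still deserves a test run rather than being assumed from the diff.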
@@ your application (untouched) @@
67  WORKDIR /app
78  COPY requirements.txt .
89  RUN pip install -r requirements.txt
910  COPY . .
1011  CMD ["python", "app.py"]
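Review bot: `COPY . .` ships the whole build context, so anything beside the Dockerfile (.git, .env, a local virtualenv, test fixtures) ends up in the image and its layer history; add a .dockerignore or copy only what `python app.py` needs. And since this section is about supply chain, `pip install -r requirements.txt` on its own trusts whatever the index serves; pin with hashes (`pip install --require-hashes -r requirements.txt`, against a requirements file produced by `pip-compile --generate-hashes`) so the application layer gets the same provenance guarantee the system packages were just given.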
Same behavior. Drop-in replacements with the same ABI, interfaces, and runtime.
Same workflow. Update the Dockerfile, rebuild, and ship. Nothing else changes.
Patched at the source. Rebuilt from upstream, without waiting on vendor images.

Know what matters.
Fix what matters.

Bring one noisy image. We'll show which CVEs are actually reachable, trace them back to the container layers, and show how the Dockerfile fix ships.

20-minute call · Bring your noisiest image · See reachability live