Up to 95% of your container vulnerabilities don't matter.

Because your entrypoint can never reach them.

Example image: temporalio/auto-setup:latest
101 CVEs · 17 reachable · 83% noise

Same OS. Different stack.
Different vulnerability profile.

Two images built on debian:bookworm with identical base packages. What you add on top changes which CVEs are actually reachable.

Python + Flask on debian:bookworm
18 reachable out of 1,061 (6 OS · 12 app); 98% noise

Reachable path, from the entrypoint down to the OS library:
APP gunicorn
  calls      → PIP flask 3.0.0 (CVE-2026-27205, score 4.4)
  calls      → PIP requests 2.31.0 (CVE-2024-35195, score 5.6)
  loads      → EXT _ssl.cpython-311.so
  links to   → LIB libssl3 3.0.11
  owned by   → OS libc6 2.36 (CVE-2026-0861, score 8.4)

Dockerfile for this image:
```dockerfile
# shared base image
FROM debian:bookworm
# python runtime + tooling (the python3 packages are unique to this runtime)
RUN apt-get update && apt-get install -y \
    python3 python3-pip python3-venv \
    libpq5 ca-certificates curl
WORKDIR /app
# unique to this runtime: dependency manifest and install step
COPY requirements.txt .
# installs flask, requests, gunicorn... into a venv, because bookworm's
# python3-pip refuses system-wide installs (PEP 668 externally-managed-environment)
RUN python3 -m venv /opt/venv && /opt/venv/bin/pip install -r requirements.txt
ENV PATH="/opt/venv/bin:$PATH"
COPY app.py .
# app entrypoint (gunicorn is resolved from the venv on PATH)
CMD ["gunicorn", "-b", "0.0.0.0:8080", "app:app"]
```
Node + Express on debian:bookworm
12 reachable out of 1,191 (2 OS · 10 app); 99% noise

Reachable path, from the entrypoint down; the OS libraries are present but never reached:
APP server.js
  imports    → NPM jsonwebtoken 9.0.0
  depends on → NPM semver 7.3.5 (CVE-2022-25883, score 7.5)
  no path    → LIB libssl3 3.0.11
  no path    → OS libc6 2.36 (CVE-2026-0861, safe: not reachable)

Dockerfile for this image:
```dockerfile
# shared base image
FROM debian:bookworm
# node runtime + npm (nodejs and npm are unique to this runtime)
RUN apt-get update && apt-get install -y \
    nodejs npm \
    libpq5 ca-certificates curl
WORKDIR /app
# unique to this runtime: dependency manifest and install step
COPY package.json .
# installs express, pg, jsonwebtoken... (runtime dependencies only; --omit=dev
# is the current spelling of the deprecated --production flag)
RUN npm install --omit=dev
COPY server.js .
# app entrypoint
CMD ["node", "server.js"]
```

Don't take our word for it. See it for yourself.


Now fix what matters.
Directly in your Dockerfile.

Reachability maps which code paths are live. That graph is what tells Emphere exactly what to patch in the Dockerfile, using packages from our secure supply chain, built from source.
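To make the two diagrams above and the patching claim here concrete, the following is an added example (not Emphere's code) that walks a dependency graph from the container entrypoint and splits the CVEs it finds into "reachable" and "noise". The nodes, edge kinds, versions, CVE ids and scores are copied from the two diagrams on this page; the traversal rule is an assumption: a component's CVE counts as reachable when a chain of live edges (calls, imports, depends on, loads, links to, owned by) leads from the entrypoint to it, while "no path" edges are ignored.

```python
"""Reachability triage over a container dependency graph (added example).

The graph data below is constructed from the Python + Flask and Node + Express
diagrams on this page; the traversal and the "live edge" set are assumptions.
"""
from collections import deque

# Edge kinds the walk follows as live code paths. "no path" is deliberately absent.
LIVE_EDGES = {"calls", "imports", "depends on", "loads", "links to", "owned by"}

# component -> (ecosystem, version, [(cve_id, score)]) -- values from the page
COMPONENTS = {
    "gunicorn": ("app", "-", []),
    "server.js": ("app", "-", []),
    "flask": ("pip", "3.0.0", [("CVE-2026-27205", 4.4)]),
    "requests": ("pip", "2.31.0", [("CVE-2024-35195", 5.6)]),
    "_ssl.cpython-311.so": ("ext", "-", []),
    "jsonwebtoken": ("npm", "9.0.0", []),
    "semver": ("npm", "7.3.5", [("CVE-2022-25883", 7.5)]),
    "libssl3": ("lib", "3.0.11", []),
    "libc6": ("os", "2.36", [("CVE-2026-0861", 8.4)]),
}

# Directed, labelled edges: (source, kind, destination)
PYTHON_IMAGE = [
    ("gunicorn", "calls", "flask"),
    ("flask", "calls", "requests"),
    ("requests", "loads", "_ssl.cpython-311.so"),
    ("_ssl.cpython-311.so", "links to", "libssl3"),
    ("libssl3", "owned by", "libc6"),
]
NODE_IMAGE = [
    ("server.js", "imports", "jsonwebtoken"),
    ("jsonwebtoken", "depends on", "semver"),
    ("semver", "no path", "libssl3"),
    ("libssl3", "no path", "libc6"),
]


def reachable_components(edges, entrypoint):
    """Breadth-first walk over live edges; returns the set of reached component names."""
    adjacency = {}
    for src, kind, dst in edges:
        if kind in LIVE_EDGES:
            adjacency.setdefault(src, []).append(dst)
    seen = {entrypoint}
    queue = deque([entrypoint])
    while queue:
        node = queue.popleft()
        for nxt in adjacency.get(node, []):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return seen


def triage(edges, entrypoint):
    """Split every CVE in the image into (reachable, noise) as (component, cve, score) tuples."""
    present = {entrypoint} | {n for s, _, d in edges for n in (s, d)}
    live = reachable_components(edges, entrypoint)
    reachable, noise = [], []
    for name in sorted(present):
        for cve, score in COMPONENTS[name][2]:
            (reachable if name in live else noise).append((name, cve, score))
    return reachable, noise


def noise_ratio(reachable, noise):
    """Fraction of reported CVEs that no live path reaches (the page's 'noise' figure)."""
    total = len(reachable) + len(noise)
    return 0.0 if total == 0 else len(noise) / total


if __name__ == "__main__":
    for label, edges, entry in [("Python + Flask", PYTHON_IMAGE, "gunicorn"),
                                ("Node + Express", NODE_IMAGE, "server.js")]:
        hit, noise = triage(edges, entry)
        print(f"{label}: {len(hit)} reachable of {len(hit) + len(noise)} CVEs "
              f"({noise_ratio(hit, noise):.0%} noise)")
        # Highest score first: this is the patch order the graph justifies.
        for name, cve, score in sorted(hit, key=lambda r: -r[2]):
            print(f"  patch {name} {COMPONENTS[name][1]}: {cve} (score {score})")
```

Run as-is, the Python image reports all three CVEs as reachable, with libc6's CVE-2026-0861 at the top of the patch list; the Node image reports only semver's CVE-2022-25883 and files the very same libc6 CVE as noise, which is the point of the comparison: the base layer is identical, the entrypoint decides.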

Layers of the image, top to bottom, with the CVEs Emphere flags in each:

Application: your code & dependencies (yours)
Debian: libc6 2.41-12, CVE-2026-0861 (+12 more), vulnerable
OpenSSL: 3.5.5-1~deb13u1, CVE-2026-31790 (+6 more), vulnerable
Python: 3.11.0, CVE-2026-18012 (+2 more), vulnerable
NGINX: 1.24.0, CVE-2025-43562 (+1 more), vulnerable