SubImage agents prioritize vulnerable images that matter, generate repo-aware fix plans, and track remediation until the risk is gone.

Is the vulnerable package in a running container? Is that container internet-exposed? Is there a path from it to sensitive data? If not, the agent drops its priority.

Agents inspect the repo, Dockerfile, dependency graph, and base image lineage to produce the fewest actions that fix the most risk. Each step includes the file to change, current value, target value, and confidence.

Each action item ties back to CVEs, packages, impacted images, running workloads, and rationale, so security and engineering teams can agree on what should be fixed first.

Known exploited vulnerabilities and EPSS probability are built into triage, so signs of active exploitation are visible before teams spend time on the lower-risk backlog.