Container Image Vulnerability Scanning with AI Agents
Every container image scanned with Trivy, findings triaged by exploitability and reachability, and fix PRs opened automatically.
The problem today
Trivy finds 800 CVEs in your base image. Your security team prioritizes by CVSS and ships a ticket to every service team. The service teams push back because 80% of the findings are in packages their code never loads or calls, or are CVEs with no public exploit. The queue becomes noise, the one CVE that is actually being exploited in the wild gets lost in the pile, and everyone agrees the scanner is 'broken'.
How AI agents solve it
The Security Agent runs Trivy on every image, then filters the findings through exploitability signals (CISA's KEV catalog, EPSS scores, active-exploitation feeds) and reachability analysis (is the vulnerable package or code path actually loaded and called by this service?). What's left is the real work. The agent then opens targeted fix PRs (base image bumps, package upgrades), one per service, not one per CVE.
Who this is for: Application security teams managing container image risk across 20+ services
Manual workflow vs. Security Agent
Manual workflow
- Raw Trivy output dumped into Jira as one ticket per CVE
- Prioritization by CVSS alone, with no exploitability filter
- Service teams push back because most findings aren't reachable
- Real criticals lost in noise
- Fixes are one-ticket-per-CVE, no batching
With the Security Agent
- Findings filtered by exploitability (KEV, EPSS) and reachability
- One fix PR per service, not one ticket per CVE
- Real criticals surface because noise is gone
- Fix PRs are auto-generated: base bumps, package upgrades
- Jira tickets reserved for things that genuinely need human input
How the Security Agent runs this
- 01. Security Agent scans every image on push with Trivy
- 02. Enrich findings with the KEV catalog, EPSS scores, and exploitation feeds
- 03. Run reachability analysis against the service's actual code paths
- 04. Group surviving findings by fix (base image bump, package upgrade, etc.)
- 05. Open one fix PR per service with all reachable, exploitable CVEs together
- 06. File Jira tickets only for findings that can't be auto-fixed
- 07. Orchestrator coordinates rollout across dependent services
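Steps 02 through 06 as an added Python example (not Structura's code, and not part of this page): it flattens a Trivy JSON report, enriches each finding from a KEV feed and an EPSS feed, drops what is neither exploitable nor reachable, and groups what survives into one fix plan for the service. The Trivy, KEV and EPSS documents are constructed samples that use those formats' real field names; the CVE IDs are placeholders, not real vulnerabilities, and the service image name, the reachable-package set (which in practice comes from a reachability pass over the service's code) and the 0.10 EPSS threshold are assumptions.

```python
"""Trivy finding triage: KEV/EPSS exploitability + reachability, grouped into one fix plan per service.

Added example, not Structura's code. Every input below is a constructed sample in the field
layout of the real tool or feed; the CVE IDs are placeholders, not real vulnerabilities.
"""
import json

# Constructed: shape of `trivy image --format json` output (ArtifactName / Results / Vulnerabilities).
TRIVY_JSON = json.dumps({
    "ArtifactName": "registry.example/payments-api:1.4.2",  # assumed service image
    "Results": [
        {"Target": "payments-api (debian 12.5)", "Class": "os-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2099-0001", "PkgName": "openssl", "InstalledVersion": "3.0.11-1", "FixedVersion": "3.0.13-1", "Severity": "CRITICAL"},
            {"VulnerabilityID": "CVE-2099-0002", "PkgName": "libxml2", "InstalledVersion": "2.9.14", "FixedVersion": "2.9.15", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2099-0007", "PkgName": "perl", "InstalledVersion": "5.36.0", "FixedVersion": "5.36.1", "Severity": "CRITICAL"},
        ]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Vulnerabilities": [
            {"VulnerabilityID": "CVE-2099-0003", "PkgName": "requests", "InstalledVersion": "2.31.0", "FixedVersion": "2.32.0", "Severity": "HIGH"},
            {"VulnerabilityID": "CVE-2099-0004", "PkgName": "urllib3", "InstalledVersion": "1.26.5", "FixedVersion": "1.26.19", "Severity": "MEDIUM"},
            {"VulnerabilityID": "CVE-2099-0005", "PkgName": "jinja2", "InstalledVersion": "3.1.2", "Severity": "HIGH"},  # no FixedVersion: nothing to auto-fix
        ]},
    ],
})
# Constructed: shape of CISA's KEV feed (vulnerabilities[].cveID) and FIRST's EPSS API (data[].cve / .epss).
KEV_JSON = json.dumps({"vulnerabilities": [{"cveID": "CVE-2099-0001"}]})
EPSS_JSON = json.dumps({"data": [
    {"cve": "CVE-2099-0001", "epss": "0.92"}, {"cve": "CVE-2099-0002", "epss": "0.02"},
    {"cve": "CVE-2099-0003", "epss": "0.45"}, {"cve": "CVE-2099-0004", "epss": "0.60"},
    {"cve": "CVE-2099-0005", "epss": "0.30"}, {"cve": "CVE-2099-0007", "epss": "0.01"},
]})
# Assumed output of a reachability pass: packages this service actually loads or calls.
REACHABLE_PACKAGES = {"openssl", "requests", "jinja2"}
EPSS_THRESHOLD = 0.10  # assumption; tune to your own risk appetite


def parse_trivy(report_json):
    """Flatten a Trivy JSON report into one dict per finding, carrying the result Class/Target."""
    findings = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:
            findings.append({
                "cve": v["VulnerabilityID"], "pkg": v["PkgName"],
                "installed": v.get("InstalledVersion", ""), "fixed": v.get("FixedVersion", ""),
                "severity": v.get("Severity", "UNKNOWN"),
                "class": result.get("Class", ""), "target": result.get("Target", ""),
            })
    return findings


def load_kev(kev_json):
    return {e["cveID"] for e in json.loads(kev_json)["vulnerabilities"]}


def load_epss(epss_json):
    return {e["cve"]: float(e["epss"]) for e in json.loads(epss_json)["data"]}


def triage(findings, kev, epss, reachable, threshold=EPSS_THRESHOLD):
    """Step 02/03: keep exploitable AND reachable findings; return (kept, {cve: reason dropped})."""
    kept, dropped = [], {}
    for f in findings:
        in_kev = f["cve"] in kev
        score = epss.get(f["cve"], 0.0)  # no EPSS score is not, by itself, a reason to keep
        exploitable = in_kev or score >= threshold
        is_reachable = f["pkg"] in reachable
        if in_kev:
            # A KEV hit is never dropped on reachability alone: reachability analysis has
            # false negatives (dynamic imports, subprocess calls), and KEV means exploitation is live.
            kept.append({**f, "kev": True, "epss": score, "reachable": is_reachable})
        elif exploitable and is_reachable:
            kept.append({**f, "kev": False, "epss": score, "reachable": True})
        else:
            why = []
            if not exploitable:
                why.append(f"epss {score:.2f} < {threshold} and not in KEV")
            if not is_reachable:
                why.append("package not reachable from service code")
            dropped[f["cve"]] = "; ".join(why)
    return kept, dropped


def plan_fixes(kept):
    """Step 04/05/06: one PR plan per service (base bump + package upgrades), tickets for the unfixable."""
    plan = {"pr": {"base_image_bump": [], "package_upgrades": {}}, "tickets": []}
    for f in kept:
        if not f["fixed"]:
            plan["tickets"].append(f["cve"])  # reachable and exploitable but no fixed version: needs a human
        elif f["class"] == "os-pkgs":
            plan["pr"]["base_image_bump"].append(f["cve"])  # all OS-package fixes ride on one base bump
        else:
            key = f"{f['target']}:{f['pkg']}"
            entry = plan["pr"]["package_upgrades"].setdefault(key, {"to": f["fixed"], "cves": []})
            entry["cves"].append(f["cve"])
    return plan


def run_pipeline():
    kept, dropped = triage(parse_trivy(TRIVY_JSON), load_kev(KEV_JSON), load_epss(EPSS_JSON), REACHABLE_PACKAGES)
    return plan_fixes(kept), dropped


if __name__ == "__main__":
    plan, dropped = run_pipeline()
    print(json.dumps({"plan": plan, "dropped": dropped}, indent=2))
```

Two choices in this block are the ones a practitioner should keep: a KEV hit is never discarded on the strength of reachability analysis alone, because reachability has false negatives and KEV means exploitation is already happening; and a finding with no fixed version goes to a ticket rather than being silently dropped, since a reachable, exploitable CVE that the distro has not patched is exactly what needs human input. Note also that the constructed perl finding (CVSS-critical, EPSS 0.01, not reachable) is what CVSS-only triage would have paged on and this pipeline drops with a recorded reason.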
Measurable impact
Cuts vulnerability ticket volume by 70-90% through exploitability filtering
Surfaces the 'actually matters' CVEs that get lost in raw Trivy output
Auto-generated fix PRs reduce time-to-patch from weeks to hours
Service teams stop ignoring the scanner because signal-to-noise improves
Agents involved
Governed by the AI Gateway
Every agent action in this use case is audited, policy-checked, and cost-tracked
Structura's AI Gateway sits between every agent and the underlying LLM providers. Every decision made during this use case (every plan review, every policy check, every fix PR) is routed through guardrails, logged to an immutable audit trail, and evaluated against NIST AI RMF and AIUC-1 controls.
Learn about the AI Gateway
Related use cases
Keep automating
OPA Policy Enforcement at Deploy Time with AI
Real-time OPA policy evaluation against every deploy, with context-aware explanations instead of cryptic Rego denials.
CIS Benchmark Automation with AI Agents
Continuous CIS benchmark compliance across AWS, Azure, and GCP, with auto-remediation for low-risk controls and audit-ready evidence.
AI-Driven Cloud Compliance Gap Detection
Continuous SOC 2, ISO 27001, HIPAA, and PCI gap analysis across your cloud estate, with prioritized remediation plans.
See this use case in a live demo
We'll walk you through exactly how the Security Agent handles this in a real environment with your stack, your policies, and your constraints.