This article explains why vulnerability scan results may differ between your scanner and the Chainguard Console, and how to interpret those differences. In most cases, a discrepancy reflects differences in how scanners process Chainguard's advisory data rather than an unaddressed vulnerability.
How Chainguard measures vulnerabilities
Chainguard publishes security advisories in the OSV format and benchmarks results against our supported scanner list. When you view the Vulnerabilities tab in the Console, you're seeing results cross-referenced against Chainguard's own advisories.
Supported vs. unsupported scanners
Chainguard maintains a list of supported vulnerability scanners. Results from supported scanners are what Chainguard uses as its benchmark. These tools are configured to correctly handle Chainguard's image format and advisory data.
If you're using a supported scanner and seeing unexpected results, check the supported scanners page for any required configuration flags or settings. Some supported scanners require specific options to correctly scan images built on the wolfi or chainguard package namespace. Without those options, the scanner may silently skip a significant portion of OS packages and produce an inaccurate report.
If you're using a scanner not on the supported list, discrepancies are expected and stem from several common causes:
- Different advisory databases: Unsupported scanners maintain their own vulnerability databases with different update cadences. They may report CVEs that Chainguard has already patched, or miss patched CVEs because they haven't ingested Chainguard's advisory feed.
- No false positive filtering: Chainguard's advisories classify findings as fixed, false positive, or pending upstream. Unsupported scanners typically do not consume this classification data and will surface all findings regardless of their actual impact.
- Lock file scanning: Some scanners inspect bundled lock files (e.g., requirements.txt, package-lock.json) rather than installed packages. This produces findings against packages that are present in a file but not actually installed or executed in the image.
- Contextless file scanning: Some scanners evaluate whether a vulnerable function exists anywhere in a binary, regardless of whether the package actually calls that function. This produces false positives, particularly with statically linked binaries.
- Stale scanner versions: Older versions of any scanner may carry stale CVE databases. Always ensure your scanner is up to date before comparing results.
Understanding advisory statuses
When you look up a CVE in Chainguard's security advisories, you'll see one of these statuses:
- Fixed: The CVE has been patched in the current image build.
- Affected: The CVE is present and Chainguard is working on a fix.
- False positive: Chainguard has determined the CVE does not apply to this image as built.
- Pending upstream: The fix depends on an upstream project releasing a patch. Chainguard will apply it once available.
A CVE marked "Pending upstream" in Chainguard's advisories may still appear as active in scanners that don't consume Chainguard's advisory feed.
What to do
- Check Chainguard's security advisories for the specific CVE and image.
- If you're using a supported scanner, verify that any required configuration has been applied per the supported scanners page.
- Re-run using a supported scanner and compare the results against Chainguard's advisories.
- If the finding still appears in the supported scanner's output and is not marked Fixed or False Positive in the advisories, contact support with the scan output and image digest.
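The following is an added example, not code from Chainguard or from this article, showing how the advisory statuses above and the triage steps in this section can be applied to a scanner's findings. The advisory records, the status field, the CVE identifiers and the scanner output are all constructed for illustration and do not reflect the exact schema of Chainguard's OSV feed.

```python
import re

# Constructed sample advisories in a reduced OSV-like shape. The "status" key is an
# assumption for illustration; it is not a documented field of Chainguard's feed.
ADVISORIES = [
    {"id": "CVE-EXAMPLE-0001", "package": "openssl", "fixed": "3.2.1-r0", "status": "fixed"},
    {"id": "CVE-EXAMPLE-0002", "package": "curl", "fixed": None, "status": "false positive"},
    {"id": "CVE-EXAMPLE-0003", "package": "nginx", "fixed": None, "status": "pending upstream"},
    {"id": "CVE-EXAMPLE-0004", "package": "zlib", "fixed": None, "status": "affected"},
]

def version_key(version):
    """Split an apk-style version such as '3.2.1-r0' into comparable numeric parts."""
    base, _, release = version.partition("-r")
    return [int(p) for p in re.findall(r"\d+", base)], int(release or 0)

def triage(finding, advisories=ADVISORIES):
    """Map one scanner finding to the action implied by its Chainguard advisory status."""
    match = next((a for a in advisories
                  if a["id"] == finding["cve"] and a["package"] == finding["package"]), None)
    if match is None:
        return "unaddressed: not in advisories, open a support ticket with scan output and digest"
    status = match["status"]
    if status == "fixed":
        # Installed version at or above the fixed version means the scanner's data is stale.
        if version_key(finding["installed"]) >= version_key(match["fixed"]):
            return "fixed: installed version already patched, scanner database is stale"
        return "affected: pull a newer image build that contains the fix"
    if status == "false positive":
        return "false positive: does not apply to this image as built"
    if status == "pending upstream":
        return "pending upstream: awaiting an upstream patch, may still show in other scanners"
    return "affected: fix in progress"

# Constructed scanner output: one finding per entry (CVE, package, installed version).
SCAN = [
    {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "installed": "3.2.1-r0"},
    {"cve": "CVE-EXAMPLE-0001", "package": "openssl", "installed": "3.2.0-r3"},
    {"cve": "CVE-EXAMPLE-0002", "package": "curl", "installed": "8.6.0-r0"},
    {"cve": "CVE-EXAMPLE-0003", "package": "nginx", "installed": "1.25.4-r0"},
    {"cve": "CVE-EXAMPLE-9999", "package": "bash", "installed": "5.2.21-r0"},
]

if __name__ == "__main__":
    for finding in SCAN:
        print(finding["cve"], finding["package"], "->", triage(finding))
```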
When to open a support ticket
Open a ticket if:
- A CVE appears in a supported scanner's output and is not addressed in Chainguard's advisories
- The advisory status hasn't changed in more than 2 weeks
- You need help interpreting a specific finding for an audit