Scanners run on a schedule, so a vulnerable package can sit in an image for a full cycle before anyone notices. Here's how Ephor flags it from the SBOM between scans.
Between free CLI scanners and six-figure enterprise platforms, there's nothing. I got tired of managing CVEs in spreadsheets and built what should have existed.