This (ThreatMapper) probably addresses some of the questions you left open in your great post.
- It's open source (no limitations, unlike some 'open source' scanners that require a back-end vulnerability server and have limited numbers of scans)
- It scans running containers and operating systems (as well as containers at rest in registries or in CI), because we all know that containers can change in the act of deployment
- It ranks the vulnerabilities that it finds based on their accessibility from the attack surface, so 10.0 CVEs in airgapped systems are generally reported as lower priority than 9.0 CVEs in a workload behind a load balancer with active connections