Base Images rule defines which registry images your organization considers foundational base images and maps derived images to them. This association provides image lineage visibility, helping you trace vulnerabilities to their source and apply remediation at the base image level.
A Base Images rule associates registry images (for example, ubuntu:22.04) as designated base images. When a rule is applied, it creates a BASE_REFERENCE relation between images, enabling bidirectional tracing so you can:
Identify the base image for any given image
View all dependent images derived from a specific base image
By creating Base Images rule, you can:
Identify approved base images across your organization
Map Registry and Runtime images to base images for full lineage visibility
Identify affected base images during vulnerability investigations
Identify all dependent images impacted by a vulnerable base image
Use base image associations in policies, queries, and filters
Prerequisites
Before creating a rule, ensure:
container registries are onboarded and actively scanned in your environment.
you have View/Edit permission for Compute Policies or the Instance Administrator role to create or manage a Base Images Rule.
Create a Base Images Rule
You can create a Base Images rule from either Rules & Policies or a Registry Image Asset Card.
To create a Base Images rule from Rules & Policies:
Navigate to → → → .
Select + Create Rule.
Enter a Name and optional Description for the rule.
Define the filter conditions, such as:
Registry URL (for example, https://docker.io)
Repository name.
(Optional) Refine the filter conditions by adding additional conditions, such as:
Image Name
Image Tag (for example, latest).
You can use supported operators such as Equals, Not Equals, Contains, Not Contains, starts with, and ends with to specify the conditions.
Select Run Preview to view matching images.
Select Create to add the rule.
The rule is automatically applied to all existing and future images that match the defined criteria. After you create or modify a Base Images rule, it can take up to 6 hours for the system to apply the changes and update the relationships across your assets.
Create a Base Image Rule from a Registry Image Asset Card
Navigate to → → → → .
Filter Asset Type = Registry Image.
Select a registry image row to open the details pane
Select the More options (⋮) menu.
Choose Add base image rule. The Base Image Rules page opens with conditions pre-populated based on the selected image.
Modify the conditions if required.
Select Run Preview to view matching images.
Select Create to add the rule.
The rule is automatically applied to all existing and future images that match the defined criteria. After you create or modify a Base Images rule, it can take up to 6 hours for the system to apply the changes and update the relationships across your assets.
Next Steps
Container image assets include Base Image details that identify the foundational registry image they are derived from. If an asset is a base image, a Base Image property is displayed in the asset side panel.
When a Base Images Rule is created, a base image tag is assigned to matching container image assets. You can use this tag to create an Asset Group ( → → ) by filtering on the Image Is Base Image. This allows you to group all base images and use the asset group for policies and issue management.
Find the Base Image for an Asset
Navigate to → → → → .
Open a container image asset (Registry Image or Runtime Image).
In the Overview tab, under the Properties section, locate Base Image details to view the linked foundational registry image.
View the Relationships section to explore upstream and downstream image lineage.
Manage a Base Images rule
To manage a Rule, follow these steps:
Navigate to → → → → .
Find the Base Images from the list of rules, or use the filter to search.
Select the rule row to open the details pane
Select the More options (⋮) menu.
Actions
Instructions
Edit
Modify the existing Base Images rule.
Save as new
Create a new rule using the existing Base Images rule as a template.
Delete
Remove the Base Images rule.