Snyk Container Vulnerability Agent
Scans Docker images for OS and application vulnerabilities using the Snyk Container API. Generates fix PRs with upgraded base images and patched dependency versions.
npx skills add agentskillexchange/skills --skill snyk-container-vulnerability-agent
The Snyk Container Vulnerability Agent performs comprehensive security scanning of Docker container images through the Snyk Container REST API. It analyzes both OS-level packages (apt, apk, yum) and application dependencies (npm, pip, Maven) within image layers, identifying CVEs with CVSS scoring and exploit maturity data. The agent recommends specific base image upgrades by comparing vulnerability counts across tag variants (alpine, slim, distroless) and generates automated pull requests with updated Dockerfiles. It supports multi-stage build analysis, detecting vulnerabilities introduced at each build stage, and provides layer-by-layer attribution showing which Dockerfile instruction introduced each vulnerable package. Integration with Snyk webhooks enables continuous monitoring of deployed images, with Slack and PagerDuty alerting for newly disclosed CVEs affecting production containers. The agent also generates SBOMs in SPDX and CycloneDX formats.