I usually build the image and push it to Docker Hub, then use snyk.io to scan all the code base and dependencies for vulnerabilities. For example, here is a scan of an image I built on Wappler a year and a half ago.
…
Compare that to another image I built 6 months ago. As you can see, with each Wappler version update the code base is improving on patches.
…
These images have not been updated with the patches since, because I just use them as a tracking tool to see what is really getting patched with each Wappler version update. So far I can say a lot of patches have been done with each new Wappler update.
My next image that I plan to scan is the Wappler Dashboard that I am building out over here.
But all in all, that is just scanning the image code base and its dependencies for vulnerabilities, and I am not sure of the level of hacking vulnerabilities you are trying to pinpoint.