I have been reading about Docker container scanning tools viz. Clair by CoreOs and Anchore. Both of them deal with static analysis of the container image to create a report of CVEs. What are some vulnerabilities that might not be covered in the static analysis of just the images? Are there tools which scan running containers and generate a CVE report for the same ?