Trivy is an excellent local tool for scanning vulnerabilities in your OCI images. It checks for OS vulnerabilities and all sorts of dependencies.
Ofc, keep in mind CVE is a flawed system: think Zero Trust, not just CVE fixing.
Here's an example with my Mastodon image