
Create/use tool to verify that base images include things that have been included in security patch (or contain no known vulns) #7777

@matthchr

Description


For example, on 12/06/2025, we included an update to containerd in the security patch, but we didn't include that update in the base image until nearly a month later on 01/13/2026.

Ideally there would be some automated tool (as part of CI?) that helped check/prevent releases where something that had already been security-patched was not updated in the next base image.

Alternatively, a tool that checked for known vulnerabilities may accomplish the same thing (since this vuln was known at multiple base-image publish steps).

This ensures:

  1. Users who aren't using security patch get CVEs fixed.
  2. Users who are using security patch have secure images from time of boot, rather than time of patch (AFAIK security patch is applied after node launches, right?)
