It would be great to scan the whole rootfs of the node (excluding common CRI directories like /var/lib/containerd).

This would scan for vulns in systemd, kubeadm, kubelet, ... and any binary locally installed.

Those vulnerabilities would go in a new CRD (nodevulnerabilityreports?).