An example method includes determining, based on a static scan, that a software container image or an intended execution environment of the software container image meets one or more first criteria required to exploit a software vulnerability. Based on the determining, runtime behavior of a software container instantiated from the software container image is monitored. The monitoring including determining whether the software container meets one or more second criteria required to exploit the software vulnerability, wherein the one or more first second criteria differs from the one or more second criteria. Based on the runtime monitoring, a risk score that indicates a magnitude of a risk the software vulnerability poses for the software container is determined, and a notification of the risk score is provided. A system for assessing software containers for vulnerabilities is also disclosed.