For non-automated builds, just pull to a local machine and use something like Portainer to have a look around.
And then review what it `FROM`s. And then review the core OS build that it relies on.
It's a lot of work. It is doable, but it is a lot of work.
I just wanted to make the point that I don't think it's impossible :)