It is difficult to know not just what a VM or container was built with, but also what has been added, removed, or changed, and by whom. Grafeas, originally devised by Google, is intended to make these questions easier to answer.
Grafeas is an open source project that defines a metadata API for software components. It is meant to provide a uniform metadata schema that allows VMs, containers, JAR files, and other software artifacts to describe themselves to the environments they run in and to the users that manage them. The goal is to allow processes like auditing the software used in a given environment, and auditing the changes made to that software, to be done in a consistent and reliable way.
Read more at InfoWorld