> The cool part about FROM scratch images is that you'll never have to update your base image to address CVEs. Only your software and its (compiled) dependencies.

What's the benefit really, though? If you still need to be able to rapidly deploy a new image in response to a dependency CVE, what have you gained?

▲

OptionOfT an hour ago | parent | next [-]

If the base image I use is based on Debian, it comes with more than 15 binaries that I don't use.

But when Docker scans my image and notices that there is a CVE in one of those binaries, my image is currently out of compliance.

FROM scratch just reduces the surface.

	▲	xmodem an hour ago \| parent [-]
		> FROM scratch just reduces the surface. The actual attack surface of your application? Or the attack surface of you and your team's attention from a busybody security org. It's important not to confuse the two.

▲

regularfry 2 hours ago | parent | prev [-]

You've gained that happening much less frequently. The tradeoff is making every other problem harder to diagnose.