OptionOfT, 2 hours ago:

If the base image I use is based on Debian, it comes with more than 15 binaries that I don't use. But when Docker scans my image and notices that there is a CVE in one of those binaries, my image is currently out of compliance. FROM scratch just reduces the surface.
xmodem, 2 hours ago (reply to parent):

> FROM scratch just reduces the surface.

The actual attack surface of your application? Or the attack surface of your and your team's attention from a busybody security org? It's important not to confuse the two.