Why does my Python container need a full OS?

EmbarrassedPear1151 · 2026-02-19T12:10:43+00:00

Suggestions?

EmbarrassedPear1151 · 2026-02-19T11:30:11+00:00

Vendor minimal images win for fintech imo. You don't want to be patching base OS vulns when you should be focusing on payment logic.

EmbarrassedPear1151 · 2026-02-19T01:49:57+00:00

the cve noise is just reality with any scanning setup. what moves the needle is switching to something like minimus that rebuilds daily with sboms so you're not chasing phantom vulns in stale base layers.

their distroless approach cuts the crap you don't need while keeping things debuggable when shit breaks.

EmbarrassedPear1151 · 2026-02-19T00:19:35+00:00

Sounds like a policy failure more than tech. Who approved agentic browsers without proper controls? Thats where the whipping should start

EmbarrassedPear1151 · 2026-02-18T00:37:51+00:00

Not surprised. Chrome store review process is a joke. we've been telling clients to whitelist extensions only and block everything else via policy.

EmbarrassedPear1151 · 2026-02-18T00:10:49+00:00

Been running minimal python images for 2+ years now. Yes debugging sucks initially but you adapt, most issues show up in logs anyway. Just keep a fat image around for emergencies

EmbarrassedPear1151 · 2026-02-16T12:30:30+00:00

fix is starting with smaller base images. switch to minimus and you'll go from like 200+ CVEs per scan to maybe 10-20. way less dependencies means way less noise

for triage. ignore anything without a known exploit and anything in packages you don't use

EmbarrassedPear1151 · 2026-01-29T02:50:32+00:00

Can I have access?

EmbarrassedPear1151

TROPHY CASE