> Critical and high CVEs in base images dropped to near zero. Our vulnerability scanners became quieter, with fewer false positives and less noise.
Are there vulnerability scanners that attempt to look for what is actually used, instead of just what is present?
dschofie•2h ago
Definitely! A lot of this falls under the "reachability" umbrella. It's just a little harder to say if something is actually used vs just installed. For example, in your app you could exec a script which can be harder for tools to detect with accuracy and there are just quite a few edge cases to handle
lysace•2h ago
I guess the scanner would need to be provided with runtime data, somehow. I.e. two phases of scanning, before and after deployment. Suddenly it's getting quite complex, especially if you include the security aspects of that scanner running in prod.
lysace•2h ago
> Critical and high CVEs in base images dropped to near zero. Our vulnerability scanners became quieter, with fewer false positives and less noise.
Are there vulnerability scanners that attempt to look for what is actually used, instead of just what is present?
dschofie•2h ago
lysace•2h ago