u/Efficient_Team5182

Our vulnerability scanner has basically become the boy who cried wolf. We’re getting hundreds of alerts. The team’s starting to tune them out, which feels like the worst possible outcome from investing in security tooling.

Some findings matter, but most just create noise and slow releases while we debate risk. We suspect the root issue is container images packed with packages the workload never actually uses. But proving that, and acting on it cleanly, has been harder than expected. Has anyone found a way to get this under control?

I’m especially interested in whether runtime-aware hardening is worth it, and how you deal with it from a compliance perspective.

u/Efficient_Team5182 — 19 days ago