by hsin003
92 days ago
I agree CI should catch as much as possible — image scanning and dependency checks at build time are table stakes. But in practice, CI is only a point-in-time guarantee. A build can pass all checks and still become vulnerable later as new CVEs are disclosed. So the goal isn’t to rely on runtime to “catch mistakes”, but to add a second layer of defense — continuous monitoring and probing for already-deployed services. If anything, this incident showed us that CI alone isn’t sufficient once systems are long-lived.
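The point-in-time gap described above, as an added example that is not part of the comment or the thread: an image that was clean against the advisory feed when CI ran is re-evaluated against the feed as it exists later, and only the findings introduced by feed growth are reported. Image names, package versions, advisory identifiers and dates are all constructed placeholders, not real CVEs.

```python
"""Re-check deployed artifacts against a vulnerability feed as it grows after CI ran."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Advisory:
    id: str                      # placeholder id, not a real CVE number
    package: str
    fixed_in: tuple[int, ...]    # first version that carries the fix
    published: str               # constructed date, only for illustration


@dataclass(frozen=True)
class DeployedImage:
    name: str
    packages: dict               # package name -> installed version tuple


def affected(image: DeployedImage, feed: list) -> set:
    """Advisory ids whose package is installed below its fixed version."""
    hits = set()
    for adv in feed:
        installed = image.packages.get(adv.package)
        if installed is not None and installed < adv.fixed_in:
            hits.add(adv.id)
    return hits


def new_findings(image: DeployedImage, feed_at_build: list, feed_now: list) -> set:
    """Findings that appeared purely because the feed grew; the image itself is unchanged."""
    return affected(image, feed_now) - affected(image, feed_at_build)


# Constructed data: what the feed looked like when CI passed, and what it looks like now.
FEED_AT_BUILD = [Advisory("ADV-0001", "openssl", (3, 0, 8), "2024-01-10")]
FEED_NOW = FEED_AT_BUILD + [
    Advisory("ADV-0002", "zlib", (1, 3, 1), "2024-04-02"),     # disclosed after the image shipped
    Advisory("ADV-0003", "openssl", (3, 0, 12), "2024-05-20"),  # same package, newer fix
]
API_IMAGE = DeployedImage(
    "api-gateway:2024.03",  # constructed image tag
    {"openssl": (3, 0, 9), "zlib": (1, 2, 13), "curl": (8, 6, 0)},
)

if __name__ == "__main__":
    print("at CI time :", sorted(affected(API_IMAGE, FEED_AT_BUILD)))   # [] -> pipeline was green
    print("new since  :", sorted(new_findings(API_IMAGE, FEED_AT_BUILD, FEED_NOW)))
```

Running this on a real deployed inventory (an SBOM per running image) against a live feed is the "second layer" the comment argues for: the same artifact, re-judged as knowledge changes.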