Choosing the Best Container Security Tool for Kubernetes

Asked By TechieTraveler42

I'm looking for advice on selecting a container security tool for my medium-sized Kubernetes production cluster, which consists of about 500 nodes across EKS and AKS. We're pushing custom images through CI/CD pipelines on a daily basis and I'm exhausted from dealing with scan and alert fatigue. My goal is to implement shift-left vulnerability prevention while maintaining fast deployment speeds. We have a budget limit of $50k per year and need to ensure SOC2 and PCI compliance. I'm considering Wiz, Orca, Lacework, or Minimus but I need help figuring out the best choice. Our primary concerns are the timing of CVE flags; we need issues addressed early in the build process instead of at the end. We want to keep our attack surface small with no performance regressions.

5 Answers

Answered By SecurityNinja73

Big yes for Minimus! With daily builds, keeping your base images tiny is a smart strategy—less is more for sure. Patch early and treat scanners as validators. I did try Wiz for a similar setup, and the alert overload was overwhelming. Lacework’s nice for runtime if you’re willing to invest time in tuning your setup.

Answered By CloudCadet

Considering your budget, Minimus really stands out. It allows for effective shift-left security without breaking the bank. Wiz might be a bit too enterprise-heavy, and while Orca's agentless features are beneficial, they are primarily reactive. A combination of Minimus for build-time hygiene and a small runtime compliance tool should get you where you need to be.

Answered By BuiltWise

I think a combo approach could work really well for you. Start with hardened images to minimize CVEs and alerts. Then, consider using a lightweight CNAPP like Orca or Wiz to cover attack paths. This will help balance prevention and visibility without overwhelming you with noise.

Answered By KernelKidd

If late CVEs and alert fatigue are your biggest issues, keep in mind that CNAPPs like Wiz, Orca, and Lacework focus on after-the-fact visibility. For fast CI/CD, focusing on build-time prevention with minimal base images can help keep your CVE surface quiet and your pipeline quick. It's more about being proactive than reactive.

Answered By DevSecGuru

You're spot on about the challenges of balancing build-time prevention and CI/CD speed. If shift-left is key for you, Minimus seems like the best fit, as it cuts down unnecessary packages at build time. This lowers your attack surface before anything reaches production. Lacework can be a good companion for runtime policy enforcement, but remember that reactive scanning from tools like Wiz or Orca could lag behind your pace.
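As an added illustration of the build-time gating that several answers above describe (treating the scanner as a validator in CI and keeping the CVE surface small with a minimal base image), here is a Python policy check. It is not code from this thread or from any of the vendors named. It assumes a scanner that emits a Trivy-style JSON report (a `Results` list whose entries carry a `Target` and a `Vulnerabilities` list with `VulnerabilityID`, `PkgName`, `InstalledVersion`, `FixedVersion` and `Severity`); that shape is an assumption modelled on Trivy's output. The two reports in the block are constructed, with placeholder CVE IDs, to contrast a full-distro base image against a minimal one. The gate fails the build only on findings at or above a chosen severity that actually have a fix available, which is the usual control against alert fatigue: an unfixed CVE cannot be removed by rebuilding, so it is reported but does not block.

```python
"""Build-time vulnerability gate over a container image scan report.

Added example, not code from the thread or from any vendor named in it.
Assumption: the scanner emits a Trivy-style JSON report
  {"Results": [{"Target": ..., "Vulnerabilities": [{...}, ...]}]}
with VulnerabilityID, PkgName, InstalledVersion, FixedVersion, Severity
on each finding. The sample reports below are constructed; the CVE IDs
are placeholders, not real vulnerabilities.
"""
from __future__ import annotations

import json
import sys
from dataclasses import dataclass, field

SEVERITY_RANK = {"UNKNOWN": 0, "LOW": 1, "MEDIUM": 2, "HIGH": 3, "CRITICAL": 4}


@dataclass
class GateResult:
    passed: bool
    blocking: list[dict] = field(default_factory=list)  # findings that fail the gate
    ignored: list[dict] = field(default_factory=list)   # below threshold, or unfixed
    total: int = 0


def iter_findings(report: dict):
    """Flatten all findings across targets; 'Vulnerabilities' may be null."""
    for result in report.get("Results", []):
        for vuln in result.get("Vulnerabilities") or []:
            yield {"target": result.get("Target", ""), **vuln}


def gate(report: dict, min_severity: str = "HIGH", ignore_unfixed: bool = True) -> GateResult:
    """Fail if any finding is at/above min_severity and (when ignore_unfixed) has a fix."""
    threshold = SEVERITY_RANK[min_severity.upper()]
    res = GateResult(passed=True)
    for f in iter_findings(report):
        res.total += 1
        sev = SEVERITY_RANK.get(str(f.get("Severity", "UNKNOWN")).upper(), 0)
        has_fix = bool(f.get("FixedVersion"))
        if sev >= threshold and (has_fix or not ignore_unfixed):
            res.blocking.append(f)
        else:
            res.ignored.append(f)
    res.passed = not res.blocking
    return res


def surface_reduction(full_report: dict, minimal_report: dict) -> set[str]:
    """CVE IDs present in the full-distro image but absent from the minimal one."""
    full_ids = {f["VulnerabilityID"] for f in iter_findings(full_report)}
    min_ids = {f["VulnerabilityID"] for f in iter_findings(minimal_report)}
    return full_ids - min_ids


def summarize(name: str, res: GateResult) -> str:
    lines = [f"{name}: {'PASS' if res.passed else 'FAIL'} "
             f"({len(res.blocking)} blocking / {res.total} findings)"]
    for f in res.blocking:
        lines.append(f"  {f['VulnerabilityID']} {f['Severity']} {f['PkgName']} "
                     f"{f['InstalledVersion']} -> fix {f.get('FixedVersion') or 'none'}")
    return "\n".join(lines)


# Constructed sample reports (placeholder IDs). The full-distro image carries
# OS packages the app never uses; the minimal image carries only the app's dependency.
FULL_DISTRO_REPORT = json.loads("""{"Results": [
  {"Target": "app:full (debian 12)", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libexample", "InstalledVersion": "1.0.0",
     "FixedVersion": "1.0.1", "Severity": "CRITICAL"},
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "app-dep", "InstalledVersion": "3.2.0",
     "FixedVersion": "", "Severity": "HIGH"},
    {"VulnerabilityID": "CVE-0000-0003", "PkgName": "utilpkg", "InstalledVersion": "2.2",
     "FixedVersion": "2.3", "Severity": "MEDIUM"},
    {"VulnerabilityID": "CVE-0000-0004", "PkgName": "docpkg", "InstalledVersion": "0.9",
     "Severity": "LOW"}]}]}""")

MINIMAL_REPORT = json.loads("""{"Results": [
  {"Target": "app:minimal", "Vulnerabilities": [
    {"VulnerabilityID": "CVE-0000-0002", "PkgName": "app-dep", "InstalledVersion": "3.2.0",
     "FixedVersion": "", "Severity": "HIGH"}]},
  {"Target": "app:minimal (os)", "Vulnerabilities": null}]}""")

if __name__ == "__main__":
    full = gate(FULL_DISTRO_REPORT)
    minimal = gate(MINIMAL_REPORT)
    print(summarize("full-distro", full))
    print(summarize("minimal", minimal))
    print("removed by switching base:", sorted(surface_reduction(FULL_DISTRO_REPORT, MINIMAL_REPORT)))
    sys.exit(0 if minimal.passed else 1)  # CI step exit code for the image being shipped
```

Run as a CI step after the scanner writes its JSON, the script's exit code is the gate. With the constructed data the full-distro image fails on the one fixable CRITICAL, while the minimal image passes because its only finding has no upstream fix; lowering `min_severity` or setting `ignore_unfixed=False` makes the policy strictly noisier, which is the knob to turn deliberately rather than leave at "everything blocks".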
