Hey everyone, been running into a headache with our security posture on k8s. Our current SAST/SCA tools scan images fine during CI, but we’re blind to what’s actually vulnerable in runtime. The issue: We have tons of init containers, sidecar proxies, and ephemeral jobs that spin up and down. Some pull images we’ve never scanned, others run with elevated privileges we didn’t account for during static analysis. Last week we had a vulnerability in a logging sidecar that our pre-deployment scans missed entirely because it was injected by our service mesh. How are you folks getting visibility into the actual attack surface of running pods vs just what you scanned in CI? Thanks in advance