Image scanners may report OS-package findings against the base images (python:3.12-slim, node:22-alpine, nginx:alpine). Those findings originate in the upstream distribution layer, not in this application's code or its dependencies; the remedy is to pull a newer tag of the base image and rebuild (or move to a smaller base), not a change in this repository.
Never commit .env; it is listed in .gitignore for that reason. Use it only for local or preview runs. In production, supply PPLX_API_KEY and the database URLs through a secrets manager or the deployment platform's environment, and check that no .env file is copied into the image or onto the deployed filesystem (listing it in .dockerignore as well is a sensible precaution).
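One way to enforce that policy in the application itself, as an added example that is not the project's own code: a small settings loader that reads .env only for local or preview runs, refuses to start in production if a .env file is present, and fails closed when a required secret is missing. The APP_ENV variable, the DATABASE_URL name and the `load_settings` function are assumptions made for this illustration.

```python
"""Hypothetical settings loader (added example, not the project's own code).

Policy: a .env file is read only when APP_ENV is "local" or "preview". In
production the process must get PPLX_API_KEY and DATABASE_URL (an assumed
name for the database URL setting) from the deployment environment, and a
.env file lying around is treated as a misconfiguration.
"""
from __future__ import annotations

import os
from pathlib import Path

REQUIRED = ("PPLX_API_KEY", "DATABASE_URL")
LOCAL_ENVS = {"local", "preview"}


def parse_dotenv(text: str) -> dict[str, str]:
    """Parse KEY=VALUE lines; tolerates comments, blank lines, `export` and quotes."""
    values: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" not in line:
            continue
        key, _, value = line.partition("=")
        key = key.strip()
        if key.startswith("export "):
            key = key[len("export "):].strip()
        value = value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        values[key] = value
    return values


def load_settings(app_env: str, environ: dict, dotenv_text: str | None) -> dict[str, str]:
    """Return the required settings or raise RuntimeError.

    app_env:     "local", "preview" or "production" (value of APP_ENV).
    environ:     the process environment (os.environ in real use).
    dotenv_text: contents of .env if the file exists, else None.
    """
    merged = dict(environ)
    if app_env in LOCAL_ENVS:
        if dotenv_text is not None:
            # Real environment variables win over .env so a developer can override.
            for key, value in parse_dotenv(dotenv_text).items():
                merged.setdefault(key, value)
    elif dotenv_text is not None:
        # Fail closed: a .env file in production means secrets were shipped on disk.
        raise RuntimeError("a .env file must not be present outside local/preview runs")
    missing = [key for key in REQUIRED if not merged.get(key)]
    if missing:
        raise RuntimeError(f"missing required settings: {', '.join(missing)}")
    return {key: merged[key] for key in REQUIRED}


if __name__ == "__main__":
    env_file = Path(".env")
    text = env_file.read_text() if env_file.exists() else None
    settings = load_settings(os.environ.get("APP_ENV", "local"), dict(os.environ), text)
    # Print only the names, never the values.
    print("loaded settings:", ", ".join(settings))
```

Set APP_ENV=production in the deployment environment; the loader then ignores .env entirely and aborts at startup rather than running with an empty API key or a stale local database URL.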
For production deployments, consider replacing the base images with distroless or otherwise minimal alternatives, running Trivy or Snyk against the built images in CI (and failing the pipeline on fixable high-severity findings in the application's own dependencies), and restricting access to the API and dashboards, for example by placing them behind authentication and an allowlisted network.
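The two notes above (scanner findings that belong to the base image versus the application, and a Trivy gate in CI) can be combined into one CI step. The following is an added example, not the project's own tooling: it reads a Trivy JSON report, separates OS-package findings (base image layer) from findings in the application's dependencies, fails the build only for fixable HIGH/CRITICAL issues the repository can actually remedy, and flags when the base image itself needs a newer tag. The field names used (Results[].Class, Target, Vulnerabilities[].VulnerabilityID, Severity, FixedVersion) are from Trivy's JSON output; the severity policy and the sample report are assumptions made here.

```python
"""Hypothetical CI gate over a Trivy JSON report (added example, not the
project's own code). Produce the report with
    trivy image --format json --output report.json <image>
and run this script with the report path as its only argument.
"""
from __future__ import annotations

import json
import sys
from collections import Counter

FAIL_SEVERITIES = {"CRITICAL", "HIGH"}   # policy choice; adjust per project


def triage(report: dict) -> dict:
    """Bucket findings by origin and return counts plus a pass/fail verdict."""
    os_pkgs: list[dict] = []
    app_pkgs: list[dict] = []
    for result in report.get("Results", []):
        # Trivy marks distro packages as Class "os-pkgs"; application
        # dependencies (pip, npm, ...) are "lang-pkgs".
        bucket = os_pkgs if result.get("Class") == "os-pkgs" else app_pkgs
        for vuln in result.get("Vulnerabilities") or []:
            bucket.append({
                "id": vuln.get("VulnerabilityID"),
                "pkg": vuln.get("PkgName"),
                "severity": vuln.get("Severity", "UNKNOWN"),
                "fixed": bool(vuln.get("FixedVersion")),
                "target": result.get("Target"),
            })
    # Application findings with an available fix at HIGH/CRITICAL block the build.
    blocking = [v for v in app_pkgs if v["severity"] in FAIL_SEVERITIES and v["fixed"]]
    # Base-image findings are reported but not blocking: the remedy is a newer
    # base tag or a distroless image, not a code change in this repository.
    base_bump = any(v["severity"] in FAIL_SEVERITIES and v["fixed"] for v in os_pkgs)
    return {
        "os_by_severity": dict(Counter(v["severity"] for v in os_pkgs)),
        "app_by_severity": dict(Counter(v["severity"] for v in app_pkgs)),
        "blocking": blocking,
        "base_image_update_recommended": base_bump,
        "passed": not blocking,
    }


# Constructed sample in Trivy's JSON layout. The vulnerability IDs and package
# names are placeholders for illustration, not real advisories.
SAMPLE_REPORT = {
    "Results": [
        {"Target": "python:3.12-slim (debian 12)", "Class": "os-pkgs", "Type": "debian",
         "Vulnerabilities": [
             {"VulnerabilityID": "SAMPLE-0001", "PkgName": "libexample1",
              "InstalledVersion": "1.0-1", "FixedVersion": "1.0-2", "Severity": "HIGH"},
             {"VulnerabilityID": "SAMPLE-0002", "PkgName": "libother1",
              "InstalledVersion": "2.0-1", "Severity": "LOW"}]},
        {"Target": "app/requirements.txt", "Class": "lang-pkgs", "Type": "pip",
         "Vulnerabilities": [
             {"VulnerabilityID": "SAMPLE-0003", "PkgName": "somepkg",
              "InstalledVersion": "0.9", "FixedVersion": "1.0", "Severity": "CRITICAL"}]},
    ]
}


def main(path: str | None = None) -> int:
    if path:
        with open(path, encoding="utf-8") as fh:
            report = json.load(fh)
    else:
        report = SAMPLE_REPORT
    verdict = triage(report)
    print("base image (os-pkgs):", verdict["os_by_severity"])
    print("application (lang-pkgs):", verdict["app_by_severity"])
    for v in verdict["blocking"]:
        print(f"BLOCKING {v['severity']} {v['id']} in {v['pkg']} ({v['target']})")
    if verdict["base_image_update_recommended"]:
        print("base image has fixable HIGH/CRITICAL findings: pull a newer tag and rebuild")
    return 0 if verdict["passed"] else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv[1] if len(sys.argv) > 1 else None))
```

The exit status makes the step usable directly as a CI gate; run without arguments it triages the embedded sample, which exits non-zero because the application dependency carries a fixable CRITICAL finding while the base-image HIGH is only reported.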