diff --git a/Dockerfile b/Dockerfile
index 0ff4eee..a6cfded 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -57,6 +57,13 @@ exit 1
 EOF
 RUN chmod +x /usr/local/bin/apt-retry
 
+# pebble is Canonical's container init system baked into the ubuntu base image
+# as a raw binary (not tracked by dpkg, so apt-get remove fails). It is not
+# used here (CMD is make all). Remove it to eliminate Go stdlib CVEs it would
+# otherwise carry into the image (DNS, HTTP/2, and email parsing code paths
+# that are never reached by this build pipeline).
+RUN rm -f /usr/bin/pebble
+
 # Base utilities — curl used throughout (not wget) for consistency; -fsSL flags enforce
 # error detection (-f: fail on HTTP error), silent output, and redirect following.
 # --no-install-recommends: excludes optional packages not required at runtime, reducing
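Review bot: The added `RUN rm -f /usr/bin/pebble` exits 0 whether or not that file exists, so if a later base image ships the binary under another path the step becomes a silent no-op and the Go stdlib findings come back unnoticed. Have the step assert its result, for example `RUN rm -f /usr/bin/pebble && ! command -v pebble`, so the build fails while any `pebble` is still on PATH. The comment would also be more accurate if it said the deletion only hides the file from this layer onward: the binary is gone from the container filesystem, but its bytes remain in the base image layer, so "eliminate" applies to the runtime filesystem rather than to the stored image.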