fix(security): bump golang.org/x deps and add container CVE scan gate

- Bump golang.org/x/{net,crypto,sys,text,term} to latest patches to clear GHSA module advisories flagged by Docker Scout. - Add Docker Scout CVE gate to the release workflow (fails only on FIXABLE critical/high; unfixed upstream ffmpeg codec CVEs are accepted and documented in SECURITY.md). - Add weekly + manual docker-rebuild workflow so newly fixed base/ ffmpeg/Go patches land on :latest between tagged releases. - Document container image vuln-scanning policy and hardening in SECURITY.md.
2026-05-21 16:53:23 +02:00 · 2026-05-21 16:53:23 +02:00 · 283eb54a74
commit 283eb54a74
parent fb44f3711e
5 changed files with 128 additions and 19 deletions
--- a/.github/workflows/docker-rebuild.yml
+++ b/.github/workflows/docker-rebuild.yml
@ -0,0 +1,52 @@
+# Rebuilds and re-pushes the `latest` image without a version bump so newly
+# *fixed* Alpine / ffmpeg / Go patches land between tagged releases. Versioned
+# tags are immutable and never touched here. Runs weekly and on demand.
+name: Docker rebuild
+
+on:
+  schedule:
+    # Mondays 04:17 UTC (off the hour to avoid the scheduler rush)
+    - cron: "17 4 * * 1"
+  workflow_dispatch:
+
+jobs:
+  rebuild:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 0
+
+      # Stamp the binary with the most recent release tag (not "dev").
+      - name: Resolve version
+        id: ver
+        run: echo "version=$(git describe --tags --abbrev=0 2>/dev/null || echo dev)" >> "$GITHUB_OUTPUT"
+
+      - uses: docker/setup-qemu-action@v4
+      - uses: docker/setup-buildx-action@v4
+
+      - uses: docker/login-action@v4
+        with:
+          username: ${{ secrets.DOCKERHUB_USERNAME }}
+          password: ${{ secrets.DOCKERHUB_TOKEN }}
+
+      - uses: docker/build-push-action@v7
+        with:
+          context: .
+          push: true
+          platforms: linux/amd64,linux/arm64
+          # Refresh the floating tag only — never overwrite a versioned release.
+          tags: torrentclaw/unarr:latest
+          build-args: |
+            VERSION=${{ steps.ver.outputs.version }}
+          # Force a fresh base pull so apk upgrade picks up new patches.
+          no-cache: true
+
+      - name: Scan image for fixable CVEs (gate)
+        uses: docker/scout-action@v1
+        with:
+          command: cves
+          image: torrentclaw/unarr:latest
+          only-severities: critical,high
+          only-fixed: true
+          exit-code: true