fix(security): bump golang.org/x deps and add container CVE scan gate
- Bump golang.org/x/{net,crypto,sys,text,term} to latest patches to
clear GHSA module advisories flagged by Docker Scout.
- Add Docker Scout CVE gate to the release workflow (fails only on
FIXABLE critical/high; unfixed upstream ffmpeg codec CVEs are accepted
and documented in SECURITY.md).
- Add weekly + manual docker-rebuild workflow so newly fixed base/
ffmpeg/Go patches land on :latest between tagged releases.
- Document container image vuln-scanning policy and hardening in
SECURITY.md.
This commit is contained in:
Deivid Soto
parent
fb44f3711e
commit
283eb54a74
5 changed files with 128 additions and 19 deletions
13
.github/workflows/release.yml
vendored
13
.github/workflows/release.yml
vendored
|
|
@ -84,6 +84,19 @@ jobs:
|
|||
build-args: |
|
||||
VERSION=${{ github.ref_name }}
|
||||
|
||||
# CVE gate. Fails the release on FIXABLE critical/high only — unfixed
|
||||
# upstream ffmpeg codec CVEs are accepted (see SECURITY.md), so the
|
||||
# codec noise does not block. Runs post-push (image already published);
|
||||
# a failure here flags that a fixable CVE slipped through.
|
||||
- name: Scan image for fixable CVEs (gate)
|
||||
uses: docker/scout-action@v1
|
||||
with:
|
||||
command: cves
|
||||
image: torrentclaw/unarr:latest
|
||||
only-severities: critical,high
|
||||
only-fixed: true
|
||||
exit-code: true
|
||||
|
||||
# Sync the Docker Hub repo description from DOCKERHUB.md. Non-fatal: a
|
||||
# description-API auth hiccup must not undo a successful image push.
|
||||
- name: Update Docker Hub description
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue