fix(security): bump golang.org/x deps and add container CVE scan gate
- Bump golang.org/x/{net,crypto,sys,text,term} to latest patches to
clear GHSA module advisories flagged by Docker Scout.
- Add Docker Scout CVE gate to the release workflow (fails only on
FIXABLE critical/high; unfixed upstream ffmpeg codec CVEs are accepted
and documented in SECURITY.md).
- Add a weekly + manual docker-rebuild workflow so newly released base-image,
ffmpeg and Go fixes land on :latest between tagged releases.
- Document container image vuln-scanning policy and hardening in
SECURITY.md.
parent
fb44f3711e
commit
283eb54a74
5 changed files with 128 additions and 19 deletions
10
go.mod
10
go.mod
|
|
@ -16,7 +16,7 @@ require (
|
|||
github.com/pion/webrtc/v4 v4.2.11
|
||||
github.com/spf13/cobra v1.10.2
|
||||
github.com/torrentclaw/go-client v0.2.0
|
||||
golang.org/x/term v0.41.0
|
||||
golang.org/x/term v0.43.0
|
||||
golang.org/x/time v0.15.0
|
||||
golang.zx2c4.com/wireguard v0.0.0-20250521234502-f333402bd9cb
|
||||
)
|
||||
|
|
@ -122,12 +122,12 @@ require (
|
|||
go.opentelemetry.io/otel v1.42.0 // indirect
|
||||
go.opentelemetry.io/otel/metric v1.42.0 // indirect
|
||||
go.opentelemetry.io/otel/trace v1.42.0 // indirect
|
||||
golang.org/x/crypto v0.49.0 // indirect
|
||||
golang.org/x/crypto v0.51.0 // indirect
|
||||
golang.org/x/exp v0.0.0-20260312153236-7ab1446f8b90 // indirect
|
||||
golang.org/x/net v0.52.0 // indirect
|
||||
golang.org/x/net v0.54.0 // indirect
|
||||
golang.org/x/sync v0.20.0 // indirect
|
||||
golang.org/x/sys v0.42.0 // indirect
|
||||
golang.org/x/text v0.35.0 // indirect
|
||||
golang.org/x/sys v0.44.0 // indirect
|
||||
golang.org/x/text v0.37.0 // indirect
|
||||
golang.zx2c4.com/wintun v0.0.0-20230126152724-0fa3db229ce2 // indirect
|
||||
gvisor.dev/gvisor v0.0.0-20250503011706-39ed1f5ac29c // indirect
|
||||
lukechampine.com/blake3 v1.4.1 // indirect
|
||||
|
|
|
|||