Once a day, a GitHub Action builds the Docker image and scans it.
If there are vulnerabilities, an issue is created with the label security.
How should we handle the case where such an issue already exists? Create yet another one? Update the existing one? Do nothing while a vulnerability scan issue is already open?
The issues should contain a description of how to build and scan the Docker image yourself locally. Such as:
There are some alternatives available; just searching the internet for "trivy github action" yields lots of good ones.
I suggest adding this to one repo first, and only once that is reviewed and merged start applying it to the rest of the repos.
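A concrete shape for the daily job, as an added example and not the project's own workflow: it builds the image without pushing it, scans it with aquasecurity/trivy-action, and takes the "update the existing one" option from the question above by commenting on an open security-labelled issue instead of opening a duplicate. The image tag, the schedule and the HIGH/CRITICAL threshold are assumptions, and the security label must already exist in the repo.

```yaml
name: Daily image vulnerability scan
on:
  schedule:
    - cron: "0 5 * * *"      # once a day (assumed time, 05:00 UTC)
  workflow_dispatch:         # allow a manual run while the change is under review
permissions:
  contents: read
  issues: write              # needed to create or comment on issues
jobs:
  scan:
    runs-on: ubuntu-latest
    env:
      IMAGE: local/example-image:scan   # constructed tag, never pushed anywhere
    steps:
      - uses: actions/checkout@v4
      - name: Build the image (kept local, not pushed)
        run: docker build -t "$IMAGE" .
      - name: Scan with Trivy
        id: trivy
        uses: aquasecurity/trivy-action@master   # pin to a release tag or commit SHA in real use
        with:
          image-ref: ${{ env.IMAGE }}
          format: table
          output: trivy-report.txt
          severity: HIGH,CRITICAL           # assumed threshold for "there are vulnerabilities"
          ignore-unfixed: true              # skip findings with no fixed version yet
          exit-code: "1"                    # step fails when findings exist
        continue-on-error: true             # keep going so the issue step can run
      - name: Open the security issue, or append to the one already open
        if: steps.trivy.outcome == 'failure'
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          # Issue body: how to reproduce the scan locally, then the report
          {
            echo "Trivy found HIGH/CRITICAL vulnerabilities in the image built from $GITHUB_SHA."
            echo
            echo "Reproduce locally:"
            echo "    docker build -t $IMAGE ."
            echo "    trivy image --severity HIGH,CRITICAL $IMAGE"
            echo
            sed 's/^/    /' trivy-report.txt
          } > body.md
          # Reuse an open issue carrying the label rather than creating a duplicate
          existing=$(gh issue list --label security --state open --json number --jq '.[0].number // empty')
          if [ -n "$existing" ]; then
            gh issue comment "$existing" --body-file body.md
          else
            gh issue create --title "Vulnerability scan findings" --label security --body-file body.md
          fi
```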
Repos that need this:
In the future we can translate this to a Wharf build, but as Wharf lacks this kind of integration right now we should start the work using GitHub Actions.