In an effort to improve our rate of dependency bumps and CVE fixes, we would like more visibility into our scan results on each PR to the k3s project. This will likely involve a new GitHub Action (GHA) or something to that effect to expose the results of our CVE scans (right now we use Trivy) for each PR. That way we can evaluate what needs to be done on a release-to-release basis to mitigate CVEs.
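One shape such a workflow could take, as an added illustration rather than an existing k3s workflow: run a Trivy filesystem scan of the checked-out tree on every pull request, upload the SARIF so findings appear in the PR's code-scanning checks, and echo a table into the job summary so reviewers see HIGH/CRITICAL items without leaving the PR. It assumes the Go module sits at the repository root, and the `trivy-action` version pin is a placeholder to replace with the current release.

```yaml
# Added example, not an existing k3s workflow. Surfaces Trivy results per PR
# without failing the check (exit-code 0): visibility first, gating later.
name: Trivy PR scan

on:
  pull_request:

permissions:
  contents: read
  security-events: write   # required by upload-sarif

jobs:
  trivy:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Scan go.mod/go.sum and Dockerfiles in the tree. ignore-unfixed keeps
      # findings with no available patch out of the review noise.
      - name: Trivy filesystem scan (SARIF for code scanning)
        uses: aquasecurity/trivy-action@0.28.0   # placeholder pin; use current release
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          format: sarif
          output: trivy-results.sarif
          exit-code: "0"

      - name: Upload results to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: trivy-results.sarif

      # Same scan in table form for the human-readable job summary.
      - name: Trivy filesystem scan (table for job summary)
        uses: aquasecurity/trivy-action@0.28.0
        with:
          scan-type: fs
          scan-ref: .
          scanners: vuln
          severity: HIGH,CRITICAL
          ignore-unfixed: true
          format: table
          output: trivy-summary.txt
          exit-code: "0"

      - name: Publish summary
        run: |
          echo '## Trivy HIGH/CRITICAL findings' >> "$GITHUB_STEP_SUMMARY"
          echo '<pre>' >> "$GITHUB_STEP_SUMMARY"
          cat trivy-summary.txt >> "$GITHUB_STEP_SUMMARY"
          echo '</pre>' >> "$GITHUB_STEP_SUMMARY"
```

Once the team is comfortable with the signal, flipping `exit-code` to `"1"` on the SARIF step turns the same workflow into a gate for new HIGH/CRITICAL findings.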