woodpecker-ci / woodpecker

Woodpecker is a simple, yet powerful CI/CD engine with great extensibility.
https://woodpecker-ci.org
Apache License 2.0
4.11k stars 354 forks

Let linter check against vulnerable plugin list #4080

Open 6543 opened 2 weeks ago

6543 commented 2 weeks ago

host a list (json) at https://api.woodpecker-ci.org/vuln/plugins.json or so ... so we could also count the api access counts to get some estimations of server installations.

also the list should be compiled into the binary for offline/air-gapped systems and updated by the server once a day.

the list should contain:

that file should be managed within the git repo like we do with our plugin list for the website ...
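The check proposed above, as an added Go example that is not Woodpecker's own code: a JSON list of vulnerable plugin images with a copy embedded in the binary, a resolver that prefers a freshly fetched list and falls back to the embedded one when the fetch fails (the air-gapped case), and a linter pass that compares each pipeline step's image reference against the list. The issue does not fix the list's schema, so the `image`/`versions`/`advisory` fields, the `example.invalid` image names and the `EXAMPLE-000x` advisory ids are all constructed assumptions for this example.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"sort"
	"strings"
)

// VulnPlugin is one entry of the vulnerable-plugin list. The issue does not
// fix a schema, so this shape is an assumption made for the example.
type VulnPlugin struct {
	Image    string   `json:"image"`    // plugin image without tag
	Versions []string `json:"versions"` // affected tags; empty means every tag
	Advisory string   `json:"advisory"` // reference the linter shows to the user
}

// embeddedList stands in for the copy compiled into the binary.
// The entries are constructed sample data, not a real advisory list.
const embeddedList = `[
  {"image": "example.invalid/plugins/deploy", "versions": ["1.2.0", "1.2.1"], "advisory": "EXAMPLE-0001"},
  {"image": "example.invalid/plugins/notify", "versions": [], "advisory": "EXAMPLE-0002"}
]`

// ParseList decodes a JSON list and rejects entries without an image name.
func ParseList(data []byte) ([]VulnPlugin, error) {
	var list []VulnPlugin
	if err := json.Unmarshal(data, &list); err != nil {
		return nil, fmt.Errorf("decode vulnerable plugin list: %w", err)
	}
	for i, p := range list {
		if p.Image == "" {
			return nil, fmt.Errorf("entry %d has no image", i)
		}
	}
	return list, nil
}

// ResolveList prefers a freshly fetched list (e.g. from the configured URL)
// and falls back to the embedded copy when the fetch fails or the remote
// content does not parse, so air-gapped servers still get a usable list.
// The second result reports whether the fresh list was used.
func ResolveList(fetch func() ([]byte, error)) ([]VulnPlugin, bool) {
	if fetch != nil {
		if data, err := fetch(); err == nil {
			if list, err := ParseList(data); err == nil {
				return list, true
			}
		}
	}
	list, err := ParseList([]byte(embeddedList))
	if err != nil {
		panic("embedded list is invalid: " + err.Error())
	}
	return list, false
}

// splitImage separates "name:tag"; a missing tag is reported as "latest".
// Digest references ("name@sha256:...") are kept whole with an empty tag.
func splitImage(ref string) (name, tag string) {
	if strings.Contains(ref, "@") {
		return ref, ""
	}
	i := strings.LastIndex(ref, ":")
	// a colon followed by a slash is a registry port, not a tag separator
	if i == -1 || strings.Contains(ref[i:], "/") {
		return ref, "latest"
	}
	return ref[:i], ref[i+1:]
}

// Finding is one linter hit: the step name, its image and the advisory.
type Finding struct {
	Step, Image, Advisory string
}

// CheckSteps compares every step's image against the list. steps maps step
// name to image reference, as a pipeline linter would see them.
func CheckSteps(steps map[string]string, list []VulnPlugin) []Finding {
	var out []Finding
	for step, ref := range steps {
		name, tag := splitImage(ref)
		for _, p := range list {
			if p.Image != name {
				continue
			}
			if len(p.Versions) == 0 {
				out = append(out, Finding{step, ref, p.Advisory})
				continue
			}
			for _, v := range p.Versions {
				if v == tag {
					out = append(out, Finding{step, ref, p.Advisory})
					break
				}
			}
		}
	}
	sort.Slice(out, func(i, j int) bool { return out[i].Step < out[j].Step })
	return out
}

func main() {
	// Simulate the offline case: the fetch fails, so the embedded list is used.
	list, fresh := ResolveList(func() ([]byte, error) { return nil, errors.New("network unreachable") })
	fmt.Printf("using freshly fetched list: %v\n", fresh)
	steps := map[string]string{
		"build":  "golang:1.22",
		"deploy": "example.invalid/plugins/deploy:1.2.1",
		"notify": "example.invalid/plugins/notify:3.0.0",
	}
	for _, f := range CheckSteps(steps, list) {
		fmt.Printf("step %q uses vulnerable plugin %s (%s)\n", f.Step, f.Image, f.Advisory)
	}
}
```

The `fetch` callback is where the configurable URL and the once-a-day refresh would plug in; keeping it as a function makes the fallback path testable without a network. An entry with an empty `versions` list flags every tag of that image, which is the conservative choice when an advisory covers all releases.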

6543 commented 2 weeks ago

PS: the url should be able to be configured for air-gapped systems etc...

zc-devs commented 2 weeks ago

> we could also get some estimations of server installations

It's a different topic #84.

6543 commented 2 weeks ago

well yes we can use it for that too ... for now we don't have any infra so I would just serve what we would then have checked into your git repo ... and it is easy to disable by pointing to the github raw content of the potential file ...