This project uses automated security scanning as part of our CI/CD pipeline to catch known vulnerabilities in container images before they are deployed.
- Trivy: Primary vulnerability scanner for container images
- SBOM Generation: Software Bill of Materials for supply chain transparency
- GitHub Security: Integration with GitHub's security features
Our CI pipeline implements the following security gates:

| Severity | Action |
|---|---|
| CRITICAL | ❌ Block deployment - Build fails immediately |
| HIGH | ⚠️ Warn - Build fails only once the count reaches the configured threshold (5 by default) |
| MEDIUM/LOW | ✅ Allow - Logged for monitoring |
Each build generates:
- SARIF Report - Uploaded to GitHub Security tab
- Human-readable Report - Stored as build artifact
- SBOM (SPDX) - Software Bill of Materials
- Vulnerability Database - Updated regularly
To modify security gates, update the CI workflow:

```yaml
# Example: Block on 3+ HIGH vulnerabilities instead of 5
- name: Security gate - Warn on HIGH vulnerabilities
  if: steps.vuln-check.outputs.high-count >= 3   # "3+" means three or more
  run: |
    echo "::error::HIGH vulnerability count exceeds the gate threshold"
    exit 1
```

- Critical/High Issues: Must be addressed before deployment
- Medium Issues: Addressed in next sprint
- Low Issues: Monitored and addressed during maintenance windows
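The gate policy from the table above and the threshold tweak in the workflow snippet, worked through as an added Python example (this is not the project's own CI script). It tallies a Trivy JSON report by severity, renders the counts in the `key=value` form GitHub Actions reads from `$GITHUB_OUTPUT`, and returns block/warn/allow. It assumes the report was produced by `trivy image --format json` (a top-level `Results` list whose entries carry a `Vulnerabilities` list, which Trivy leaves as `null` for a clean target) and that a `vuln-check` step would run it; the sample report and its CVE ids are constructed placeholders.

```python
"""Severity gate over a Trivy JSON report.

Added example, not the project's own gate script. Assumes the report comes
from `trivy image --format json`: top-level "Results", each with a
"Vulnerabilities" list whose entries carry a "Severity" field. The default
threshold of 5 HIGH findings mirrors the policy described above.
"""
import json
import sys
from collections import Counter

SEVERITIES = ("CRITICAL", "HIGH", "MEDIUM", "LOW", "UNKNOWN")

# Constructed sample in the shape of a Trivy JSON report, trimmed to the
# fields the gate reads. The CVE ids are placeholders, not real advisories.
SAMPLE_REPORT = json.dumps({
    "Results": [
        {
            "Target": "example-image:latest (debian 12)",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libfoo", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0002", "PkgName": "libbar", "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libbar", "Severity": "MEDIUM"},
            ],
        },
        # A clean target: Trivy emits null here (or omits the key entirely).
        {"Target": "Python", "Vulnerabilities": None},
        {
            "Target": "app/requirements.txt",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-0000-0004", "PkgName": "examplelib", "Severity": "LOW"},
            ],
        },
    ]
})


def count_by_severity(report_json: str) -> Counter:
    """Tally findings per severity across every target in the report."""
    report = json.loads(report_json)
    counts: Counter = Counter({s: 0 for s in SEVERITIES})
    for result in report.get("Results") or []:
        # `or []` covers both a missing key and the null Trivy writes for clean targets
        for vuln in result.get("Vulnerabilities") or []:
            counts[vuln.get("Severity", "UNKNOWN").upper()] += 1
    return counts


def evaluate_gate(counts: Counter, high_threshold: int = 5) -> tuple:
    """Apply the gate policy and return (decision, reason).

    CRITICAL: any finding blocks. HIGH: block once the count reaches
    high_threshold, warn below it. MEDIUM/LOW: allow and log.
    """
    if counts["CRITICAL"] > 0:
        return "block", f"{counts['CRITICAL']} CRITICAL finding(s)"
    if counts["HIGH"] >= high_threshold:
        return "block", f"{counts['HIGH']} HIGH findings (threshold {high_threshold})"
    if counts["HIGH"] > 0:
        return "warn", f"{counts['HIGH']} HIGH finding(s) below threshold {high_threshold}"
    reason = "only MEDIUM/LOW findings" if counts["MEDIUM"] + counts["LOW"] else "no findings"
    return "allow", reason


def github_outputs(counts: Counter) -> str:
    """Render key=value lines in the format GitHub Actions reads from $GITHUB_OUTPUT."""
    return "\n".join(f"{sev.lower()}-count={counts[sev]}" for sev in SEVERITIES)


if __name__ == "__main__":
    # Usage: python gate.py trivy-report.json [high-threshold]
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REPORT
    threshold = int(sys.argv[2]) if len(sys.argv) > 2 else 5
    tally = count_by_severity(text)
    decision, why = evaluate_gate(tally, threshold)
    print(github_outputs(tally))
    print(f"gate: {decision} ({why})")
    sys.exit(1 if decision == "block" else 0)
```

In a workflow the script's stdout would be appended to `$GITHUB_OUTPUT` by the `vuln-check` step, so a later `if: steps.vuln-check.outputs.high-count >= N` expression can read the counts; lowering `high_threshold` is the one-line change the snippet above describes.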
If you discover a security vulnerability, please report it to:
- Email: [email protected]
- Create a private security advisory on GitHub
- Vulnerability database updated daily
- Security policies reviewed quarterly
- SBOM generated for every release
Every container image includes:
- All installed packages and versions
- Dependency relationships
- License information
- Source repositories
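The four items above map directly onto fields of an SPDX 2.3 JSON document, which is the format Trivy writes with `--format spdx-json`. The following added Python example (not the project's own tooling) reads such a document, recovers packages and versions, dependency relationships, licences and download locations, and flags packages whose licence is undetermined or on a placeholder denylist. The sample SBOM is constructed for illustration and the `DENIED_LICENSES` set is an assumed policy, not one the project states.

```python
"""Summarise an SPDX 2.3 JSON SBOM.

Added example, not the project's own tooling. Assumes the SPDX JSON layout
Trivy emits: a "packages" list (SPDXID, name, versionInfo, licenseConcluded,
downloadLocation) and a "relationships" list (spdxElementId,
relationshipType, relatedSpdxElement). The sample below is constructed.
"""
import json
from collections import defaultdict

SAMPLE_SBOM = json.dumps({
    "spdxVersion": "SPDX-2.3",
    "SPDXID": "SPDXRef-DOCUMENT",
    "name": "example-image:latest",
    "packages": [
        {"SPDXID": "SPDXRef-Image", "name": "example-image:latest", "versionInfo": "",
         "licenseConcluded": "NOASSERTION", "downloadLocation": "NONE"},
        {"SPDXID": "SPDXRef-Pkg-libfoo", "name": "libfoo", "versionInfo": "1.2.3",
         "licenseConcluded": "MIT", "downloadLocation": "https://example.invalid/libfoo"},
        {"SPDXID": "SPDXRef-Pkg-libbar", "name": "libbar", "versionInfo": "2.0.0",
         "licenseConcluded": "NOASSERTION", "downloadLocation": "NOASSERTION"},
        {"SPDXID": "SPDXRef-Pkg-tool", "name": "exampletool", "versionInfo": "0.9.0",
         "licenseConcluded": "GPL-3.0-only", "downloadLocation": "https://example.invalid/tool"},
    ],
    "relationships": [
        {"spdxElementId": "SPDXRef-DOCUMENT", "relationshipType": "DESCRIBES",
         "relatedSpdxElement": "SPDXRef-Image"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Pkg-libfoo"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Pkg-libbar"},
        {"spdxElementId": "SPDXRef-Image", "relationshipType": "CONTAINS",
         "relatedSpdxElement": "SPDXRef-Pkg-tool"},
        {"spdxElementId": "SPDXRef-Pkg-tool", "relationshipType": "DEPENDS_ON",
         "relatedSpdxElement": "SPDXRef-Pkg-libfoo"},
    ],
})

# Placeholder policy for the example; substitute your own licence rules.
DENIED_LICENSES = {"GPL-3.0-only"}


def load_sbom(text: str) -> dict:
    return json.loads(text)


def packages(sbom: dict) -> dict:
    """Map SPDXID -> name, version, concluded licence and source location."""
    return {
        p["SPDXID"]: {
            "name": p["name"],
            "version": p.get("versionInfo", ""),
            "license": p.get("licenseConcluded", "NOASSERTION"),
            "source": p.get("downloadLocation", "NOASSERTION"),
        }
        for p in sbom.get("packages", [])
    }


def dependency_edges(sbom: dict, kinds=("CONTAINS", "DEPENDS_ON")) -> list:
    """(source name, relationship, target name) for each containment/dependency edge."""
    pkgs = packages(sbom)
    edges = []
    for rel in sbom.get("relationships", []):
        if rel["relationshipType"] in kinds:
            src = pkgs.get(rel["spdxElementId"], {}).get("name", rel["spdxElementId"])
            dst = pkgs.get(rel["relatedSpdxElement"], {}).get("name", rel["relatedSpdxElement"])
            edges.append((src, rel["relationshipType"], dst))
    return edges


def license_inventory(sbom: dict) -> dict:
    """Group package names by concluded licence."""
    inv = defaultdict(list)
    for p in packages(sbom).values():
        inv[p["license"]].append(p["name"])
    return dict(inv)


def license_issues(sbom: dict, denied=DENIED_LICENSES) -> list:
    """Packages with a denied or undetermined licence; the root image package is skipped."""
    described = {r["relatedSpdxElement"] for r in sbom.get("relationships", [])
                 if r["relationshipType"] == "DESCRIBES"}
    issues = []
    for spdxid, p in packages(sbom).items():
        if spdxid in described:
            continue
        if p["license"] in denied:
            issues.append((p["name"], "denied license " + p["license"]))
        elif p["license"] in ("NOASSERTION", "NONE"):
            issues.append((p["name"], "license not determined"))
    return issues


if __name__ == "__main__":
    doc = load_sbom(SAMPLE_SBOM)
    for name, kind, target in dependency_edges(doc):
        print(f"{name} {kind} {target}")
    print(license_inventory(doc))
    print(license_issues(doc))
```

Packages whose licence comes back as `NOASSERTION` are the ones worth a manual look: the scanner could not determine the licence, so the SBOM gives no supply-chain assurance for them.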
Consider implementing image signing for production deployments:

```shell
# Example with Cosign
cosign sign --key cosign.key "$IMAGE_TAG"
```

- Use minimal base images (python:3.11-slim)
- Regular base image updates
- Non-root container execution
- Read-only root filesystem when possible