v0.1.2
Changed
- Switched the Docker base image from
python:3.12-slim-bookworm(Debian) to a distroless Chainguard/Wolfi Python base (cgr.dev/chainguard/python). The Debian base carried 4 CRITICAL + 17 HIGH OS-package CVEs with no upstream fix available (perl, zlib, sqlite, util-linux, ncurses); the Wolfi image ships those packages away entirely and scans 0 vulnerabilities at every severity. The venv is built on the matching-devimage so its interpreter resolves at runtime; the runtime is smaller (231 MB vs 341 MB) and still runs as a non-root user. The previousapt-get upgradeanduseraddsteps are gone (no package manager / already non-root). make scannow fails on fixable CRITICAL/HIGH vulnerabilities (--severity CRITICAL,HIGH --ignore-unfixed --exit-code 1), matching the CI gate for local parity.
Security
- Automated container image vulnerability scanning with Trivy. The new
image-scanworkflow builds the image and fails the build on fixable CRITICAL/HIGH vulnerabilities on every pull request and push tomain, and thepublish/publish-dockerhubworkflows run the same gate before pushing so a vulnerable image can't reach GHCR or Docker Hub. - Added a
scan-scheduledworkflow that re-scans the published:latestimage daily and uploads results (all severities, including unfixed) to the GitHub Security tab, catching CVEs disclosed after build time. - Added a Dependabot config (
.github/dependabot.yml) opening weekly update PRs for the Docker base image, GitHub Actions, and Python dependencies, and enabled Dependabot alerts + security updates on the repository.
Full changelog: v0.1.1...v0.1.2