This is an educational / portfolio project demonstrating a secure container build pipeline. It is not intended for production use as-is.
If you find a security issue in this repo, please:
- Open a GitHub issue
Please do not include exploit details in public issues for anything sensitive — email first and I'll respond before disclosure.
- CI security gate — every build is scanned by Trivy. HIGH and CRITICAL vulnerabilities fail the build.
- Image hardening — multi-stage build, non-root runtime user, minimal final image.
- Pinned base images — base images are pinned by digest, not floating tags.
- SBOM — a Software Bill of Materials is generated with Syft.
- Second opinion — images are also scanned with Docker Scout.
- Documented exceptions — accepted base-image CVEs are listed and justified in .trivyignore.
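The hardening rules in the list above, as an added example that is not part of this repository's own code or CI workflow: a shell lint that checks a Dockerfile for digest-pinned FROM lines and a non-root USER in the final stage, followed by the scan gate commands (Trivy failing on HIGH/CRITICAL with .trivyignore, Syft for the SBOM, Docker Scout as the second opinion) as they could be invoked in CI. The two sample Dockerfiles and the image name `example-app:ci` are constructed for the demonstration, the digests are placeholders, and the exact Trivy/Syft/Scout options are assumptions about how a gate like this is configured, not values taken from this project.

```shell
#!/usr/bin/env bash
# Added example, not code from this repository. Two lint checks for the hardening
# rules listed above (digest-pinned base images, non-root final stage) plus the
# scan gate as it could be run in CI. The Dockerfiles below are constructed and
# the digests are placeholders (64 hex digits, not real image digests).

# Pass when every FROM references an image by @sha256:<64 hex digits>; references
# to an earlier build stage (FROM builder) carry no digest and are skipped.
check_digest_pins() {
  local dockerfile="$1" rc=0 line image stage stages=" "
  while IFS= read -r line; do
    printf '%s\n' "$line" | grep -qiE '^[[:space:]]*FROM[[:space:]]' || continue
    image=$(printf '%s\n' "$line" | awk '{print $2}')
    # "FROM --platform=... image" puts a flag before the image reference.
    case "$image" in --*) image=$(printf '%s\n' "$line" | awk '{print $3}') ;; esac
    case "$stages" in *" $image "*) continue ;; esac
    # Remember a stage name declared with "AS name" so later FROM lines may use it.
    stage=$(printf '%s\n' "$line" | sed -nE 's/.*[[:space:]][Aa][Ss][[:space:]]+([A-Za-z0-9_.-]+).*/\1/p')
    if [ -n "$stage" ]; then stages="$stages$stage "; fi
    printf '%s\n' "$image" | grep -qE '@sha256:[0-9a-f]{64}$' \
      || { echo "unpinned base image: $line"; rc=1; }
  done < "$dockerfile"
  return "$rc"
}

# Pass when the last build stage ends with a USER that is neither root nor UID 0.
# A new FROM starts a new stage, so a USER set in the builder stage does not count.
check_nonroot_user() {
  local dockerfile="$1" line last_user=""
  while IFS= read -r line; do
    if printf '%s\n' "$line" | grep -qiE '^[[:space:]]*FROM[[:space:]]'; then
      last_user=""
    elif printf '%s\n' "$line" | grep -qiE '^[[:space:]]*USER[[:space:]]'; then
      last_user=$(printf '%s\n' "$line" | awk '{print $2}')
    fi
  done < "$dockerfile"
  case "$last_user" in
    ""|root|0|root:*|0:*) echo "final stage runs as root (USER '${last_user:-unset}')"; return 1 ;;
  esac
  return 0
}

# The gate commands as they could run in CI after "docker build -t example-app:ci .".
# Not executed here: they need Trivy, Syft, Docker Scout and network access. The
# option values are assumptions about such a gate, not taken from this project.
ci_gate() {
  local image="$1"
  # Fail the build on HIGH/CRITICAL findings; accepted CVEs are read from .trivyignore.
  trivy image --severity HIGH,CRITICAL --exit-code 1 --ignorefile .trivyignore "$image" || return 1
  # Generate the SBOM (SPDX JSON) from the built image.
  syft "$image" -o spdx-json > sbom.spdx.json || return 1
  # Second opinion: report Docker Scout's findings alongside Trivy's.
  docker scout cves "$image"
}

# Constructed sample: the hardened layout the list above describes.
GOOD_DOCKERFILE=$(mktemp)
cat > "$GOOD_DOCKERFILE" <<'EOF'
FROM golang:1.22-alpine@sha256:0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef AS builder
WORKDIR /src
COPY . .
RUN CGO_ENABLED=0 go build -o /out/app .

FROM alpine:3.20@sha256:fedcba9876543210fedcba9876543210fedcba9876543210fedcba9876543210
RUN adduser -D -u 10001 app
COPY --from=builder /out/app /usr/local/bin/app
USER 10001
ENTRYPOINT ["/usr/local/bin/app"]
EOF

# Constructed sample: floating tags and no USER, so both checks should fail.
BAD_DOCKERFILE=$(mktemp)
cat > "$BAD_DOCKERFILE" <<'EOF'
FROM golang:1.22-alpine AS builder
WORKDIR /src
COPY . .
RUN go build -o /out/app .

FROM alpine:3.20
COPY --from=builder /out/app /usr/local/bin/app
ENTRYPOINT ["/usr/local/bin/app"]
EOF

# Stand-alone run: lint the hardened sample (the real gate would follow on success).
if check_digest_pins "$GOOD_DOCKERFILE" && check_nonroot_user "$GOOD_DOCKERFILE"; then
  echo "lint passed for $GOOD_DOCKERFILE"
fi
```

Running the two lint functions before `docker build` catches a floating tag or a root final stage without waiting for the image scan, and keeps the .trivyignore exceptions limited to CVEs in images that are actually pinned.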
Only the main branch is maintained.