Only the most recent published image tags are supported with security fixes:
| Tag | Supported |
|---|---|
latest |
✅ |
Most recent vX.Y.Z release |
✅ |
| Older releases | ❌ |
Every image build is scanned for OS and library vulnerabilities with Trivy:
- Pull requests that touch the
Dockerfileare scanned before merge; the build fails on fixableCRITICAL/HIGHfindings. mainand release builds are scanned again before the image is pushed to Docker Hub, blocking publish on fixableCRITICAL/HIGHfindings.- The published
tungbq/devops-toolkit:latestimage is re-scanned on a recurring schedule to catch newly disclosed CVEs in already-shipped layers. - All scan results are uploaded as SARIF and published to this repository's Security tab.
- A CycloneDX SBOM is generated for every
mainand release build and attached as a workflow artifact for supply-chain verification. - A small number of CVEs are explicitly suppressed via
.trivyignorewith inline justification — currently limited to Go-module CVEs vendored inside upstream binaries (kubectl, terraform) where no release fixing them exists yet. This list is reviewed whenever those tools are version-bumped.
If you discover a vulnerability in this repository or in a published tungbq/devops-toolkit image:
- Please do not open a public issue for undisclosed vulnerabilities.
- Report it privately via GitHub Security Advisories for this repository.
- Include the affected tag/digest, the tool and version involved, and steps to reproduce if applicable.
You should expect an initial response within a few days. Confirmed vulnerabilities will be fixed and released as soon as practical, and credited in the release notes unless you request otherwise.