Container Vulnerability Management

Official

Scan, triage, and mitigate Docker CVEs safely.

Author: broadinstitute
Version: 1.0.0
Installs: 0

System Documentation

What problem does it solve?

It helps you systematically identify and reduce security vulnerabilities in the viral-ngs container image stack by scanning, filtering, triaging, and documenting remediation decisions.

Core Features & Use Cases

  • Automated vulnerability scanning: Uses Trivy to scan multiple Docker image flavors and produces results for GitHub Security (SARIF) and artifact retention (JSON).
  • Policy-driven risk filtering: Applies a Rego policy to filter architecturally inapplicable findings and supports per-CVE overrides with mandatory justification.
  • Operational triage workflow: On a weekly schedule, detects new fixable HIGH/CRITICAL issues and automatically creates CVE-labeled GitHub issues after AI-assisted triage.
  • Mitigation guidance for bioinformatics containers: Provides practical checks for common vulnerability sources like Python transitive dependencies, vendored libraries in uber JARs, and embedded Go binaries.

Quick Start

Ask the AI to produce a CVE triage decision for a specific Trivy finding from your weekly container scan, and to state whether the finding should be filtered out by the Rego policy or handled as a .trivyignore exception with a written justification.

Dependency Matrix

Required Modules

None required

Components

Standard package

💻 Claude Code Installation

Recommended: let Claude install it automatically. Copy and paste the text below into Claude Code.

Please help me install this Skill:
Name: Container Vulnerability Management
Download link: https://github.com/broadinstitute/viral-ngs/archive/main.zip#container-vulnerability-management

Please download this .zip file, extract it, and install it in the .claude/skills/ directory.
