Add Trivy CVE scan, container registry docs, and update diagrams

- Add Trivy vulnerability scan step to CI (HIGH/CRITICAL, warn-only) - Add Container Registry section to README with pull examples - Update architecture doc and HLD with crane + Trivy details Co-authored-by: Cursor <cursoragent@cursor.com>
2026-02-19 21:38:05 +00:00
parent bd723dbd05
commit 8e99fe7614
4 changed files with 40 additions and 4 deletions
@@ -144,6 +144,25 @@ For production, configure proper TLS and a stable DNS name for agents.
 1. **Basic CI pipeline** — Gitea Actions lint on push, release on tag (see [.github/workflows/release.yaml](.github/workflows/release.yaml))
 2. **Exposed Fleet UI** — `make port-forward` on port 8585 (+ ingress `fleet.localhost`)
 3. **`fleet prepare db`** — Handled by `autoApplySQLMigrations: true` in the Fleet Helm chart
+4. **Container image mirroring** — CI mirrors the upstream `fleetdm/fleet` image to the [Gitea OCI registry](https://git.produktor.io/eSlider/-/packages) using `crane` (daemonless)
+5. **Trivy vulnerability scan** — Each release scans the mirrored image for HIGH/CRITICAL CVEs
+
+## Container Registry
+
+The CI pipeline mirrors the FleetDM image to the Gitea container registry on every release.
+
+```bash
+# Pull the latest mirrored image
+docker pull git.produktor.io/eslider/flamingo-tech-test:latest
+
+# Pull a specific app version
+docker pull git.produktor.io/eslider/flamingo-tech-test:4.80.1
+
+# Pull by chart release tag
+docker pull git.produktor.io/eslider/flamingo-tech-test:v0.0.10
+```
+
+Browse all available tags at [git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest](https://git.produktor.io/eSlider/-/packages/container/flamingo-tech-test/latest).

 ## Project Structure