Add Trivy CVE scan, container registry docs, and update diagrams
- Add Trivy vulnerability scan step to CI (HIGH/CRITICAL, warn-only) - Add Container Registry section to README with pull examples - Update architecture doc and HLD with crane + Trivy details Co-authored-by: Cursor <cursoragent@cursor.com>
This commit is contained in:
@@ -147,7 +147,7 @@ All container images are stored in **GCP Artifact Registry** in the `company-inc
|
||||
- **Image retention policy** — keep the latest 10 tagged images per service; automatically garbage-collect untagged manifests older than 30 days.
|
||||
- **Access control** — CI service account has `roles/artifactregistry.writer`; GKE node service accounts have `roles/artifactregistry.reader`. No human push access.
|
||||
|
||||
*For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost, with Trivy added as a CI step for vulnerability scanning.*
|
||||
*For self-hosted Git platforms (e.g. Gitea), the built-in OCI container registry can serve the same role at zero additional cost. In the practical part of this project, this is demonstrated: the CI pipeline mirrors the upstream FleetDM image to the Gitea OCI registry using `crane` (a daemonless image tool), then scans it with **Trivy** for HIGH/CRITICAL CVEs before publishing the release.*
|
||||
|
||||
#### Deployment Pipelines (CI/CD Integration)
|
||||
|
||||
|
||||
Reference in New Issue
Block a user