[Info] Automating container vulnerability scanning in CI/CD

[igor-soldev]

Hi SORMAS maintainers,

I'm reaching out because our team recently open-sourced an infrastructure and container auditing tool called InfraScan, and we used the SORMAS-Project repository to test its capabilities against real-world, large-scale projects.

Since we packaged InfraScan as a standalone Docker image, you can easily integrate it into your GitHub Actions workflow to block PRs that introduce high or critical CVEs, and automatically generate an HTML report for the team to review.

Here is a quick snippet you can use or adapt for your .github/workflows/:

name: Security Audit
on: [push, pull_request]
jobs:
  infrascan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      - name: Run InfraScan (Containers & IaC)
        run: |
          docker run --rm \
            -v ${{ github.workspace }}:/scan \
            soldevelo/infrascan:latest \
            --scanner comprehensive \
            --format html \
            --out /scan/security-report.html \
            --fail-on high_critical

      - name: Upload HTML Report
        uses: actions/upload-artifact@v4
        if: always()
        with:
          name: security-report
          path: security-report.html