Skip to content

Add vulnerability scanning in CI #825

Open
Feature
Open
Add vulnerability scanning in CI#825
Feature
Labels
build/environmentCategorizes an issue or PR relevant to the build environment.good first issueDenotes an issue ready for a new contributorhelp wantedDenotes an issue that needs help from a contributor.kind/wishCategorizes issue or PR as a wish.

Description

@pnoltes
pnoltes
opened on Feb 7, 2026

Add vulnerability scanning to the CI pipeline based on the generated SBOM.

Scope

  • Scan SBOM build artefact for known vulnerabilities (CVE / CVSS)
  • Use OSS tooling (e.g. grype, trivy, osv-scanner)
  • Initial setup is report-only (no CI gating)
    • Bonus: add CI gating for issues with a CVSS of 9 or higher.

tool recommendations are welcome.

Expected outcome

  • CI job that performs vulnerability scanning
  • Machine-readable scan output published as a CI artifact
  • Short documentation describing:
    • which tool is used
    • what is (and is not) covered

Metadata

Metadata

Assignees

No one assigned

    Labels

    build/environmentCategorizes an issue or PR relevant to the build environment.good first issueDenotes an issue ready for a new contributorhelp wantedDenotes an issue that needs help from a contributor.kind/wishCategorizes issue or PR as a wish.

    Type

    Feature

    Fields

    No fields configured for Feature.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions