Problem
Right now Arcane hardcodes the Trivy scanner image (ghcr.io/aquasecurity/trivy:latest). This became a real issue when the default image was compromised via a malicious release in March 2026 (see #2118) — users had no way to override it without patching the deployment manually.
Proposed solution
Add a Vulnerability Scanner section in Settings where users can specify:
- Image: custom registry/image path (e.g. a self-hosted mirror or air-gapped registry)
- Tag/version: pin to a specific release instead of `latest`
A sensible default would be a pinned stable release, with the option to reset to default.
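As an added illustration of the setting proposed above (not code from Arcane or from this issue), the following Go snippet shows how the backend could validate the two fields, Image and Tag/version, before handing the reference to the scanner: a missing tag or an explicit `latest` is refused unless the reference is also pinned by digest, a registry host with a port is distinguished from the tag separator, and an empty setting falls back to the pinned default (the "reset to default" path). `DefaultScannerImage` with its `X.Y.Z` tag, the `registry.internal:5000` mirror and the function names are all placeholders chosen for the example.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// DefaultScannerImage stands in for the pinned stable release the issue asks
// for. "X.Y.Z" is a placeholder, not a real Trivy version.
const DefaultScannerImage = "ghcr.io/aquasecurity/trivy:X.Y.Z"

// ScannerImage is the parsed form of a user-supplied scanner image setting.
type ScannerImage struct {
	Repository string // registry host (optional port) plus path
	Tag        string // empty when the reference is pinned by digest only
	Digest     string // "sha256:<64 hex>" when present
}

// String rebuilds the reference in the form a container runtime expects.
func (s ScannerImage) String() string {
	ref := s.Repository
	if s.Tag != "" {
		ref += ":" + s.Tag
	}
	if s.Digest != "" {
		ref += "@" + s.Digest
	}
	return ref
}

var (
	// Tag grammar from the OCI distribution spec: up to 128 word characters,
	// dots and dashes, not starting with a dot or dash.
	tagRe    = regexp.MustCompile(`^[A-Za-z0-9_][A-Za-z0-9_.-]{0,127}$`)
	digestRe = regexp.MustCompile(`^sha256:[a-f0-9]{64}$`)
	// Repository: lowercase path components, optionally a host with a port.
	repoRe = regexp.MustCompile(`^[a-z0-9]+([._-][a-z0-9]+)*(:[0-9]+)?(/[a-z0-9]+([._-][a-z0-9]+)*)*$`)
)

// ParseScannerImage validates a reference and refuses anything that resolves
// to a floating tag: a missing tag (implicitly "latest") or "latest" itself,
// unless the reference is also pinned by digest.
func ParseScannerImage(ref string) (ScannerImage, error) {
	ref = strings.TrimSpace(ref)
	if ref == "" {
		return ScannerImage{}, errors.New("scanner image must not be empty")
	}
	var img ScannerImage
	// Split off an optional digest first; it is the strongest pin.
	if at := strings.LastIndex(ref, "@"); at >= 0 {
		img.Digest = ref[at+1:]
		ref = ref[:at]
		if !digestRe.MatchString(img.Digest) {
			return ScannerImage{}, fmt.Errorf("invalid digest %q", img.Digest)
		}
	}
	// A colon after the last slash separates the tag; a colon before it is a port.
	slash := strings.LastIndex(ref, "/")
	if colon := strings.LastIndex(ref, ":"); colon > slash {
		img.Tag = ref[colon+1:]
		ref = ref[:colon]
		if !tagRe.MatchString(img.Tag) {
			return ScannerImage{}, fmt.Errorf("invalid tag %q", img.Tag)
		}
	}
	img.Repository = ref
	if !repoRe.MatchString(img.Repository) {
		return ScannerImage{}, fmt.Errorf("invalid repository %q", img.Repository)
	}
	if img.Digest == "" && (img.Tag == "" || img.Tag == "latest") {
		return ScannerImage{}, errors.New("scanner image must be pinned to a release tag or digest, not \"latest\"")
	}
	return img, nil
}

// ResolveScannerImage applies the "reset to default" rule: an empty setting
// means the pinned default, anything else must pass validation.
func ResolveScannerImage(setting string) (ScannerImage, error) {
	if strings.TrimSpace(setting) == "" {
		return ParseScannerImage(DefaultScannerImage)
	}
	return ParseScannerImage(setting)
}

func main() {
	// Constructed inputs: reset-to-default, a self-hosted mirror, and two floating references.
	for _, in := range []string{
		"",
		"registry.internal:5000/mirror/trivy:1.2.3",
		"ghcr.io/aquasecurity/trivy:latest",
		"ghcr.io/aquasecurity/trivy",
	} {
		img, err := ResolveScannerImage(in)
		if err != nil {
			fmt.Printf("%-45q rejected: %v\n", in, err)
			continue
		}
		fmt.Printf("%-45q -> %s\n", in, img)
	}
}
```

Keeping the "no floating tag" rule in the validator rather than in the UI means an override pushed through the API or a config file gets the same check; allowing a digest alongside (or instead of) a tag lets an air-gapped mirror pin exactly the bytes it has vetted.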
Why it matters
No breaking changes — just expose what's currently hardcoded as a configurable field.