
feat(supply-chain): cosign-verify argus images + security policy doc#146

Merged: eFAILution merged 1 commit into feat/argus-portability from feat/supply-chain-image-verify on May 13, 2026

Conversation

@eFAILution (Collaborator)

Description

Closes hardening items (3) and (4) from docs/developer/SDK-ROADMAP.md → "Secret Handling & Credential Surface Hardening". Adds container image signature verification at pull time and the written security policy doc that describes argus's threat model.

Changes Made

  • Added new scanner/workflow
  • Modified existing scanner/workflow
  • Updated documentation
  • Fixed bug
  • Other (please specify): new core module argus/core/image_verify.py + engine integration; new docs/security.md policy

Details

Verification policy — three paths, one config knob.

| Image source | Verification | Failure mode |
|---|---|---|
| ghcr.io/huntridge-labs/argus/* (the 4 images we cosign-sign at release) | cosign verify against the publish workflow's certificate identity + GitHub Actions OIDC issuer | Scanner aborts — RuntimeError before subprocess.run |
| Third-party with @sha256: digest pin (e.g. aquasec/trivy@sha256:abc...) | Docker's pull-time content-hash check IS the verification — no extra cosign call | Docker pull fails on mismatch |
| Third-party with tag-only pin (current state for most upstream images) | None | One WARNING per scan run listing the tag-pinned images with a digest-pin migration hint |

Config knob: execution.verify_image_signatures: bool (default true). Opt-out for air-gapped environments where Sigstore / Rekor network access isn't available.

Why this shape (from the earlier design discussion): cosign verification only makes sense for images whose signing identity we control. Most upstream scanner publishers don't cosign-sign their images in a way we could validate — so verifying them would just produce constant false WARNINGs. Digest pins from the user's side are cryptographically equivalent to a signature check against a known-good identity, no external trust roots needed. The combined policy scales naturally: as we migrate argus/containers.py to digest pins (Renovate keeps them current), more of the surface becomes implicitly verified without changing user-facing config.

Engine integration:

```
_run_in_container(scanner, ...)
  ├── _pull_image(image)
  ├── verify_image(image, verify_signatures=...)
  │   ├── FAILED → raise RuntimeError  ← scanner does NOT run
  │   ├── VERIFIED_COSIGN → INFO log
  │   ├── VERIFIED_DIGEST_PIN → DEBUG log
  │   ├── SKIPPED_TAG_PIN → accumulate; warn once at end of run()
  │   └── SKIPPED_BY_CONFIG → DEBUG log
  └── subprocess.run(docker_cmd, ...)
```

docs/security.md lands the written policy with sections for:

  • TL;DR table (what argus does for each concern)
  • Threat model — what argus DEFENDS against (6 items) + what it DOES NOT defend against (6 items, named explicitly so users with stricter threat models can layer additional controls)
  • Credential precedence with worked examples (stdin > <field>_env > literal)
  • Container image provenance walkthrough
  • Air-gapped opt-out instructions
  • Vulnerability reporting (GitHub Security Advisories)

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • Tested with different scanner combinations

Test Results

27 new tests:

| File | Tests | Covers |
|---|---|---|
| argus/tests/core/test_image_verify.py::TestImageClassification | 7 | is_argus_owned, has_digest_pin predicates with parametrized image lists |
| argus/tests/core/test_image_verify.py::TestVerifyImageArgusOwned | 4 | cosign pass / fail / stderr-truncation / missing-binary paths |
| argus/tests/core/test_image_verify.py::TestVerifyImageThirdParty | 2 | digest-pin skips cosign call; tag-only flags for warning |
| argus/tests/core/test_image_verify.py::TestVerifyImageDisabled | 4 | every path returns SKIPPED_BY_CONFIG when verification is off |
| argus/tests/core/test_image_verify.py::TestTagPinnedSummary | 3 | one warning per scan, dedup, no-warning when nothing's tag-pinned |
| argus/tests/test_engine.py::TestSupplyChainVerificationGate | 6 | end-to-end engine integration: pass-proceeds, fail-aborts-scanner, digest-pin-no-cosign, tag-only-warns-at-end, disabled-skips-all, missing-binary-fatal |

Full suite: 3107 passed, 2 skipped, 7 deselected.

Security Considerations

  • No security impact
  • Security enhancement
  • Potential security implications (explain below)

Security Details

Direct implementation of hardening items (3) and (4) from the post-PR-142 audit:

  • (3) Closes the supply-chain risk that argus could be tricked into running a tampered argus-owned image by an attacker who compromised the GHCR push path or got Renovate to update to a malicious tag. Verification fails closed — failure aborts the scanner with a fatal RuntimeError.
  • (4) Makes the threat model explicit, so users know what argus defends against and what it doesn't. Important for users with stricter postures (e.g., FedRAMP, supply-chain-critical workloads) so they can layer additional controls where argus stops.

The new code adds no new attack surface: cosign is invoked via subprocess.run with an argv array (no shell expansion), the cert-identity regexp is anchored at start (no glob injection), and cosign's stderr is truncated to 500 chars before logging (no traceback dump on auth-server errors).

AI Context Updates (.ai/)

  • .ai/architecture.yaml updated — new core/image_verify.py entry in both SDK structure blocks describing classification + engine integration + the config knob.
  • .ai/workflows.yaml updated
  • .ai/decisions.yaml updated — implementation of items already decided in the roadmap; no new ADR warranted.
  • .ai/errors.yaml updated
  • N/A

Checklist

  • Code follows project style guidelines
  • Documentation updated
  • Changelog updated (if applicable)
  • All tests pass
  • Reviewed by at least one maintainer
  • Reviewed CONTRIBUTING.md guidelines

Related Issues

Closes hardening items (3) and (4) in docs/developer/SDK-ROADMAP.md → "Secret Handling & Credential Surface Hardening". Item (5) — defensive redaction pass at audit-trail write time — remains queued.

Follow-up tracked separately: migrate third-party image tags in argus/containers.py to @sha256: digest pins. Renovate already supports digest pin updates; once each image is migrated to a digest pin, it gets implicit verification through this PR's logic for free (no further code changes needed).

Screenshots/Logs (if applicable)

```
============================== 3107 passed, 2 skipped, 7 deselected, 20 warnings in 19.99s ==============================
```

Diff: 9 files (3 new, 6 modified), +1033 / -3.

Closes hardening items (3) and (4) from "Secret Handling & Credential
Surface Hardening" in docs/developer/SDK-ROADMAP.md.

Item (3) — cosign + digest-pin verification at pull time:

- argus/core/image_verify.py: new module classifies every pulled
  image into one of four paths:
    * argus-owned (ghcr.io/huntridge-labs/argus/*): cosign keyless
      verify against the publish workflow's identity + GitHub
      Actions OIDC issuer. Failure is fatal — scanner does not run.
    * third-party with @sha256: digest pin: Docker enforces
      content-hash match at pull, no cosign call. Logged at DEBUG.
    * third-party with tag-only pin: no crypto guarantee. One
      WARNING per scan run via report_tag_pinned_summary listing
      every tag-pinned image with a migration hint.
    * verification disabled: skipped wholesale (DEBUG log).
- argus/core/engine.py: _run_in_container now calls verify_image
  right after _pull_image succeeds, accumulating results in
  self._verify_results. Fatal verification raises RuntimeError
  before subprocess.run, so the scanner subprocess never starts.
  Summary tag-pinned WARNING emitted once at end of run().
- argus/core/config.py: ExecutionConfig.verify_image_signatures
  defaults to True. Opt-out for air-gapped environments via
  execution.verify_image_signatures: false in argus.yml.
- argus/core/schema.py: new bool-typed config key with validator.
- Stdlib + cosign binary on PATH; no Python sigstore dependency.
  Fails up front with an install hint if cosign is missing.

Item (4) — written policy doc:

- docs/security.md: TL;DR table, threat model (defends-against +
  does-not-defend-against), credential precedence with worked
  examples (stdin > <field>_env > literal), container image
  provenance section walking through each verification path, the
  air-gapped opt-out, and a vulnerability-reporting pointer to
  GitHub Security Advisories.

Tests:
- argus/tests/core/test_image_verify.py: 21 tests covering image
  classification, all four verification paths, cosign output
  truncation, the tag-pinned summary dedup/no-warning behavior.
- argus/tests/test_engine.py::TestSupplyChainVerificationGate: 6
  engine-integration tests verifying the verify-then-run gate,
  cosign-fail-aborts-scanner contract, third-party digest-pin
  no-cosign-call, tag-only summary at run end, opt-out behavior,
  and missing-cosign-binary fatal handling.

.ai/ updates:
- architecture.yaml: new core/image_verify.py entry in both SDK
  structure blocks describing classification + engine integration.

Roadmap:
- Items (3) and (4) flipped to shipped with implementation summary
  and links. Item (5) — defensive audit-trail redact — remains
  queued.

Full suite: 3107 passed (+27 new), 2 skipped.

Follow-up roadmap item already noted: migrate third-party image
tags in argus/containers.py to @sha256: digest pins. Renovate can
keep them current once pinned.
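The policy table, the `_run_in_container` gate and the Security Details paragraph above describe one decision procedure. The following is an added illustration of it, not argus's own `argus/core/image_verify.py` or engine code: every name in it (`VerifyResult`, `Verification`, `verify_image`, `gate`, `tag_pinned_summary`, `cosign_argv`) is an assumption, the certificate identity regexp is a placeholder standing in for the real publish-workflow identity, and cosign is reached through an injectable runner so the module runs offline against the constructed test doubles at the bottom. `--certificate-identity-regexp` and `--certificate-oidc-issuer` are real `cosign verify` flags. The digest check is slightly stricter than the PR's `@sha256:abc...` shorthand: it requires a full 64-hex digest at the end of the reference.

```python
"""Three-path image verification policy (added example, not argus code).

Names are assumed; cosign is called through an injectable `run` so the
module works offline with the test doubles below.
"""
import re
import subprocess
from dataclasses import dataclass
from enum import Enum

ARGUS_PREFIX = "ghcr.io/huntridge-labs/argus/"
# Placeholder publish-workflow identity (the real value lives in the project).
# Anchored with ^ so a reference that merely contains the string cannot match.
CERT_IDENTITY_RE = r"^https://github\.com/huntridge-labs/argus/\.github/workflows/publish\.yml@"
OIDC_ISSUER = "https://token.actions.githubusercontent.com"
STDERR_LIMIT = 500  # cosign stderr is cut here before it is logged or raised
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


class VerifyResult(Enum):
    VERIFIED_COSIGN = "verified_cosign"
    VERIFIED_DIGEST_PIN = "verified_digest_pin"
    SKIPPED_TAG_PIN = "skipped_tag_pin"
    SKIPPED_BY_CONFIG = "skipped_by_config"
    FAILED = "failed"


@dataclass(frozen=True)
class Verification:
    image: str
    result: VerifyResult
    detail: str = ""


def is_argus_owned(image: str) -> bool:
    return image.startswith(ARGUS_PREFIX)


def has_digest_pin(image: str) -> bool:
    # Only a full sha256 digest at the end of the reference counts as a pin.
    return DIGEST_RE.search(image) is not None


def cosign_argv(image: str) -> list[str]:
    # argv list passed straight to exec: no shell, so nothing in the image
    # reference is word-split or glob-expanded.
    return ["cosign", "verify",
            "--certificate-identity-regexp", CERT_IDENTITY_RE,
            "--certificate-oidc-issuer", OIDC_ISSUER,
            image]


def verify_image(image: str, verify_signatures: bool = True,
                 run=subprocess.run) -> Verification:
    """Classify one pulled image and verify it along the matching path."""
    if not verify_signatures:
        return Verification(image, VerifyResult.SKIPPED_BY_CONFIG)
    if is_argus_owned(image):
        try:
            proc = run(cosign_argv(image), capture_output=True, text=True, check=False)
        except FileNotFoundError:
            return Verification(image, VerifyResult.FAILED,
                                "cosign not found on PATH; install it from sigstore/cosign")
        if proc.returncode != 0:
            return Verification(image, VerifyResult.FAILED, proc.stderr[:STDERR_LIMIT])
        return Verification(image, VerifyResult.VERIFIED_COSIGN)
    if has_digest_pin(image):
        # Docker's pull-time content-hash check already did the work.
        return Verification(image, VerifyResult.VERIFIED_DIGEST_PIN)
    return Verification(image, VerifyResult.SKIPPED_TAG_PIN)


def gate(image: str, results: list, verify_signatures: bool = True,
         run=subprocess.run) -> Verification:
    """Engine-side gate: record the result and fail closed, so a FAILED
    verification raises before any scanner subprocess would start."""
    v = verify_image(image, verify_signatures, run)
    results.append(v)
    if v.result is VerifyResult.FAILED:
        raise RuntimeError(f"image verification failed for {image}: {v.detail}")
    return v


def tag_pinned_summary(results: list) -> list[str]:
    """Deduplicated, sorted tag-only images for the single end-of-run
    WARNING; an empty list means there is nothing to warn about."""
    return sorted({v.image for v in results if v.result is VerifyResult.SKIPPED_TAG_PIN})


# Constructed test doubles standing in for the cosign binary.
def fake_cosign(returncode: int, stderr: str = ""):
    return lambda argv, **kw: subprocess.CompletedProcess(argv, returncode, "", stderr)


def missing_cosign(argv, **kw):
    raise FileNotFoundError("cosign")


if __name__ == "__main__":
    results = []
    gate("ghcr.io/huntridge-labs/argus/cli:abc123", results, run=fake_cosign(0))
    gate("aquasec/trivy@sha256:" + "a" * 64, results, run=missing_cosign)
    gate("aquasec/trivy:0.50.0", results, run=missing_cosign)
    gate("aquasec/trivy:0.50.0", results, run=missing_cosign)
    print([v.result.name for v in results])
    print("tag-pinned:", tag_pinned_summary(results))
    try:
        gate("ghcr.io/huntridge-labs/argus/cli:abc123", results,
             run=fake_cosign(1, "x" * 2000))
    except RuntimeError as exc:
        print("aborted, detail length", len(str(exc)))
```

Passing `missing_cosign` to the digest-pin and tag-only calls is the point of the demo: those paths never reach the binary, which is what the PR's "digest-pin skips cosign call" test asserts. The `__main__` block shows the same tag-only image recorded twice collapsing to one summary entry, and the failing cosign run aborting with the stderr already capped at 500 characters.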
@codecov — codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 97.08029% with 8 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| argus/tests/test_engine.py | 95.60% | 4 Missing ⚠️ |
| argus/tests/core/test_image_verify.py | 98.01% | 2 Missing ⚠️ |
| argus/core/image_verify.py | 98.38% | 1 Missing ⚠️ |
| argus/core/schema.py | 50.00% | 1 Missing ⚠️ |


@github-actions (Contributor)

🔒 Argus Container Security Scan

Branch: feat/supply-chain-image-verify
Commit: c20c3be

📊 Combined Findings Summary

| 🚨 Critical | ⚠️ High | 🟡 Medium | 🔵 Low | 📦 Total | 🔢 Unique |
|---|---|---|---|---|---|
| 1 | 55 | 86 | 64 | 206 | 206 |

Scanned: 4 containers | Build Failures: 0

📦 Container Breakdown

| Container | Image | 🚨 Crit | ⚠️ High | 🟡 Med | 🔵 Low | Total | Unique | Status |
|---|---|---|---|---|---|---|---|---|
| cli | ghcr.io/huntridge-labs/argus/cli:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6 | 1 | 39 | 32 | 1 | 73 | 73 | |
| scanner-bandit | ghcr.io/huntridge-labs/argus/scanner-bandit:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6 | 0 | 0 | 2 | 0 | 2 | 2 | |
| scanner-opengrep | ghcr.io/huntridge-labs/argus/scanner-opengrep:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6 | 0 | 7 | 44 | 63 | 114 | 114 | |
| scanner-supply-chain | ghcr.io/huntridge-labs/argus/scanner-supply-chain:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6 | 0 | 9 | 8 | 0 | 17 | 17 | |

🔍 Detailed Findings by Container

🚨 cli - 73 vulnerabilities (33 unique)

Image: ghcr.io/huntridge-labs/argus/cli:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6

Combined (Deduplicated)

| 🚨 Critical | ⚠️ High | 🟡 Medium | 🔵 Low | Total | Unique |
|---|---|---|---|---|---|
| 1 | 39 | 32 | 1 | 73 | 33 |

🔷 Trivy Scanner (73 findings, 33 unique)

| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2025-68121 | 🚨 CRITICAL | stdlib | v1.24.11 | 1.24.13, 1.25.7, 1.26.0-rc.3 |
| CVE-2026-32280 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32281 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32283 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-33810 | ⚠️ HIGH | stdlib | v1.26.1 | 1.26.2 |
| CVE-2026-33811 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-33814 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39820 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39836 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-42499 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2025-61726 | ⚠️ HIGH | stdlib | v1.24.11 | 1.24.12, 1.25.6 |
| CVE-2025-61728 | ⚠️ HIGH | stdlib | v1.24.11 | 1.24.12, 1.25.6 |
| CVE-2026-25679 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.8, 1.26.1 |
| CVE-2026-32280 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.9, 1.26.2 |
| CVE-2026-32281 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.9, 1.26.2 |
| CVE-2026-32283 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.9, 1.26.2 |
| CVE-2026-33811 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.10, 1.26.3 |
| CVE-2026-33814 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.10, 1.26.3 |
| CVE-2026-39820 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.10, 1.26.3 |
| CVE-2026-39836 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.10, 1.26.3 |
| CVE-2026-42499 | ⚠️ HIGH | stdlib | v1.24.11 | 1.25.10, 1.26.3 |
| CVE-2026-34040 | ⚠️ HIGH | github.com/docker/docker | v28.5.2+incompatible | 29.3.1 |
| CVE-2026-45022 | ⚠️ HIGH | github.com/go-git/go-git/v5 | v5.18.0 | 5.19.0 |
| CVE-2026-33811 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-33814 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-39820 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-39836 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-42499 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-45022 | ⚠️ HIGH | github.com/go-git/go-git/v5 | v5.18.0 | 5.19.0 |
| CVE-2026-33811 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-33814 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-39820 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-39836 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-42499 | ⚠️ HIGH | stdlib | v1.26.2 | 1.25.10, 1.26.3 |
| CVE-2026-45022 | ⚠️ HIGH | github.com/go-git/go-git/v5 | v5.17.2 | 5.19.0 |
| CVE-2026-33811 | ⚠️ HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 |
| CVE-2026-33814 | ⚠️ HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 |
| CVE-2026-39820 | ⚠️ HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 |
| CVE-2026-39836 | ⚠️ HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 |
| CVE-2026-42499 | ⚠️ HIGH | stdlib | v1.25.9 | 1.25.10, 1.26.3 |
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |
| CVE-2026-6357 | 🟡 MEDIUM | pip | 26.0.1 | 26.1 |
| CVE-2026-32282 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32288 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32289 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-39823 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39825 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39826 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2025-11579 | 🟡 MEDIUM | github.com/nwaples/rardecode/v2 | v2.1.0 | 2.2.0 |
| CVE-2025-58058 | 🟡 MEDIUM | github.com/ulikunitz/xz | v0.5.12 | 0.5.15 |

...and 23 more

⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype

🟡 scanner-bandit - 2 vulnerabilities (2 unique)

Image: ghcr.io/huntridge-labs/argus/scanner-bandit:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6

Combined (Deduplicated)

| 🚨 Critical | ⚠️ High | 🟡 Medium | 🔵 Low | Total | Unique |
|---|---|---|---|---|---|
| 0 | 0 | 2 | 0 | 2 | 2 |

🔷 Trivy Scanner (2 findings, 2 unique)

| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |
| CVE-2026-6357 | 🟡 MEDIUM | pip | 26.0.1 | 26.1 |

⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype

⚠️ scanner-opengrep - 114 vulnerabilities (50 unique)

Image: ghcr.io/huntridge-labs/argus/scanner-opengrep:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6

Combined (Deduplicated)

| 🚨 Critical | ⚠️ High | 🟡 Medium | 🔵 Low | Total | Unique |
|---|---|---|---|---|---|
| 0 | 7 | 44 | 63 | 114 | 50 |

🔷 Trivy Scanner (114 findings, 49 unique)

| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-4878 | ⚠️ HIGH | libcap2 | 1:2.75-10+b8 | N/A |
| CVE-2025-69720 | ⚠️ HIGH | libncursesw6 | 6.5+20250216-2 | N/A |
| CVE-2026-29111 | ⚠️ HIGH | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2025-69720 | ⚠️ HIGH | libtinfo6 | 6.5+20250216-2 | N/A |
| CVE-2026-29111 | ⚠️ HIGH | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2025-69720 | ⚠️ HIGH | ncurses-base | 6.5+20250216-2 | N/A |
| CVE-2025-69720 | ⚠️ HIGH | ncurses-bin | 6.5+20250216-2 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | bsdutils | 1:2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | bsdutils | 1:2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libblkid1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libblkid1 | 2.41-5 | N/A |
| CVE-2026-4046 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4437 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4438 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5435 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5450 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-5928 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-6238 | 🟡 MEDIUM | libc-bin | 2.41-12+deb13u2 | N/A |
| CVE-2026-4046 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-4437 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-4438 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5435 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5450 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-5928 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-6238 | 🟡 MEDIUM | libc6 | 2.41-12+deb13u2 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | liblastlog2-2 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | liblastlog2-2 | 2.41-5 | N/A |
| CVE-2026-34743 | 🟡 MEDIUM | liblzma5 | 5.8.1-1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libmount1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libmount1 | 2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libsmartcols1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libsmartcols1 | 2.41-5 | N/A |
| CVE-2026-40225 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40226 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-4105 | 🟡 MEDIUM | libsystemd0 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40225 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-40226 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-4105 | 🟡 MEDIUM | libudev1 | 257.9-1~deb13u1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | libuuid1 | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | libuuid1 | 2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | login | 1:4.16.0-2+really2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | login | 1:4.16.0-2+really2.41-5 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | mount | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | mount | 2.41-5 | N/A |
| CVE-2026-5958 | 🟡 MEDIUM | sed | 4.9-2 | N/A |
| CVE-2026-5704 | 🟡 MEDIUM | tar | 1.35+dfsg-3.1 | N/A |
| CVE-2026-27456 | 🟡 MEDIUM | util-linux | 2.41-5 | N/A |
| CVE-2026-3184 | 🟡 MEDIUM | util-linux | 2.41-5 | N/A |
| CVE-2026-27171 | 🟡 MEDIUM | zlib1g | 1:1.3.dfsg+really1.3.1-1+b1 | N/A |
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |

...and 64 more

⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype

⚠️ scanner-supply-chain - 17 vulnerabilities (17 unique)

Image: ghcr.io/huntridge-labs/argus/scanner-supply-chain:c20c3be4e6710f37d3fee3a456b0946dfd4ccfd6

Combined (Deduplicated)

| 🚨 Critical | ⚠️ High | 🟡 Medium | 🔵 Low | Total | Unique |
|---|---|---|---|---|---|
| 0 | 9 | 8 | 0 | 17 | 17 |

🔷 Trivy Scanner (17 findings, 17 unique)

| CVE | Severity | Package | Version | Fixed |
|---|---|---|---|---|
| CVE-2026-32280 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32281 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32283 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-33810 | ⚠️ HIGH | stdlib | v1.26.1 | 1.26.2 |
| CVE-2026-33811 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-33814 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39820 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39836 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-42499 | ⚠️ HIGH | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-3219 | 🟡 MEDIUM | pip | 26.0.1 | N/A |
| CVE-2026-6357 | 🟡 MEDIUM | pip | 26.0.1 | 26.1 |
| CVE-2026-32282 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32288 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-32289 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.9, 1.26.2 |
| CVE-2026-39823 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39825 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.10, 1.26.3 |
| CVE-2026-39826 | 🟡 MEDIUM | stdlib | v1.26.1 | 1.25.10, 1.26.3 |

⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype

Generated by Argus

@eFAILution eFAILution merged commit 864c162 into feat/argus-portability May 13, 2026
22 checks passed
@eFAILution eFAILution deleted the feat/supply-chain-image-verify branch May 13, 2026 13:06