
feat(scanner-container): exposed-port surface as new sub-scanner#149

Merged: eFAILution merged 2 commits into feat/argus-portability from feat/scanner-container-expose-ports on May 13, 2026

@eFAILution

Description

Implements the Container image exposed ports item from docs/developer/SDK-ROADMAP.md → "Attack Surface Visibility — Port & Service Exposure". Reports what network endpoints a container image declares via Dockerfile EXPOSE — separate from whether those endpoints have known CVEs. "Image exposes 6379/tcp" is a different question from "image has a vulnerable Redis package" and most security reviewers want both.

Changes Made

  • Added new scanner/workflow
  • Modified existing scanner/workflow
  • Updated documentation
  • Fixed bug
  • Other (please specify): new exposure sub-scanner inside the existing container scanner

Details

No new scanner module — extends argus/scanners/container.py's sub-scanner orchestration alongside trivy/grype/syft. The data is free: <runtime> image inspect <ref> returns Config.ExposedPorts and the container scanner already pulls every image it scans, so the inspect is a fast cache hit.

Default sub-scanner set becomes "trivy,grype,syft,exposure". Opt out by dropping exposure from scanners.container.scanners.

Output shape — one Finding per declared port:

INFO   EXPOSE-8080-tcp    Port 8080/tcp declared exposed
MEDIUM EXPOSE-22-tcp      Port 22/tcp (SSH) declared exposed
MEDIUM EXPOSE-3306-tcp    Port 3306/tcp (MySQL) declared exposed

Findings flow through the existing reporter pipeline (terminal, markdown, sarif, json, github, gitlab, junit), --severity-threshold filtering, audit trail, and the view-terminal / view-browser UIs without per-reporter custom code.

Built-in RISKY_PORTS watchlist (MEDIUM severity by default):

| Port | Service | Rationale (from scanner docstring) |
|---|---|---|
| 21/tcp | FTP | Cleartext — CIS Docker Benchmark §5.8 |
| 22/tcp | SSH | Recurring image-inheritance leak from base images |
| 23/tcp | Telnet | Cleartext — CIS Docker Benchmark §5.8 |
| 25/tcp, 110/tcp, 143/tcp | SMTP, POP3, IMAP | Cleartext auth by default |
| 161/udp | SNMP | Default community strings (public) — CVE-1999-0517 |
| 389/tcp | LDAP | Cleartext bind (LDAPS 636/tcp is not warned) |
| 445/tcp | SMB | Never appropriate from a containerized workload |
| 3306/tcp, 5432/tcp, 6379/tcp, 9200/tcp, 11211/tcp, 27017/tcp | MySQL, PostgreSQL, Redis, Elasticsearch, Memcached, MongoDB | Default no-auth configs — Shodan unauthorized-database-access reports |
| 3389/tcp | RDP | Auth-bypass CVE history |

Each entry cites a "why" in the scanner docstring so future contributors don't tune the list blindly. Adding a new entry requires the same.

Config knobs (in argus.yml):

scanners:
  container:
    image_ref: "myapp:latest"
    # Replace the built-in WARN list. Pass [] to demote every
    # declared port to INFO.
    expose_warn_ports:
      - 22/tcp
      - 3306/tcp
      - 8080/tcp        # promote this app port to WARN
    # Suppress findings entirely for ports the team has accepted
    expose_ignore_ports:
      - 443/tcp
      - 9090/tcp

Both lists accept "PORT/PROTO" strings (bare "PORT" defaults to tcp; protocol case-insensitive). Schema validator errors on malformed entries at config-load time.

Testing

  • Unit tests added/updated
  • Integration tests added/updated
  • Manual testing performed
  • Tested with different scanner combinations

Test Results

29 new tests:

| Class | Tests | Covers |
|---|---|---|
| TestParsePortProto | 4 | Canonical form, bare-port-defaults-tcp, case/whitespace tolerated, 9-case invalid parametrize |
| TestScanExposedPorts | 12 | INFO/MEDIUM classification, multi-port sort, ignore-list, warn-override (replace + empty), no-ports, no-Config, empty-inspect, no-runtime, pull-failure, unparseable-port-logged-and-skipped (subprocess + container_runtime mocked) |
| TestExposureSchemaValidation | 5 | Valid lists accepted, non-list errors, malformed entries error, non-string entries error, exposure valid in container sub-scanner list |

Full suite: 3155 passed (+29 new), 2 skipped, 7 deselected.

Security Considerations

  • No security impact
  • Security enhancement
  • Potential security implications (explain below)

Security Details

Closes a real attack-surface visibility gap. Today argus reports vulnerabilities (Trivy/Grype find CVEs in installed packages) and SBOM components (Syft) but doesn't surface what network endpoints an image declares. A reviewer auditing a base image for the first time wants to know "does this expose anything I didn't expect?" — the new sub-scanner answers that without requiring users to read docker inspect JSON by hand.

The classification is conservative: only well-known risky-defaults get MEDIUM (the watchlist is small and cited); ordinary application ports stay INFO. False-positive rate is low because the data is the image's own declared intent.

AI Context Updates (.ai/)

  • .ai/architecture.yaml updated — scanners/ description in both SDK blocks updated to mention the four sub-scanners and the RISKY_PORTS watchlist.
  • .ai/workflows.yaml updated
  • .ai/decisions.yaml updated — implementation of an already-decided roadmap item; no new ADR.
  • .ai/errors.yaml updated
  • N/A

Checklist

  • Code follows project style guidelines
  • Documentation updated
  • Changelog updated (if applicable)
  • All tests pass
  • Reviewed by at least one maintainer
  • Reviewed CONTRIBUTING.md guidelines

Related Issues

Closes the Container image exposed ports item in docs/developer/SDK-ROADMAP.md → "Attack Surface Visibility — Port & Service Exposure". The companion OS-image research item remains queued.

Out of scope (deferred): runtime port enumeration (actually start the container, probe with nmap/ss). Static EXPOSE data is the bulk of the value at a fraction of the operational cost. A runtime variant becomes a separate roadmap item if consumer demand surfaces.

Screenshots/Logs (if applicable)

============================== 3155 passed, 2 skipped, 7 deselected, 20 warnings in 23.76s ==============================

Diff: 7 files, +638 / -88.

Implements the "Container image exposed ports" item from
docs/developer/SDK-ROADMAP.md → "Attack Surface Visibility — Port
& Service Exposure". Reports what network endpoints a container
image declares via Dockerfile EXPOSE — separate from whether those
endpoints have known CVEs. "Image exposes 6379/tcp" is a different
question from "image has a vulnerable Redis package" and most
security reviewers want both.

No new scanner module; extends the existing container scanner's
sub-scanner orchestration alongside trivy/grype/syft. Default
sub-scanner list becomes "trivy,grype,syft,exposure" — opt out by
dropping the name from scanners.container.scanners.

How it works:
- _scan_exposed_ports(image_ref, config) ensures the image is
  present locally (via container_runtime.pull_image with
  if-not-present, which is a fast cache hit when trivy/grype/syft
  already pulled it), runs <runtime> image inspect <ref>, parses
  Config.ExposedPorts, and emits one Finding per port.
- Severity defaults to INFO for ordinary application ports and
  MEDIUM for ports on the built-in RISKY_PORTS dict:
  21/tcp (FTP), 22/tcp (SSH), 23/tcp (Telnet), 25/tcp (SMTP),
  110/tcp (POP3), 143/tcp (IMAP), 161/udp (SNMP), 389/tcp (LDAP),
  445/tcp (SMB), 3306/tcp (MySQL), 3389/tcp (RDP),
  5432/tcp (PostgreSQL), 6379/tcp (Redis), 9200/tcp (Elasticsearch),
  11211/tcp (Memcached), 27017/tcp (MongoDB). Each entry cites a
  "why" in the scanner module docstring (CIS Docker Benchmark §5.8,
  Shodan unauthorized-database-access reports, CVE-1999-0517 for
  SNMPv1/v2 community strings, etc.) so future contributors don't
  tune the list blindly.

Config knobs (argus.yml):
- scanners.container.expose_warn_ports: list[str] — replaces the
  built-in WARN list. Empty list demotes every declared port to
  INFO.
- scanners.container.expose_ignore_ports: list[str] — suppress
  findings entirely. Use for ports the team has explicitly
  accepted (the app's known 8080/tcp, etc.).
Both lists accept "PORT/PROTO" strings; bare "PORT" defaults to
tcp; protocol is case-insensitive. Validator rejects malformed
entries at config-load time so authoring mistakes surface during
argus validate, not at scan time.

Finding shape — flows through the existing reporter pipeline
(terminal, markdown, sarif, json, github, gitlab, junit),
--severity-threshold filtering, audit trail, and the view-terminal /
view-browser UIs without per-reporter custom code:
  id:       EXPOSE-<port>-<proto>
  severity: INFO or MEDIUM
  metadata: {port, protocol, common_service, risky, image_ref}

Test coverage (29 new tests):
- TestParsePortProto: canonical form, bare-port-defaults-tcp,
  case+whitespace tolerated, 9-case invalid parametrize.
- TestScanExposedPorts: single non-risky → INFO, single risky →
  MEDIUM with service name, multi-port sort+classification,
  ignore-list suppresses, warn-override replaces defaults,
  empty-warn-override demotes all to INFO, no exposed ports,
  no Config block, empty inspect array, no runtime → skipped
  metadata, pull failure → error metadata, unparseable port
  logged + skipped (subprocess + container_runtime mocked).
- TestExposureSchemaValidation: valid lists accepted, non-list
  errors, malformed entries error, non-string entries error,
  "exposure" valid in container sub-scanner list.

Out of scope (deferred):
- Runtime port enumeration (actually start the container, probe
  with nmap/ss). Static EXPOSE data is the bulk of the value at
  a fraction of the operational cost. A runtime variant becomes
  a separate roadmap item if demand surfaces.

Docs + .ai/:
- docs/config-reference.md: container scanner description,
  scanner-specific properties table (new rows for expose_warn_ports
  and expose_ignore_ports), worked example for attack-surface
  tuning.
- argus.example.yml: commented example showing default sub-scanner
  set + the two new knobs.
- .ai/architecture.yaml: scanners/ description in both SDK blocks
  updated to mention the four sub-scanners and the RISKY_PORTS
  watchlist.
- docs/developer/SDK-ROADMAP.md: roadmap entry flipped from
  actionable to shipped with implementation summary.

Full suite: 3155 passed (+29 new), 2 skipped.
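
The parse-and-classify behaviour described in the PR description and commit message above, as an added Python sketch; it is not the code in argus/scanners/container.py. The function names, the accepted protocol set and the inspect sample are assumptions made for illustration; the watchlist entries, finding ids and the warn/ignore semantics are taken from the description.

```python
import json
import re

# Watchlist copied from the table in this PR description (key -> service name).
RISKY_PORTS = {
    "21/tcp": "FTP", "22/tcp": "SSH", "23/tcp": "Telnet", "25/tcp": "SMTP",
    "110/tcp": "POP3", "143/tcp": "IMAP", "161/udp": "SNMP", "389/tcp": "LDAP",
    "445/tcp": "SMB", "3306/tcp": "MySQL", "3389/tcp": "RDP",
    "5432/tcp": "PostgreSQL", "6379/tcp": "Redis", "9200/tcp": "Elasticsearch",
    "11211/tcp": "Memcached", "27017/tcp": "MongoDB",
}
PROTOCOLS = ("tcp", "udp", "sctp")  # assumption: the protocols Dockerfile EXPOSE accepts
_SPEC = re.compile(r"([0-9]{1,5})(?:/([A-Za-z]+))?")

# Constructed sample of `<runtime> image inspect <ref>` output, trimmed to the key used.
SAMPLE_INSPECT = json.dumps([{"Config": {"ExposedPorts": {
    "8080/tcp": {}, "22/tcp": {}, "6379/tcp": {}, "443/tcp": {}, "53/udp": {}}}}])


def parse_port_proto(spec):
    """Normalize 'PORT' or 'PORT/PROTO' to 'port/proto'; ValueError if malformed."""
    match = _SPEC.fullmatch(spec.strip()) if isinstance(spec, str) else None
    if not match:
        raise ValueError(f"malformed port spec: {spec!r}")
    port, proto = int(match.group(1)), (match.group(2) or "tcp").lower()
    if not 1 <= port <= 65535 or proto not in PROTOCOLS:
        raise ValueError(f"port or protocol out of range: {spec!r}")
    return f"{port}/{proto}"


def classify_exposed_ports(inspect_json, warn_ports=None, ignore_ports=()):
    """Return (findings, skipped): one finding per declared port, sorted by port."""
    # warn_ports=None keeps the built-in list; any list (even []) replaces it.
    warn = set(RISKY_PORTS) if warn_ports is None else {parse_port_proto(p) for p in warn_ports}
    ignore = {parse_port_proto(p) for p in ignore_ports}
    images = json.loads(inspect_json)
    # Images without EXPOSE have no Config.ExposedPorts key, or a null one.
    config = (images[0].get("Config") or {}) if images else {}
    findings, skipped = [], []
    for raw in config.get("ExposedPorts") or {}:
        try:
            key = parse_port_proto(raw)
        except ValueError:
            skipped.append(raw)  # unparseable entry: record it and move on
            continue
        if key in ignore:
            continue
        port, proto = key.split("/")
        findings.append({
            "id": f"EXPOSE-{port}-{proto}",
            "severity": "MEDIUM" if key in warn else "INFO",
            "port": int(port), "protocol": proto,
            "common_service": RISKY_PORTS.get(key), "risky": key in warn,
        })
    findings.sort(key=lambda f: (f["port"], f["protocol"]))
    return findings, skipped
```
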
@codecov

codecov Bot commented May 13, 2026

Codecov Report

❌ Patch coverage is 96.59574% with 8 lines in your changes missing coverage. Please review.

| Files with missing lines | Patch % | Lines |
|---|---|---|
| argus/scanners/container.py | 87.69% | 8 Missing ⚠️ |


@github-actions

🔒 Argus Container Security Scan

Branch: feat/scanner-container-expose-ports
Commit: f049ad2

📊 Combined Findings Summary

| 🚨 Critical | ⚠️ High | 🟡 Medium | 🔵 Low | 📦 Total | 🔢 Unique |
|---|---|---|---|---|---|
| 1 | 55 | 86 | 64 | 206 | 206 |

Scanned: 4 containers | Build Failures: 0

📦 Container Breakdown

| Container | Image | 🚨 Crit | ⚠️ High | 🟡 Med | 🔵 Low | Total | Unique | Status |
|---|---|---|---|---|---|---|---|---|
| cli | ghcr.io/huntridge-labs/argus/cli:f049ad2288fb67e72e3ace632c7165e55624fd02 | 1 | 39 | 32 | 1 | 73 | 73 | |
| scanner-bandit | ghcr.io/huntridge-labs/argus/scanner-bandit:f049ad2288fb67e72e3ace632c7165e55624fd02 | 0 | 0 | 2 | 0 | 2 | 2 | |
| scanner-opengrep | ghcr.io/huntridge-labs/argus/scanner-opengrep:f049ad2288fb67e72e3ace632c7165e55624fd02 | 0 | 7 | 44 | 63 | 114 | 114 | |
| scanner-supply-chain | ghcr.io/huntridge-labs/argus/scanner-supply-chain:f049ad2288fb67e72e3ace632c7165e55624fd02 | 0 | 9 | 8 | 0 | 17 | 17 | |

🔍 Detailed Findings by Container

🚨 cli - 73 vulnerabilities (33 unique)

Image: ghcr.io/huntridge-labs/argus/cli:f049ad2288fb67e72e3ace632c7165e55624fd02

Combined (Deduplicated)

🚨 Critical ⚠️ High 🟡 Medium 🔵 Low Total Unique
1 39 32 1 73 33
🔷 Trivy Scanner (73 findings, 33 unique)
CVE Severity Package Version Fixed
CVE-2025-68121 🚨 CRITICAL stdlib v1.24.11 1.24.13, 1.25.7, 1.26.0-rc.3
CVE-2026-32280 ⚠️ HIGH stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32281 ⚠️ HIGH stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32283 ⚠️ HIGH stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-33810 ⚠️ HIGH stdlib v1.26.1 1.26.2
CVE-2026-33811 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-33814 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39820 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39836 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-42499 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2025-61726 ⚠️ HIGH stdlib v1.24.11 1.24.12, 1.25.6
CVE-2025-61728 ⚠️ HIGH stdlib v1.24.11 1.24.12, 1.25.6
CVE-2026-25679 ⚠️ HIGH stdlib v1.24.11 1.25.8, 1.26.1
CVE-2026-32280 ⚠️ HIGH stdlib v1.24.11 1.25.9, 1.26.2
CVE-2026-32281 ⚠️ HIGH stdlib v1.24.11 1.25.9, 1.26.2
CVE-2026-32283 ⚠️ HIGH stdlib v1.24.11 1.25.9, 1.26.2
CVE-2026-33811 ⚠️ HIGH stdlib v1.24.11 1.25.10, 1.26.3
CVE-2026-33814 ⚠️ HIGH stdlib v1.24.11 1.25.10, 1.26.3
CVE-2026-39820 ⚠️ HIGH stdlib v1.24.11 1.25.10, 1.26.3
CVE-2026-39836 ⚠️ HIGH stdlib v1.24.11 1.25.10, 1.26.3
CVE-2026-42499 ⚠️ HIGH stdlib v1.24.11 1.25.10, 1.26.3
CVE-2026-34040 ⚠️ HIGH github.com/docker/docker v28.5.2+incompatible 29.3.1
CVE-2026-45022 ⚠️ HIGH github.com/go-git/go-git/v5 v5.18.0 5.19.0
CVE-2026-33811 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-33814 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-39820 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-39836 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-42499 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-45022 ⚠️ HIGH github.com/go-git/go-git/v5 v5.18.0 5.19.0
CVE-2026-33811 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-33814 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-39820 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-39836 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-42499 ⚠️ HIGH stdlib v1.26.2 1.25.10, 1.26.3
CVE-2026-45022 ⚠️ HIGH github.com/go-git/go-git/v5 v5.17.2 5.19.0
CVE-2026-33811 ⚠️ HIGH stdlib v1.25.9 1.25.10, 1.26.3
CVE-2026-33814 ⚠️ HIGH stdlib v1.25.9 1.25.10, 1.26.3
CVE-2026-39820 ⚠️ HIGH stdlib v1.25.9 1.25.10, 1.26.3
CVE-2026-39836 ⚠️ HIGH stdlib v1.25.9 1.25.10, 1.26.3
CVE-2026-42499 ⚠️ HIGH stdlib v1.25.9 1.25.10, 1.26.3
CVE-2026-3219 🟡 MEDIUM pip 26.0.1 N/A
CVE-2026-6357 🟡 MEDIUM pip 26.0.1 26.1
CVE-2026-32282 🟡 MEDIUM stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32288 🟡 MEDIUM stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32289 🟡 MEDIUM stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-39823 🟡 MEDIUM stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39825 🟡 MEDIUM stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39826 🟡 MEDIUM stdlib v1.26.1 1.25.10, 1.26.3
CVE-2025-11579 🟡 MEDIUM github.com/nwaples/rardecode/v2 v2.1.0 2.2.0
CVE-2025-58058 🟡 MEDIUM github.com/ulikunitz/xz v0.5.12 0.5.15

...and 23 more

⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype

🟡 scanner-bandit - 2 vulnerabilities (2 unique)

Image: ghcr.io/huntridge-labs/argus/scanner-bandit:f049ad2288fb67e72e3ace632c7165e55624fd02

Combined (Deduplicated)

🚨 Critical ⚠️ High 🟡 Medium 🔵 Low Total Unique
0 0 2 0 2 2
🔷 Trivy Scanner (2 findings, 2 unique)
CVE Severity Package Version Fixed
CVE-2026-3219 🟡 MEDIUM pip 26.0.1 N/A
CVE-2026-6357 🟡 MEDIUM pip 26.0.1 26.1
⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype

⚠️ scanner-opengrep - 114 vulnerabilities (50 unique)

Image: ghcr.io/huntridge-labs/argus/scanner-opengrep:f049ad2288fb67e72e3ace632c7165e55624fd02

Combined (Deduplicated)

🚨 Critical ⚠️ High 🟡 Medium 🔵 Low Total Unique
0 7 44 63 114 50
🔷 Trivy Scanner (114 findings, 49 unique)
CVE Severity Package Version Fixed
CVE-2026-4878 ⚠️ HIGH libcap2 1:2.75-10+b8 N/A
CVE-2025-69720 ⚠️ HIGH libncursesw6 6.5+20250216-2 N/A
CVE-2026-29111 ⚠️ HIGH libsystemd0 257.9-1~deb13u1 N/A
CVE-2025-69720 ⚠️ HIGH libtinfo6 6.5+20250216-2 N/A
CVE-2026-29111 ⚠️ HIGH libudev1 257.9-1~deb13u1 N/A
CVE-2025-69720 ⚠️ HIGH ncurses-base 6.5+20250216-2 N/A
CVE-2025-69720 ⚠️ HIGH ncurses-bin 6.5+20250216-2 N/A
CVE-2026-27456 🟡 MEDIUM bsdutils 1:2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM bsdutils 1:2.41-5 N/A
CVE-2026-27456 🟡 MEDIUM libblkid1 2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM libblkid1 2.41-5 N/A
CVE-2026-4046 🟡 MEDIUM libc-bin 2.41-12+deb13u2 N/A
CVE-2026-4437 🟡 MEDIUM libc-bin 2.41-12+deb13u2 N/A
CVE-2026-4438 🟡 MEDIUM libc-bin 2.41-12+deb13u2 N/A
CVE-2026-5435 🟡 MEDIUM libc-bin 2.41-12+deb13u2 N/A
CVE-2026-5450 🟡 MEDIUM libc-bin 2.41-12+deb13u2 N/A
CVE-2026-5928 🟡 MEDIUM libc-bin 2.41-12+deb13u2 N/A
CVE-2026-6238 🟡 MEDIUM libc-bin 2.41-12+deb13u2 N/A
CVE-2026-4046 🟡 MEDIUM libc6 2.41-12+deb13u2 N/A
CVE-2026-4437 🟡 MEDIUM libc6 2.41-12+deb13u2 N/A
CVE-2026-4438 🟡 MEDIUM libc6 2.41-12+deb13u2 N/A
CVE-2026-5435 🟡 MEDIUM libc6 2.41-12+deb13u2 N/A
CVE-2026-5450 🟡 MEDIUM libc6 2.41-12+deb13u2 N/A
CVE-2026-5928 🟡 MEDIUM libc6 2.41-12+deb13u2 N/A
CVE-2026-6238 🟡 MEDIUM libc6 2.41-12+deb13u2 N/A
CVE-2026-27456 🟡 MEDIUM liblastlog2-2 2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM liblastlog2-2 2.41-5 N/A
CVE-2026-34743 🟡 MEDIUM liblzma5 5.8.1-1 N/A
CVE-2026-27456 🟡 MEDIUM libmount1 2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM libmount1 2.41-5 N/A
CVE-2026-27456 🟡 MEDIUM libsmartcols1 2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM libsmartcols1 2.41-5 N/A
CVE-2026-40225 🟡 MEDIUM libsystemd0 257.9-1~deb13u1 N/A
CVE-2026-40226 🟡 MEDIUM libsystemd0 257.9-1~deb13u1 N/A
CVE-2026-4105 🟡 MEDIUM libsystemd0 257.9-1~deb13u1 N/A
CVE-2026-40225 🟡 MEDIUM libudev1 257.9-1~deb13u1 N/A
CVE-2026-40226 🟡 MEDIUM libudev1 257.9-1~deb13u1 N/A
CVE-2026-4105 🟡 MEDIUM libudev1 257.9-1~deb13u1 N/A
CVE-2026-27456 🟡 MEDIUM libuuid1 2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM libuuid1 2.41-5 N/A
CVE-2026-27456 🟡 MEDIUM login 1:4.16.0-2+really2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM login 1:4.16.0-2+really2.41-5 N/A
CVE-2026-27456 🟡 MEDIUM mount 2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM mount 2.41-5 N/A
CVE-2026-5958 🟡 MEDIUM sed 4.9-2 N/A
CVE-2026-5704 🟡 MEDIUM tar 1.35+dfsg-3.1 N/A
CVE-2026-27456 🟡 MEDIUM util-linux 2.41-5 N/A
CVE-2026-3184 🟡 MEDIUM util-linux 2.41-5 N/A
CVE-2026-27171 🟡 MEDIUM zlib1g 1:1.3.dfsg+really1.3.1-1+b1 N/A
CVE-2026-3219 🟡 MEDIUM pip 26.0.1 N/A

...and 64 more

⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype

⚠️ scanner-supply-chain - 17 vulnerabilities (17 unique)

Image: ghcr.io/huntridge-labs/argus/scanner-supply-chain:f049ad2288fb67e72e3ace632c7165e55624fd02

Combined (Deduplicated)

🚨 Critical ⚠️ High 🟡 Medium 🔵 Low Total Unique
0 9 8 0 17 17
🔷 Trivy Scanner (17 findings, 17 unique)
CVE Severity Package Version Fixed
CVE-2026-32280 ⚠️ HIGH stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32281 ⚠️ HIGH stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32283 ⚠️ HIGH stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-33810 ⚠️ HIGH stdlib v1.26.1 1.26.2
CVE-2026-33811 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-33814 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39820 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39836 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-42499 ⚠️ HIGH stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-3219 🟡 MEDIUM pip 26.0.1 N/A
CVE-2026-6357 🟡 MEDIUM pip 26.0.1 26.1
CVE-2026-32282 🟡 MEDIUM stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32288 🟡 MEDIUM stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-32289 🟡 MEDIUM stdlib v1.26.1 1.25.9, 1.26.2
CVE-2026-39823 🟡 MEDIUM stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39825 🟡 MEDIUM stdlib v1.26.1 1.25.10, 1.26.3
CVE-2026-39826 🟡 MEDIUM stdlib v1.26.1 1.25.10, 1.26.3
⚓ Grype Scanner (0 findings, 0 unique)

✅ No vulnerabilities detected by Grype


Generated by Argus

@eFAILution eFAILution merged commit 7837c6e into feat/argus-portability May 13, 2026
22 checks passed
@eFAILution eFAILution deleted the feat/scanner-container-expose-ports branch May 13, 2026 15:30