Commit Graph

5 Commits

Author SHA1 Message Date
Steffen Skui 2ff4e703c4 cve: exclude the collector's own container from the scan (+ SOC_EXCLUDE_IMAGES)
Build and push soc-collector / build (push) Successful in 5s
2026-06-25 10:31:40 +02:00
Steffen Skui 9277db02a5 collector: tag CVEs yours/upstream/update + stop flagging the edge
Build and push soc-collector / build (push) Successful in 7s
cve: each image now carries an UPDATE STATUS in its title — [yours] (git.skui.io image,
fix in its repo), [update] (third-party, a NEWER image is published -> pull it), or
[upstream] (already running the latest published image -> clears only when the maintainer
rebuilds). 'Fixable' just means a patched package exists, not that you can apply it; the
status makes that explicit, and actionable findings now sort above the can't-touch ones.

config: the designated edge (SOC_EDGE, default 'traefik') is allowed to own 0.0.0.0:80/443
-- that is its job -- so it's reported as good rather than a false-positive finding.
2026-06-24 21:46:24 +02:00
Steffen Skui 67eaf409b9 collector: emit ONE consolidated report per run (SOC_SLUG), not one per source
Build and push soc-collector / build (push) Successful in 6s
All enabled sources merge into a single report keyed by SOC_SLUG, criticals first.
One server = one report; run per server with a distinct SOC_SLUG. Avoids the
4-reports-per-host explosion when scanning several servers. README updated.
2026-06-24 18:42:38 +02:00
Steffen Skui 800bda12cb cve: report only fixable CVEs, grouped by package with the version to bump
Build and push soc-collector / build (push) Successful in 6s
--ignore-unfixed so unpatchable base-OS CVEs don't drown the actionable ones.
Each finding now lists packages (installed -> fixed) and how many CVEs each bump
clears, criticals first, plus a 'N of M images clean' line — a to-do list, not a
wall of CVE IDs.
2026-06-24 18:37:15 +02:00
Steffen Skui 7336b17f79 soc-collector: run-anywhere scanner that pushes reports to SOC Center
Build and push soc-collector / build (push) Successful in 31s
A single Docker image, configured entirely by env vars (SOC_URL + SOC_TOKEN +
targets). Runs once and exits; schedule with cron. Four self-skipping sources:
  - surface     nmap open-port/service scan (SOC_TARGETS)
  - cve         Trivy HIGH/CRITICAL scan of running images (Docker socket)
  - tls         cert-expiry / weak-TLS / missing-headers (SOC_DOMAINS)
  - config      0.0.0.0 binds, --privileged, rw docker-socket mounts (Docker socket)
Stable slugs per source so SOC Center versions/diffs/alerts. Pure stdlib;
image adds nmap + trivy. MIT, intended as a public Ethica repo.
2026-06-24 18:17:39 +02:00