--ignore-unfixed so unpatchable base-OS CVEs don't drown the actionable ones.
Each finding now lists packages (installed -> fixed) and how many CVEs each bump
clears, criticals first, plus a 'N of M images clean' line — a to-do list, not a
wall of CVE IDs.
A single Docker image, configured entirely by env vars (SOC_URL + SOC_TOKEN +
targets). Runs once and exits; schedule with cron. Four self-skipping sources:
- surface nmap open-port/service scan (SOC_TARGETS)
- cve Trivy HIGH/CRITICAL scan of running images (Docker socket)
- tls cert-expiry / weak-TLS / missing-headers (SOC_DOMAINS)
- config 0.0.0.0 binds, --privileged, rw docker-socket mounts (Docker socket)
Stable slugs per source so SOC Center versions/diffs/alerts. Pure stdlib;
image adds nmap + trivy. MIT, intended as a public Ethica repo.