Hello,
I have identified vulnerabilities in the "oryd/keto:latest" image for the linux/amd64 architecture. I am aware that the standard procedure for reporting such vulnerabilities is to contact security@ory.sh, as outlined in the following link: https://github.com/ory/keto/security/policy.
While I have no issues following this reporting process, I believe it may impose an additional burden on the team by requiring manual checks upon request, which is a typical flow for addressing security fixes.
Instead, I am interested in adopting a more DevSecOps-oriented approach. This approach involves conducting automated vulnerability checks before pushing the image, thereby preventing its publication if it fails to meet the guidelines specified in this link: https://github.com/ory/keto/security/policy#supported-versions. Furthermore, I propose implementing a scheduled GitHub Action to examine the supported versions and identify any vulnerabilities. If vulnerabilities are detected, corresponding GitHub Issues should be opened to address them.
Given this context, I believe it would be prudent to open a feature request outlining the proposed DevSecOps approach. This will allow us to engage in a discussion before proceeding with its implementation.
Please let me know if I can create this feature request, or if you have any questions or require further clarification.
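The two workflows proposed above (a scan gate before the image is pushed, and a scheduled re-scan of supported tags that opens an issue on findings), sketched as one GitHub Actions workflow. This is an added example, not code from the issue author or from the ory/keto project. It assumes Trivy as the scanner (via the aquasecurity/trivy-action action), a Dockerfile at the repository root, Docker Hub credentials in the secrets DOCKERHUB_USERNAME and DOCKERHUB_TOKEN, and a matrix of supported tags that must be filled in from the security policy; the cron schedule, severity threshold and tag names are placeholders chosen for illustration.

```yaml
# Added example (not the project's own workflow). Assumptions are marked inline.
name: container-vulnerability-scan

on:
  push:
    tags: ['v*']            # release gate: scan the candidate image before it is published
  schedule:
    - cron: '0 6 * * 1'     # assumed schedule: weekly re-scan of published, supported tags
  workflow_dispatch:

permissions:
  contents: read
  issues: write             # the scheduled job opens issues with the default GITHUB_TOKEN

jobs:
  # 1) Gate: build locally, scan, and only push when the scan step passed.
  gate:
    if: github.event_name == 'push'
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: docker/setup-buildx-action@v3
      - name: Build the candidate image into the local Docker daemon (not pushed)
        uses: docker/build-push-action@v5
        with:
          context: .          # assumes the Dockerfile lives at the repository root
          load: true
          push: false
          tags: oryd/keto:candidate
      - name: Scan the candidate; a non-zero exit fails the job and stops the push
        uses: aquasecurity/trivy-action@master   # pin to a release tag in real use
        with:
          image-ref: oryd/keto:candidate
          format: table
          exit-code: '1'
          ignore-unfixed: true                   # only findings that have a fix block a release
          severity: CRITICAL,HIGH                # assumed threshold; align with the policy
      - name: Log in to Docker Hub (reached only after a clean scan)
        uses: docker/login-action@v3
        with:
          username: ${{ secrets.DOCKERHUB_USERNAME }}   # assumed secret names
          password: ${{ secrets.DOCKERHUB_TOKEN }}
      - name: Retag with the release tag and push
        run: |
          docker tag oryd/keto:candidate "oryd/keto:${GITHUB_REF_NAME}"
          docker push "oryd/keto:${GITHUB_REF_NAME}"

  # 2) Scheduled re-scan of every supported tag; open an issue per tag with findings.
  rescan-supported:
    if: github.event_name != 'push'
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
      matrix:
        # Assumed list: fill in from the "Supported versions" section of the security policy.
        tag: ['latest']
    steps:
      - name: Scan the published image and keep the report as a file
        id: scan
        uses: aquasecurity/trivy-action@master
        continue-on-error: true                  # keep going so the next step can react
        with:
          image-ref: oryd/keto:${{ matrix.tag }}
          format: table
          output: trivy-${{ matrix.tag }}.txt
          exit-code: '1'
          ignore-unfixed: true
          severity: CRITICAL,HIGH
      - name: Open a GitHub issue when the scan reported findings
        if: steps.scan.outcome == 'failure'      # 'failure' here means Trivy found something
        env:
          GH_TOKEN: ${{ github.token }}
        run: |
          gh issue create \
            --repo "$GITHUB_REPOSITORY" \
            --title "Vulnerabilities found in oryd/keto:${{ matrix.tag }} ($(date -u +%F))" \
            --body-file "trivy-${{ matrix.tag }}.txt"
```

Two points a maintainer would want to settle before adopting something like this: `continue-on-error: true` combined with the `steps.scan.outcome` check is what lets the scheduled job open an issue instead of simply going red, and the example does not deduplicate, so a weekly run will file a new issue for the same unfixed finding until the job is taught to search for an existing open issue first.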