From 60d2093c4a52828ff2b4acbb36e92e6c5d9c6543 Mon Sep 17 00:00:00 2001 From: Tung Bui Date: Mon, 13 Jul 2026 08:22:33 +0700 Subject: [PATCH] docs: reinforce version/security trust messaging in README Add an explicit statement in the Security section that any published tag - latest or a pinned vX.Y.Z release - reflects a specific, verified, vulnerability-scanned set of tool versions rather than a silently drifting image. Also tightened the "Efficient Updates" bullet in Key Features, which previously promised weekly rebuilds - not accurate today, since fixing the version-check automation (which #267 addressed) is separate from actually auto-triggering a publish. Reworded it to describe what's true now instead of a cadence that isn't guaranteed yet. --- README.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/README.md b/README.md index 4587855..52de51e 100644 --- a/README.md +++ b/README.md @@ -19,7 +19,7 @@ - **Comprehensive Toolset**: Pre-installed with tools like Git, Python, Ansible, Terraform, kubectl, Helm, GitHub CLI, AWS CLI, Azure CLI, and more. - **Easy Integration**: Use it directly or customize it with your preferred versions. -- **Efficient Updates**: Weekly updates ensure the latest versions and security patches. +- **Efficient Updates**: Tool versions are checked automatically and verified against the real installed binaries before every release, so published images track current, patched versions rather than drifting silently. - **Configuration Reusability**: Mounts host config folders for seamless reuse across sessions. ## Getting Started @@ -122,6 +122,8 @@ And more tools to be implemented... ## Security 🔒 +Whichever tag you pull — `latest` or a pinned `vX.Y.Z` release — you're getting a specific, reproducible set of tool versions, not a silently drifting image. Every version we ship is built from the exact tool versions recorded in [`toolkit_info.json`](./toolkit_info.json), verified against the real installed binaries, and scanned for vulnerabilities before it's published, so you can standardize on the toolkit without re-verifying it yourself each time. + - Every image is scanned for `CRITICAL`/`HIGH` vulnerabilities with [Trivy](https://github.com/aquasecurity/trivy) before it is merged and before it is published to Docker Hub — builds with fixable findings are blocked. - The published `latest` image is re-scanned on a recurring schedule, and all scan results are published to this repo's [Security tab](https://github.com/tungbq/devops-toolkit/security/code-scanning). - A CycloneDX SBOM is generated for every `main` and release build.