Container image policy and scanning

## Pre-1.0 security item (ADR-0021)

Define base image policy and set up vulnerability scanning for container images.

### Covers two related items
1. **Base image policy**: distroless/minimal, pinned by digest
2. **Image scanning**: Trivy/Grype in CI before publishing

### When to action
When aces-provider-docker exists and builds container images.

### What the spec needs to cover
- Approved base images and update cadence
- Scanning tool choice and CI integration
- Exemption process for intentionally vulnerable aces-stdlib images
- No-secrets-in-images enforcement

### References
- STANDARDS.md §10.8
- ADR-0021 Layer 4 (Runtime and Container Security)

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Container image policy and scanning #7

Pre-1.0 security item (ADR-0021)

Covers two related items

When to action

What the spec needs to cover

References

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Container image policy and scanning #7

Description

Pre-1.0 security item (ADR-0021)

Covers two related items

When to action

What the spec needs to cover

References

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions