lusoris/RedFlag
GitHub: lusoris/RedFlag
An automated container vulnerability scanner built on Trivy and GitHub Actions that provides continuous CVE monitoring for self-hosted applications and raises alerts through GitHub Issues.
Stars: 0 | Forks: 0
# 🚩 RedFlag
[Trivy CVE Scan workflow](https://github.com/lusoris/RedFlag/actions/workflows/scan.yml)
[Support on Ko-fi](https://ko-fi.com/lusoris)
Automated [Trivy](https://github.com/aquasecurity/trivy) vulnerability scanner for homelab container images. It scans \*arr ecosystem projects and other self-hosted tools for CRITICAL and HIGH CVEs, then creates GitHub Issues containing the detailed results.
## How it works
1. **GitHub Actions** runs on a schedule, whenever `images.yaml` changes, or manually
2. **Trivy** scans each configured container image for CRITICAL and HIGH severity vulnerabilities
3. **The diff engine** compares the results against previously reported CVEs
4. **New findings** are posted as GitHub Issues with severity labels
5. **State** is tracked in `state.json`, committed to the repository, so no external database is needed
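To make steps 2 to 5 concrete, here is an added example in Go (the project's own language) of the diff step; it is not RedFlag's code. It parses Trivy's JSON report for one image, keeps only CRITICAL and HIGH entries, skips CVE IDs already recorded in the state, and marks the new ones so the updated state can be committed. The state shape (a set of already-posted CVE IDs per image), the `NewFindings` name and the sample report are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of Trivy's JSON report (`trivy image -f json`) that the diff step needs.
type trivyReport struct {
	Results []struct {
		Vulnerabilities []struct {
			VulnerabilityID string `json:"VulnerabilityID"`
			PkgName         string `json:"PkgName"`
			Severity        string `json:"Severity"`
		} `json:"Vulnerabilities"`
	} `json:"Results"`
}

type Finding struct{ Image, CVE, Pkg, Severity string } // one not-yet-reported CRITICAL/HIGH CVE

// NewFindings parses one image's Trivy report and returns the CRITICAL/HIGH CVEs absent from
// reported, an assumed state.json entry (set of CVE IDs already posted); new IDs are added to it.
func NewFindings(image string, report []byte, reported map[string]bool) ([]Finding, error) {
	var r trivyReport
	if err := json.Unmarshal(report, &r); err != nil {
		return nil, err
	}
	var out []Finding
	for _, res := range r.Results {
		for _, v := range res.Vulnerabilities {
			if (v.Severity != "CRITICAL" && v.Severity != "HIGH") || reported[v.VulnerabilityID] {
				continue // out of scope, already posted as an issue, or repeated across packages
			}
			reported[v.VulnerabilityID] = true // marks it for the state file committed by CI
			out = append(out, Finding{image, v.VulnerabilityID, v.PkgName, v.Severity})
		}
	}
	return out, nil
}

// Constructed sample report with placeholder CVE IDs: one already in state, one new HIGH, one MEDIUM.
const sample = `{"Results":[{"Vulnerabilities":[
 {"VulnerabilityID":"CVE-0000-0001","PkgName":"openssl","Severity":"CRITICAL"},
 {"VulnerabilityID":"CVE-0000-0002","PkgName":"curl","Severity":"HIGH"},{"VulnerabilityID":"CVE-0000-0003","PkgName":"zlib","Severity":"MEDIUM"}]}]}`

func main() {
	state := map[string]bool{"CVE-0000-0001": true} // would be loaded from state.json
	found, _ := NewFindings("myorg/myapp:latest", []byte(sample), state)
	fmt.Println(found) // [{myorg/myapp:latest CVE-0000-0002 curl HIGH}]
}
```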
## Currently scanned projects
The full list of 69 images is in the table at the end of this README.
## Quick start
### 1. Fork or clone this repository
```bash
git clone https://github.com/lusoris/RedFlag.git
cd RedFlag
```
### 2. Configure images
Edit `images.yaml` to add the container images you want scanned:
```yaml
images:
  - name: MyApp
    image: myorg/myapp:latest
```
### 3. Run
No secrets are required; `GITHUB_TOKEN` is provided automatically by GitHub Actions.
Scans are triggered automatically in the following cases:
- **Scheduled**: daily at 06:00 UTC and every Monday at 03:00 UTC
- **Config change**: any push or merged PR that modifies `images.yaml`
- **Manual**: Actions > Trivy CVE Scan > Run workflow
### Local dry run
```bash
# requires trivy to be installed locally
go build -o redflag ./cmd/redflag
./redflag --config images.yaml --state state.json --dry-run
```
## Contributing a project
Want a project added to the scan list? PRs are welcome!
1. Fork this repository
2. Add your image to `images.yaml`:
   ```yaml
   - name: ProjectName
     image: owner/image:tag
   ```
3. Open a PR; CI will validate the YAML and run a scan
4. Once merged, the project is included in all future scans
See [CONTRIBUTING.md](CONTRIBUTING.md) for the full guide.
## Project structure
```
cmd/redflag/main.go          CLI entrypoint
internal/
  config/config.go           YAML config loader
  scanner/scanner.go         Trivy execution + JSON parser
  diff/diff.go               New CVE detection (vs previously posted)
  formatter/formatter.go     GitHub issue markdown builder
  notifier/github.go         GitHub Issues API client
  state/state.go             State file persistence
images.yaml                  Images to scan
state.json                   Auto-managed scan state (committed by CI)
.github/workflows/scan.yml   GitHub Actions workflow
```
## Support
If you find this tool useful, consider [buying me a coffee](https://ko-fi.com/lusoris) ☕
## License
MIT
69 images

| Project | Image |
|---------|-------|
| FileFlows | `revenz/fileflows:latest` |
| Tdarr | `haveagitgat/tdarr:latest` |
| Cleanuparr | `ghcr.io/cleanuparr/cleanuparr:latest` |
| Decluttarr | `ghcr.io/manimatter/decluttarr:latest` |
| Swaparr | `ghcr.io/thijmengthn/swaparr:latest` |
| Pulsarr | `lakker/pulsarr:latest` |
| Posterizarr | `ghcr.io/fscorrupt/posterizarr:latest` |
| Byparr | `ghcr.io/thephaseless/byparr:latest` |
| Calendarr | `ghcr.io/jordanlambrecht/calendarr:latest` |
| Trailarr | `nandyalu/trailarr:latest` |
| Lingarr | `ghcr.io/lingarr-translate/lingarr:latest` |
| Configarr | `ghcr.io/raydak-labs/configarr:latest` |
| Soularr | `ghcr.io/mrusse/soularr:latest` |
| iPlayarr | `nikorag/iplayarr:latest` |
| SuggestArr | `ciuse99/suggestarr:latest` |
| Managarr | `darkalex17/managarr:latest` |
| Seerr | `seerr/seerr:latest` |
| Homarr | `ghcr.io/homarr-labs/homarr:latest` |
| Maintainerr | `ghcr.io/maintainerr/maintainerr:latest` |
| Recyclarr | `ghcr.io/recyclarr/recyclarr:8` |
| Autobrr | `ghcr.io/autobrr/autobrr:latest` |
| Wizarr | `ghcr.io/wizarrrr/wizarr:latest` |
| Autopulse | `ghcr.io/dan-online/autopulse:latest` |
| Unpackerr | `ghcr.io/unpackerr/unpackerr:latest` |
| StashApp | `stashapp/stash:latest` |
| Sonarr | `ghcr.io/hotio/sonarr:latest` |
| Radarr | `ghcr.io/hotio/radarr:latest` |
| Lidarr | `ghcr.io/hotio/lidarr:latest` |
| Prowlarr | `ghcr.io/hotio/prowlarr:latest` |
| Bazarr | `ghcr.io/hotio/bazarr:latest` |
| Whisparr | `ghcr.io/hotio/whisparr:latest` |
| Plex | `ghcr.io/hotio/plex:latest` |
| Jellyfin | `jellyfin/jellyfin:latest` |
| Emby | `emby/embyserver:latest` |
| qBittorrent | `ghcr.io/hotio/qbittorrent:latest` |
| SABnzbd | `ghcr.io/hotio/sabnzbd:latest` |
| NZBGet | `ghcr.io/nzbgetcom/nzbget:latest` |
| Deluge | `lscr.io/linuxserver/deluge:latest` |
| Transmission | `lscr.io/linuxserver/transmission:latest` |
| Gluetun | `qmcgaw/gluetun:latest` |
| WireGuard Easy | `ghcr.io/wg-easy/wg-easy:latest` |
| Tailscale | `tailscale/tailscale:latest` |
| Traefik | `traefik:latest` |
| Nginx Proxy Manager | `jc21/nginx-proxy-manager:latest` |
| Caddy | `caddy:latest` |
| Portainer | `portainer/portainer-ce:latest` |
| Homepage | `ghcr.io/gethomepage/homepage:latest` |
| Dashy | `lissy93/dashy:latest` |
| Organizr | `organizr/organizr:latest` |
| Uptime Kuma | `louislam/uptime-kuma:latest` |
| Grafana | `grafana/grafana:latest` |
| Prometheus | `prom/prometheus:latest` |
| Pi-hole | `pihole/pihole:latest` |
| AdGuard Home | `adguard/adguardhome:latest` |
| Authelia | `authelia/authelia:latest` |
| Authentik | `ghcr.io/goauthentik/server:latest` |
| Tautulli | `ghcr.io/tautulli/tautulli:latest` |
| Audiobookshelf | `ghcr.io/advplyr/audiobookshelf:latest` |
| Kavita | `jvmilazz0/kavita:latest` |
| Komga | `gotson/komga:latest` |
| Immich | `ghcr.io/immich-app/immich-server:v2` |
| Paperless-ngx | `ghcr.io/paperless-ngx/paperless-ngx:latest` |
| Vaultwarden | `vaultwarden/server:latest` |
| Mealie | `ghcr.io/mealie-recipes/mealie:latest` |
| Home Assistant | `homeassistant/home-assistant:stable` |
| Nextcloud | `nextcloud:latest` |
| Gitea | `gitea/gitea:latest` |
| Actual Budget | `actualbudget/actual-server:latest` |
| Syncthing | `syncthing/syncthing:latest` |
| Watchtower | `containrrr/watchtower:latest` |