Initial commit

.github/workflows/update-vuln-summary.yml

@@ -0,0 +1,36 @@
+name: Update Vulnerability Summary
+
+on:
+  schedule:
+    - cron: "15 4 * * *"    # runs daily at 04:15 EST
+  workflow_dispatch:        # allow manual trigger
+
+jobs:
+  update-summary:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout repo
+        uses: actions/checkout@v4
+
+      - name: Fetch sanitized JSON
+        run: |
+          curl -sSL https://vuln.beane.me/json/trivy_sanitized.json -o trivy_sanitized.json
+
+      - name: Extract last scan summary
+        id: summary
+        run: |
+          summary=$(jq -r '"Last scan: \(.date) - Critical: \(.critical) | High: \(.high) | Medium: \(.medium) | Low: \(.low) | Total: \(.total)"' trivy_sanitized.json)
+          echo "SUMMARY=$summary" >> $GITHUB_ENV
+
+      - name: Update README
+        run: |
+          sed -i '/<!-- vuln-summary-start -->/,/<!-- vuln-summary-end -->/c\<!-- vuln-summary-start -->\n_${SUMMARY}_\n<!-- vuln-summary-end -->' README.md
+
+      - name: Commit updated summary
+        run: |
+          git config user.name "github-actions[bot]"
+          git config user.email "41898282+github-actions[bot]@users.noreply.github.com"
+          mv latest.json data/last-scan.json
+          git add data/last-scan.json
+          git commit -m "chore: update vuln summary [skip ci]" || echo "No changes to commit"
+          git push

.gitignore

@@ -0,0 +1 @@
+trivy_sanitized.json

README.md

@@ -0,0 +1,5 @@
+## 🔒 Vulnerability Summary
+
+<!-- vuln-summary-start -->
+_Last scan: pending..._
+<!-- vuln-summary-end -->