feat: add penetration testing system with grouped findings UI

CHANGELOG.md

@@ -7,6 +7,18 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Added
+- **Penetration testing system** — Built-in security scanner with 7 modules that scan container endpoints and dependencies:
+  - **Built-in modules**: `ports` (open port detection), `headers` (HTTP security header audit), `tls` (weak protocol/cipher/cert checks), `web` (exposed .env/.git/debug endpoints), `dns` (dangling CNAMEs, missing SPF/DMARC/DKIM)
+  - **External tool modules**: `nuclei` (template-based vulnerability scanning) and `trivy` (container filesystem CVE scanning via rootfs inspection) — auto-installable from the UI
+  - 8 gRPC/REST endpoints (`/v1/pentest/*`): trigger scans, list findings with severity/category/status filters, suppress findings, view scan history, install tools
+  - Async job queue with 5 concurrent workers, SHA-256 fingerprint-based finding deduplication, scheduled scans (default 24h), 90-day retention
+  - Proto definitions (`proto/containarium/v1/pentest.proto`), server implementation, and web UI (Security > Pentest tab)
+- **Demo page: Pentest tab** — New demo tab showcasing the pentest findings view with grouped-by-container layout and mock data.
+
+### Changed
+- **Pentest findings grouped by container** — The Security > Pentest tab now groups findings by container name instead of showing a flat list. Each group has a collapsible header showing the container name and finding count, sorted by most findings first. Container names are extracted from target strings (e.g., `voicegpt-container (usr/bin/docker)` → `voicegpt-container`, `10.0.3.136:8080 (pes-container)` → `pes-container`).
+
 ## [v0.12.0] - 2026-03-15
 
 ### Added

README.md

@@ -8,25 +8,31 @@ Built with LXC, SSH jump hosts, and cloud-native automation.
 ✅ Just fast, cheap, isolated Linux environments
 
 ### Container Management
-![Container Dashboard](docs/screenshots/dashboard-1.png)
-
-### App Hosting
-![Apps Dashboard](docs/screenshots/dashboard-2.png)
+![Container Dashboard](docs/screenshots/dashboard-container.png)
 
 ### Container List View
-![Container List](docs/screenshots/dashboard-3.png)
+![Container List](docs/screenshots/dashboard-container-listview.png)
+
+### App Hosting
+![Apps Dashboard](docs/screenshots/dashboard-app.png)
 
 ### Network Topology
-![Network Topology](docs/screenshots/dashboard-4.png)
+![Network Topology](docs/screenshots/dashboard-network.png)
 
 ### Traffic Monitoring
-![Traffic Monitor](docs/screenshots/dashboard-5.png)
+![Traffic Monitor](docs/screenshots/dashboard-traffic.png)
 
 ### Monitoring Dashboard
-![Monitoring Dashboard](docs/screenshots/dashboard-6.png)
+![Monitoring Dashboard](docs/screenshots/dashboard-monitoring.png)
+
+### Alerts
+![Alerts](docs/screenshots/dashboard-alert.png)
+
+### Audit Logs
+![Audit Logs](docs/screenshots/dashboard-audit.png)
 
 ### Security Scanning
-![Security Scanning](docs/screenshots/dashboard-7.png)
+![Security Scanning](docs/screenshots/dashboard-security.png)
 
 🌐 **Live Demo:** [https://containarium.kafeido.app/webui/demo](https://containarium.kafeido.app/webui/demo)