Merge pull request #15 from jski/bugfix/remove-security-scan-step

Bugfix/remove security scan step

Author: jski

.github/workflows/build.yml

@@ -183,11 +183,11 @@ jobs:
   promote:
     name: Promote to Production
     runs-on: ubuntu-latest
-    needs: [build, test, security-scan]
+    needs: [build, test]
     # Promote on:
     #   1. Normal merge to main (not force push)
     #   2. Manual workflow dispatch with promote flag enabled
-    # CRITICAL: Only runs if build, test, AND security-scan all succeed
+    # CRITICAL: Only runs if build AND test all succeed
     if: |
       (github.event_name == 'push' && github.ref == 'refs/heads/main' && !github.event.forced) ||
       (github.event_name == 'workflow_dispatch' && inputs.promote == true)
@@ -241,36 +241,6 @@ jobs:
 
           echo "✅ Successfully promoted latest tag"
 
-  security-scan:
-    name: Security Scan
-    runs-on: ubuntu-latest
-    needs: build
-    permissions:
-      contents: read
-      security-events: write
-    steps:
-      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
-        with:
-          image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:3.14-${{ github.sha }}
-          format: 'sarif'
-          output: 'trivy-results.sarif'
-          severity: 'CRITICAL,HIGH'
-
-      - name: Upload Trivy results to GitHub Security
-        uses: github/codeql-action/upload-sarif@v4
-        if: always()
-        with:
-          sarif_file: 'trivy-results.sarif'
-
-      - name: Print Trivy results summary
-        uses: aquasecurity/trivy-action@master
-        if: always()
-        with:
-          image-ref: ghcr.io/${{ github.repository_owner }}/python-container-builder:3.14-${{ github.sha }}
-          format: 'table'
-          severity: 'CRITICAL,HIGH'
-
   test:
     name: Test Images
     runs-on: ubuntu-latest

README.md

@@ -60,11 +60,11 @@ This approach gives you the reliability of official Python builds while maintain
 
 ### Security
 
-This project includes automated security measures:
-- 🔒 **Nightly Vulnerability Scanning**: All images scanned with [Trivy](https://github.com/aquasecurity/trivy) for CRITICAL and HIGH severity vulnerabilities
-- 🔄 **Automated Dependency Updates**: [Dependabot](https://github.com/dependabot) monitors base images and GitHub Actions for security updates
-- 📊 **Transparent Results**: Scan results available in the [Security tab](https://github.com/jski/python-container-builder/security/code-scanning)
+This project prioritizes security through:
 - 🏗️ **Official Base Images**: Built from official Python and Debian Docker images, ensuring timely security patches
+- 🔄 **Automated Dependency Updates**: [Dependabot](https://github.com/dependabot) monitors base images and GitHub Actions for security updates
+- 🔒 **Distroless Runtime**: The recommended pattern copies only the Python virtualenv to a distroless runtime, minimizing attack surface
+- 📦 **Isolated Dependencies**: Virtual environment isolation ensures clean dependency management
 
 ## Goals
 This project seeks to: