{"id":15669937,"url":"https://github.com/alexgustafsson/cupdate","last_synced_at":"2026-04-18T13:07:33.297Z","repository":{"id":256225998,"uuid":"854659462","full_name":"AlexGustafsson/cupdate","owner":"AlexGustafsson","description":"A service to keep container images secure and up-to-date. Made for Kubernetes and Docker.","archived":false,"fork":false,"pushed_at":"2026-04-11T12:50:29.000Z","size":20886,"stargazers_count":308,"open_issues_count":33,"forks_count":5,"subscribers_count":1,"default_branch":"main","last_synced_at":"2026-04-11T14:24:08.052Z","etag":null,"topics":["docker","k8s","kubernetes","self-hosted","update"],"latest_commit_sha":null,"homepage":"https://alexgustafsson.github.io/cupdate/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"mit","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/AlexGustafsson.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE.md","code_of_conduct":null,"threat_model":null,"audit":null,"citation":null,"codeowners":".github/CODEOWNERS","security":"SECURITY.md","support":null,"governance":null,"roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":null,"copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2024-09-09T15:01:23.000Z","updated_at":"2026-04-11T12:50:35.000Z","dependencies_parsed_at":"2026-03-14T20:00:50.779Z","dependency_job_id":null,"html_url":"https://github.com/AlexGustafsson/cupdate","commit_stats":{"total_commits":149,"total_committers":1,"mean_commits":149.0,"dds":0.0,"last_synced_commit":"f0dff886497e51853dcc9fab8e915314ea096e57"},"previous_names":["alexgustafsson/cupdate"],"tags_count":53,"template":false,"template_full_name":null,"purl":"pkg:github/AlexGustafsson/cupdate","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlexGustafsson%2Fcupdate","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlexGustafsson%2Fcupdate/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlexGustafsson%2Fcupdate/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlexGustafsson%2Fcupdate/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/AlexGustafsson","download_url":"https://codeload.github.com/AlexGustafsson/cupdate/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/AlexGustafsson%2Fcupdate/sbom","scorecard":{"id":159574,"data":{"date":"2025-08-16T10:46:28Z","repo":{"name":"github.com/AlexGustafsson/cupdate","commit":"c1342677f376d8554040944c154e44141119e793"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":8.2,"checks":[{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Maintained","score":10,"reason":"30 commit(s) and 7 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Code-Review","score":0,"reason":"Found 0/12 approved changesets -- score normalized to 0","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'packages' permission set to 'read': .github/workflows/demo.yaml:28","Info: jobLevel 'contents' permission set to 'read': .github/workflows/demo.yaml:78","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/dependabot.yaml:18","Info: jobLevel 'contents' permission set to 'read': .github/workflows/docker-pr.yaml:19","Info: jobLevel 'contents' permission set to 'read': .github/workflows/docker.yaml:34","Info: jobLevel 'contents' permission set to 'read': .github/workflows/vulndb.yaml:18","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/vulndb.yaml:19","Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yaml:38","Info: topLevel 'contents' permission set to 'read': .github/workflows/demo.yaml:20","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependabot.yaml:10","Info: topLevel 'contents' permission set to 'read': .github/workflows/docker-pr.yaml:11","Info: topLevel 'contents' permission set to 'read': .github/workflows/docker.yaml:26","Info: topLevel permissions set to 'read-all': .github/workflows/scorecard.yaml:14","Info: topLevel 'contents' permission set to 'read': .github/workflows/vulndb.yaml:10","Info: found token with 'none' permissions: .github/workflows/zizmor.yaml:1"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Pinned-Dependencies","score":10,"reason":"all dependencies are pinned","details":["Info:  22 out of  22 GitHub-owned GitHubAction dependencies pinned","Info:  13 out of  13 third-party GitHubAction dependencies pinned","Info:   3 out of   3 containerImage dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"Signed-Releases","score":-1,"reason":"no releases found","details":null,"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"CII-Best-Practices","score":0,"reason":"no effort to earn an OpenSSF best practices badge detected","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/docker-pr.yaml:14"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"Contributors","score":-1,"reason":"internal error: Client.Repositories.ListContributors: error during contributorsHandler.setup: error during ParseFile: line 1: invalid owner format 'AlexGustafsson' at position 3","details":null,"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}},{"name":"Branch-Protection","score":8,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Warn: 'branch protection settings apply to administrators' is disabled on branch 'main'","Info: 'stale review dismissal' is required to merge on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Info: 'last push approval' is required to merge on branch 'main'","Info: 'up-to-date branches' is required to merge on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: all commits (22) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE.md:0","Info: FSF or OSI recognized license: MIT License: LICENSE.md:0"],"documentation":{"short":"Determines if the project has defined a license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"CI-Tests","score":10,"reason":"17 out of 17 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-v6h2-p8h4-qcjw"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}}]},"last_synced_at":"2025-08-16T12:57:06.847Z","repository_id":256225998,"created_at":"2025-08-16T12:57:06.847Z","updated_at":"2025-08-16T12:57:06.847Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":286080680,"owners_count":31969846,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2026-04-18T00:39:45.007Z","status":"online","status_checked_at":"2026-04-18T02:00:07.018Z","response_time":103,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["docker","k8s","kubernetes","self-hosted","update"],"created_at":"2024-10-03T14:41:45.160Z","updated_at":"2026-04-18T13:07:33.267Z","avatar_url":"https://github.com/AlexGustafsson.png","language":"Go","funding_links":[],"categories":[],"sub_categories":[],"readme":"\u003cp align=\"center\"\u003e\n  \u003cimg src=\".github/logo.png\" alt=\"Logo\"\u003e\n\u003c/p\u003e\n\n# Cupdate\n\n[Live demo](https://alexgustafsson.github.io/cupdate).\n\nCupdate is a zero-config service that helps you keep your container images\nup-to-date. It automatically identifies container images in use in your\nKubernetes cluster or on your Docker or Podman\u003csup\u003e1\u003c/sup\u003e host. Cupdate then\nidentifies the latest available version and makes this data and more available\nto you via a UI, API or through an RSS feed.\n\nCupdate is for those who like the process of keeping their services up-to-date,\nlooking through what's outdated and what features new updates bring. Cupdate\nwill not help you deploy the updates. If you deploy your services using things\nlike [flux](https://github.com/fluxcd/flux2), then there are great services that\nwill modify your manifests for you, such as Dependabot or\n[Renovate](https://github.com/renovatebot/renovate). Cupdate is not about that,\nnor will it ever be. That's not to say that Cupdate won't integrate well with\nsuch services. Cupdate can still act as a dashboard for your deployed services,\nvisualizing images in use, versions and vulnerabilities. Cupdate's APIs can also\nbe used to write such services/scripts with ease. There are example scripts for\nKubernetes and Docker in the [cookbook](docs/cookbook/README.md).\n\nFeatures:\n\n- Performant and lightweight - uses virtually zero CPU and very little RAM\n- Auto-detect container images in use by Kubernetes, Docker or\n  Podman\u003csup\u003e1\u003c/sup\u003e (one or more hosts, local or remote)\n- Auto-detect the latest available container image versions\n- Vulnerability scanning\n  - Official and participating [Docker Hub](https://hub.docker.com) images\n    through [Docker Scout](https://docs.docker.com/scout/)\n  - Participating [Quay](https://www.projectquay.io) images through\n    [Clair](https://github.com/quay/clair)\n  - Images correlated to GitHub repositories with GitHub Advisories via\n    [vulndb](#vulndb)\n  - Images with SBOMs via [osv.dev](https://osv.dev)\n- Graphs image versions' dependants explaining why they're in use\n- UI for discovering updates, release notes and more\n- Subscribe to updates via an RSS feed\n- APIs for custom integrations\n\nSupported registries:\n\n- docker.io\n- dhi.io\n- ghcr.io\n- quay.io\n- lscr.io\n- registry.k8s.io\n- k8s.gcr.io, gke.gcr.io, gcr.io\n- registry.gitlab.com\n- ... other OCI-compliant registries (Zot, Harbor, Gitea, Forgejo)\n\nSupported data sources:\n\n- Docker Hub, Docker Scout\n- GitHub, GitHub Container Registry, GitHub Advisory Database\n- GitLab\n- Quay\n- OpenSSF Scorecard reports\n- OSV\n\n\u003csup\u003e1 Podman support is in beta and subject to change. Requires the\nDocker socket compatibility mode.\u003c/sup\u003e\n\n## Getting started\n\nCupdate can be deployed using Kubernetes, Docker or Podman\u003csup\u003e1\u003c/sup\u003e. It's\ndesigned to run well with zero or very little configuration. Refer to the\nplatform-specific documentation for more information on how to get started with\nCupdate:\n\n- Running Cupdate using Kubernetes:\n  [docs/kubernetes/README.md](docs/kubernetes/README.md)\n- Running Cupdate using Docker:\n  [docs/docker/README.md](docs/docker/README.md)\n- Running Cupdate using Podman:\n  [docs/podman/README.md](docs/podman/README.md)\n- Running Cupdate with a static set of images:\n  [docs/static/README.md](docs/static/README.md)\n\nCupdate can expose metrics and traces. For more information on how to use them,\nsee [docs/observability/README.md](docs/observability/README.md).\n\nIf you want to deploy Cupdate as a container through other means, chose the\nlatest [released version](https://github.com/AlexGustafsson/cupdate/releases)\nand refer to the general config documentation in\n[docs/config.md](docs/config.md). The `latest` tag tracks the main branch and is\ntherefore **not recommended** to use unless you want to try out the latest,\npotentially unstable features.\n\nAlthough not recommended or intended, Cupdate can be run directly on host. In\nthat case, please build Cupdate and run it using the instructions in\n[CONTRIBUTING.md](CONTRIBUTING.md).\n\n\u003csup\u003e1 Podman support is in beta and subject to change. Requires the\nDocker socket compatibility mode.\u003c/sup\u003e\n\n## Screenshots\n\nTo experience an always up-to-date version of Cupdate's UI, visit the\n[live demo](https://alexgustafsson.github.io/cupdate).\n\n| Light mode                                                                                            | Dark mode                                                                                           |\n| ----------------------------------------------------------------------------------------------------- | --------------------------------------------------------------------------------------------------- |\n| ![Dashboard screenshot in light mode](./docs/screenshots/dashboard-light.png)                         | ![Dashboard screenshot in dark mode](./docs/screenshots/dashboard-dark.png)                         |\n| ![Dashboard screenshot on small screen in light mode](./docs/screenshots/dashboard-small-light.png)   | ![Dashboard screenshot on small screen in dark mode](./docs/screenshots/dashboard-small-dark.png)   |\n| ![Image page screenshot in light mode](./docs/screenshots/image-page-light.png)                       | ![Image page screenshot in dark mode](./docs/screenshots/image-page-dark.png)                       |\n| ![Image page release screenshot page in light mode](./docs/screenshots/image-page-release-light.png)  | ![Image page release screenshot in dark mode](./docs/screenshots/image-page-release-dark.png)       |\n| ![Image page graph screenshot page in light mode](./docs/screenshots/image-page-graph-light.png)      | ![Image page graph screenshot in dark mode](./docs/screenshots/image-page-graph-dark.png)           |\n| ![Vulnerable image page screenshot in light mode](./docs/screenshots/image-page-vulnerable-light.png) | ![Vulnerable image page screenshot in dark mode](./docs/screenshots/image-page-vulnerable-dark.png) |\n\n## Vulndb\n\nVulndb is a tiny sqlite file that contains information useful to statically look\nup known vulnerabilities in container images based on their source repositories.\nFor now it uses GitHub's advisory database.\n\nFor more information see [tools/vulndb/README.md](tools/vulndb/README.md).\n\nThe database is updated daily and published as an OCI artifact used by Cupdate.\nThe artifact is available here:\n\u003chttps://github.com/AlexGustafsson/cupdate/pkgs/container/cupdate%2Fvulndb\u003e.\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexgustafsson%2Fcupdate","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Falexgustafsson%2Fcupdate","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Falexgustafsson%2Fcupdate/lists"}