{"id":13533379,"url":"https://github.com/project-copacetic/copacetic","last_synced_at":"2025-10-21T04:56:10.251Z","repository":{"id":65278063,"uuid":"587859813","full_name":"project-copacetic/copacetic","owner":"project-copacetic","description":"🧵 CLI tool for directly patching container images!","archived":false,"fork":false,"pushed_at":"2025-10-15T01:59:32.000Z","size":20220,"stargazers_count":1456,"open_issues_count":32,"forks_count":102,"subscribers_count":10,"default_branch":"main","last_synced_at":"2025-10-15T04:18:00.177Z","etag":null,"topics":["cncf","compliance","container-image","container-security","containers","devsecops","docker","hacktoberfest","patching","security","security-tools","trivy","vulnerabilities","vulnerability","vulnerability-management"],"latest_commit_sha":null,"homepage":"https://project-copacetic.github.io/copacetic/","language":"Go","has_issues":true,"has_wiki":null,"has_pages":null,"mirror_url":null,"source_name":null,"license":"apache-2.0","status":null,"scm":"git","pull_requests_enabled":true,"icon_url":"https://github.com/project-copacetic.png","metadata":{"files":{"readme":"README.md","changelog":null,"contributing":"CONTRIBUTING.md","funding":null,"license":"LICENSE","code_of_conduct":"CODE_OF_CONDUCT.md","threat_model":null,"audit":null,"citation":null,"codeowners":"CODEOWNERS","security":"SECURITY.md","support":"SUPPORT.md","governance":"GOVERNANCE.md","roadmap":null,"authors":null,"dei":null,"publiccode":null,"codemeta":null,"zenodo":null,"notice":null,"maintainers":"MAINTAINERS.md","copyright":null,"agents":null,"dco":null,"cla":null}},"created_at":"2023-01-11T18:56:42.000Z","updated_at":"2025-10-15T01:10:55.000Z","dependencies_parsed_at":"2023-09-27T20:24:19.914Z","dependency_job_id":"8e1729d3-457d-4090-9f56-feae5aa9d345","html_url":"https://github.com/project-copacetic/copacetic","commit_stats":{"total_commits":57,"total_committers":6,"mean_commits":9.5,"dds":0.4385964912280702,"last_synced_commit":"282835d96ea44f41f947282
89c5068ba029d9ab7"},"previous_names":[],"tags_count":18,"template":false,"template_full_name":null,"purl":"pkg:github/project-copacetic/copacetic","repository_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-copacetic%2Fcopacetic","tags_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-copacetic%2Fcopacetic/tags","releases_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-copacetic%2Fcopacetic/releases","manifests_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-copacetic%2Fcopacetic/manifests","owner_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners/project-copacetic","download_url":"https://codeload.github.com/project-copacetic/copacetic/tar.gz/refs/heads/main","sbom_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories/project-copacetic%2Fcopacetic/sbom","scorecard":{"id":414110,"data":{"date":"2025-08-18T21:43:00Z","repo":{"name":"github.com/project-copacetic/copacetic","commit":"3b53ec45738d4d5fafeed90f3d949d56824aea0c"},"scorecard":{"version":"v5.2.1","commit":"ab2f6e92482462fe66246d9e32f642855a691dc1"},"score":8.2,"checks":[{"name":"Maintained","score":10,"reason":"30 commit(s) and 9 issue activity found in the last 90 days -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project is \"actively maintained\".","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#maintained"}},{"name":"Code-Review","score":10,"reason":"all changesets reviewed","details":null,"documentation":{"short":"Determines if the project requires human code review before pull requests (aka merge requests) are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#code-review"}},{"name":"Dangerous-Workflow","score":10,"reason":"no dangerous workflow patterns detected","details":null,"documentation":{"short":"Determines if the project's 
GitHub Action workflows avoid dangerous patterns.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dangerous-workflow"}},{"name":"Binary-Artifacts","score":10,"reason":"no binaries found in the repo","details":null,"documentation":{"short":"Determines if the project has generated executable (binary) artifacts in the source repository.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#binary-artifacts"}},{"name":"Token-Permissions","score":10,"reason":"GitHub workflow tokens follow principle of least privilege","details":["Info: jobLevel 'contents' permission set to 'read': .github/workflows/build.yml:68","Info: jobLevel 'actions' permission set to 'read': .github/workflows/codeql.yml:32","Info: jobLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:33","Warn: jobLevel 'packages' permission set to 'write': .github/workflows/mirror-tooling-images.yml:23","Info: jobLevel 'contents' permission set to 'read': .github/workflows/mirror-tooling-images.yml:24","Warn: jobLevel 'contents' permission set to 'write': .github/workflows/release-docs.yml:14","Info: jobLevel 'actions' permission set to 'read': .github/workflows/scorecards.yml:30","Info: jobLevel 'contents' permission set to 'read': .github/workflows/scorecards.yml:29","Warn: jobLevel 'actions' permission set to 'write': .github/workflows/stale.yml:15","Info: topLevel 'contents' permission set to 'read': .github/workflows/build.yml:31","Info: topLevel permissions set to 'read-all': .github/workflows/check-deps.yml:12","Info: topLevel 'contents' permission set to 'read': .github/workflows/codeql.yml:25","Info: topLevel 'contents' permission set to 'read': .github/workflows/dependency-review.yml:13","Info: topLevel 'contents' permission set to 'read': .github/workflows/deploy-docs.yaml:18","Info: topLevel permissions set to 'read-all': .github/workflows/golangci-lint.yml:18","Info: topLevel 
'contents' permission set to 'read': .github/workflows/mirror-tooling-images.yml:17","Info: topLevel 'contents' permission set to 'read': .github/workflows/release-docs.yml:8","Info: topLevel 'contents' permission set to 'read': .github/workflows/release.yml:9","Info: topLevel permissions set to 'read-all': .github/workflows/scorecards.yml:18","Info: topLevel 'contents' permission set to 'read': .github/workflows/stale.yml:9"],"documentation":{"short":"Determines if the project's workflows follow the principle of least privilege.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#token-permissions"}},{"name":"Security-Policy","score":10,"reason":"security policy file detected","details":["Info: security policy file detected: SECURITY.md:1","Info: Found linked content: SECURITY.md:1","Info: Found disclosure, vulnerability, and/or timelines in security policy: SECURITY.md:1","Info: Found text in security policy: SECURITY.md:1"],"documentation":{"short":"Determines if the project has published a security policy.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#security-policy"}},{"name":"Dependency-Update-Tool","score":10,"reason":"update tool detected","details":["Info: detected update tool: Dependabot: .github/dependabot.yml:1"],"documentation":{"short":"Determines if the project uses a dependency update tool.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#dependency-update-tool"}},{"name":"Pinned-Dependencies","score":8,"reason":"dependency not pinned by hash detected -- score normalized to 8","details":["Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:522: update your workflow using https://app.stepsecurity.io/secureworkflow/project-copacetic/copacetic/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:146: update your 
workflow using https://app.stepsecurity.io/secureworkflow/project-copacetic/copacetic/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:193: update your workflow using https://app.stepsecurity.io/secureworkflow/project-copacetic/copacetic/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:317: update your workflow using https://app.stepsecurity.io/secureworkflow/project-copacetic/copacetic/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:363: update your workflow using https://app.stepsecurity.io/secureworkflow/project-copacetic/copacetic/build.yml/main?enable=pin","Warn: third-party GitHubAction not pinned by hash: .github/workflows/build.yml:448: update your workflow using https://app.stepsecurity.io/secureworkflow/project-copacetic/copacetic/build.yml/main?enable=pin","Warn: goCommand not pinned by hash: .github/workflows/scripts/download-tooling.sh:17","Warn: goCommand not pinned by hash: .github/workflows/build.yml:495","Warn: goCommand not pinned by hash: .github/workflows/build.yml:293","Info:  51 out of  51 GitHub-owned GitHubAction dependencies pinned","Info:  36 out of  42 third-party GitHubAction dependencies pinned","Info:   3 out of   3 containerImage dependencies pinned","Info:   0 out of   3 goCommand dependencies pinned"],"documentation":{"short":"Determines if the project has declared and pinned the dependencies of its build process.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#pinned-dependencies"}},{"name":"License","score":10,"reason":"license file detected","details":["Info: project has a license file: LICENSE:0","Info: FSF or OSI recognized license: Apache License 2.0: LICENSE:0"],"documentation":{"short":"Determines if the project has defined a 
license.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#license"}},{"name":"CII-Best-Practices","score":5,"reason":"badge detected: Passing","details":null,"documentation":{"short":"Determines if the project has an OpenSSF (formerly CII) Best Practices Badge.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#cii-best-practices"}},{"name":"Packaging","score":10,"reason":"packaging workflow detected","details":["Info: Project packages its releases by way of GitHub Actions.: .github/workflows/build.yml:368"],"documentation":{"short":"Determines if the project is published as a package that others can easily download, install, easily update, and uninstall.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#packaging"}},{"name":"Fuzzing","score":0,"reason":"project is not fuzzed","details":["Warn: no fuzzer integrations found"],"documentation":{"short":"Determines if the project uses fuzzing.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#fuzzing"}},{"name":"SAST","score":10,"reason":"SAST tool is run on all commits","details":["Info: SAST configuration detected: CodeQL","Info: all commits (30) are checked with a SAST tool"],"documentation":{"short":"Determines if the project uses static code analysis.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#sast"}},{"name":"Signed-Releases","score":0,"reason":"Project has not signed or included provenance with any releases.","details":["Warn: release artifact v0.11.1 not signed: https://api.github.com/repos/project-copacetic/copacetic/releases/239085066","Warn: release artifact v0.11.0 not signed: https://api.github.com/repos/project-copacetic/copacetic/releases/229842456","Warn: release artifact v0.10.0 not signed: 
https://api.github.com/repos/project-copacetic/copacetic/releases/203966159","Warn: release artifact v0.9.0 not signed: https://api.github.com/repos/project-copacetic/copacetic/releases/182543573","Warn: release artifact v0.8.0 not signed: https://api.github.com/repos/project-copacetic/copacetic/releases/174623451","Warn: release artifact v0.11.1 does not have provenance: https://api.github.com/repos/project-copacetic/copacetic/releases/239085066","Warn: release artifact v0.11.0 does not have provenance: https://api.github.com/repos/project-copacetic/copacetic/releases/229842456","Warn: release artifact v0.10.0 does not have provenance: https://api.github.com/repos/project-copacetic/copacetic/releases/203966159","Warn: release artifact v0.9.0 does not have provenance: https://api.github.com/repos/project-copacetic/copacetic/releases/182543573","Warn: release artifact v0.8.0 does not have provenance: https://api.github.com/repos/project-copacetic/copacetic/releases/174623451"],"documentation":{"short":"Determines if the project cryptographically signs release artifacts.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#signed-releases"}},{"name":"Branch-Protection","score":5,"reason":"branch protection is not maximal on development and all release branches","details":["Info: 'allow deletion' disabled on branch 'main'","Info: 'force pushes' disabled on branch 'main'","Info: 'branch protection settings apply to administrators' is required to merge on branch 'main'","Warn: 'stale review dismissal' is disabled on branch 'main'","Warn: required approving review count is 1 on branch 'main'","Info: codeowner review is required on branch 'main'","Warn: 'last push approval' is disabled on branch 'main'","Info: status check found to merge onto on branch 'main'","Info: PRs are required in order to make changes on branch 'main'"],"documentation":{"short":"Determines if the default and release branches are protected with 
GitHub's branch protection settings.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#branch-protection"}},{"name":"Vulnerabilities","score":9,"reason":"1 existing vulnerabilities detected","details":["Warn: Project is vulnerable to: GHSA-76c9-3jph-rj3q"],"documentation":{"short":"Determines if the project has open, known unfixed vulnerabilities.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#vulnerabilities"}},{"name":"CI-Tests","score":10,"reason":"30 out of 30 merged PRs checked by a CI test -- score normalized to 10","details":null,"documentation":{"short":"Determines if the project runs tests before pull requests are merged.","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#ci-tests"}},{"name":"Contributors","score":10,"reason":"project has 15 contributing companies or organizations","details":["Info: found contributions from: Azure, CatalystCode, MicrosoftCopilot, MicrosoftDocs, azure, containerd, deis, deislabs, eraser-dev, microsoft, moby, open-policy-agent, prequel.dev, project-copacetic, software engineer @microsoft"],"documentation":{"short":"Determines if the project has a set of contributors from multiple organizations (e.g., 
companies).","url":"https://github.com/ossf/scorecard/blob/ab2f6e92482462fe66246d9e32f642855a691dc1/docs/checks.md#contributors"}}]},"last_synced_at":"2025-08-18T23:23:28.238Z","repository_id":65278063,"created_at":"2025-08-18T23:23:28.238Z","updated_at":"2025-08-18T23:23:28.238Z"},"host":{"name":"GitHub","url":"https://github.com","kind":"github","repositories_count":280207209,"owners_count":26290616,"icon_url":"https://github.com/github.png","version":null,"created_at":"2022-05-30T11:31:42.601Z","updated_at":"2022-07-04T15:15:14.044Z","status":"online","status_checked_at":"2025-10-21T02:00:06.614Z","response_time":58,"last_error":null,"robots_txt_status":"success","robots_txt_updated_at":"2025-07-24T06:49:26.215Z","robots_txt_url":"https://github.com/robots.txt","online":true,"can_crawl_api":true,"host_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub","repositories_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repositories","repository_names_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/repository_names","owners_url":"https://repos.ecosyste.ms/api/v1/hosts/GitHub/owners"}},"keywords":["cncf","compliance","container-image","container-security","containers","devsecops","docker","hacktoberfest","patching","security","security-tools","trivy","vulnerabilities","vulnerability","vulnerability-management"],"created_at":"2024-08-01T07:01:19.295Z","updated_at":"2025-10-21T04:56:10.245Z","avatar_url":"https://github.com/project-copacetic.png","language":"Go","funding_links":[],"categories":["Containers","Go","security-tools","蓝队工具","vulnerability","Build techniques"],"sub_categories":["Threat modelling","漏洞修复","Supply chain beyond libraries"],"readme":"# Project Copacetic: Directly patch container image 
vulnerabilities\n\n![GitHub](https://img.shields.io/github/license/project-copacetic/copacetic)\n[![codecov](https://codecov.io/gh/project-copacetic/copacetic/branch/main/graph/badge.svg?token=PBC8EPNHRL)](https://codecov.io/gh/project-copacetic/copacetic)\n[![OpenSSF Best Practices](https://www.bestpractices.dev/projects/8031/badge)](https://www.bestpractices.dev/projects/8031)\n[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/project-copacetic/copacetic/badge)](https://api.securityscorecards.dev/projects/github.com/project-copacetic/copacetic)\n\n\u003cimg src=\"./images/copa-color.png\" alt=\"Copa logo\" width=\"25%\" /\u003e\n\u003cbr\u003e\n\u003cbr\u003e\n\n`copa` is a CLI tool written in [Go](https://golang.org) and based on [buildkit](https://github.com/moby/buildkit) that can be used to directly patch container images without full rebuilds. `copa` can also patch container images using the vulnerability scanning results from popular tools like [Trivy](https://github.com/aquasecurity/trivy).\n\nFor more details and how to get started, please refer to [full documentation](https://project-copacetic.github.io/copacetic/).\n\n## Demo\n\n![intro](demo/copa-demo.gif)\n\n## Why?\n\nWe needed the ability to patch containers quickly without going upstream for a full rebuild. As the window between [vulnerability disclosure and active exploitation continues to narrow](https://www.bleepingcomputer.com/news/security/hackers-scan-for-vulnerabilities-within-15-minutes-of-disclosure/), there is a growing operational need to patch critical security vulnerabilities in container images so they can be quickly redeployed into production. 
The need is especially acute when those vulnerabilities are:\n\n- inherited from base images several levels deep and waiting on updated releases to percolate through the supply chain is not an option\n- found in 3rd party app images you don't maintain with update cadences that don't meet your security SLAs.\n\n![direct image patching](./website/static/img/direct-image-patching.png)\n\nIn addition to filling the operational gap not met by left-shift security practices and tools, the ability of `copa` to patch a container without requiring a rebuild of the container image provides other benefits:\n\n- Allows users other than the image publishers to also patch container images, such as DevSecOps engineers.\n- Reduces the storage and transmission costs of redistributing patched images by only creating an additional patch layer, instead of rebuilding the entire image which usually results in different layer hashes that break layer caching.\n- Reduces the turnaround time for patching a container image by not having to wait for base image updates and being a faster operation than a full image rebuild.\n- Reduces the complexity of patching the image from running a rebuild pipeline to running a single tool on the image.\n\n## How?\n\nThe `copa` tool is an extensible engine that:\n\n1. Parses the needed update packages from the container image’s vulnerability report produced by a scanner like Trivy. New adapters can be written to accommodate more report formats.\n2. Obtains and processes the needed update packages using the appropriate package manager tools such as apt, apk, etc. New adapters can be written to support more package managers.\n3. 
Applies the resulting update binaries to the container image using buildkit.\n\n![report-driven vulnerability patching](./website/static/img/vulnerability-patch.png)\n\nThis approach is motivated by the core principles of making direct container patching broadly applicable and accessible:\n\n- **Copa supports patching _existing_ container images**.\n  - Devs don't need to build their images using specific tools or modify them in some way just to support container patching.\n- **Copa works with the existing vulnerability scanning and mitigation ecosystems**.\n  - Image publishers don't need to create new workflows for container patching since Copa supports patching container images using the security update packages already being published today.\n  - Consumers do not need to migrate to a new and potentially more limited support ecosystem for custom distros or change their container vulnerability scanning pipelines to include remediation, since Copa can be integrated seamlessly as an extra step to patch containers based on those scanning reports.\n- **Copa reduces the technical expertise needed and waiting on dependencies needed to patch an image**.\n  - For OS package vulnerabilities, no specialized knowledge about a specific image is needed to patch it, as Copa relies on the vulnerability remediation knowledge already embedded in the reports produced by popular container scanning tools today.\n\n## Contributing\nThere are several ways to get involved:\n* Join the [mailing list](https://groups.google.com/g/project-copa) to get notifications for releases, security announcements, etc.\n* Join the [biweekly community meetings](https://docs.google.com/document/d/1QdskbeCtgKcdWYHI6EXkLFxyzTCyVT6e8MgB3CaAhWI/edit#heading=h.294j02tlxam) to discuss development, issues, use cases, etc.\n* Join the [`#copacetic`](https://cloud-native.slack.com/archives/C071UU5QDKJ) channel on the [CNCF Slack](https://communityinviter.com/apps/cloud-native/cncf).\n\nThe project welcomes contributions and suggestions that abide by the [CNCF Code of Conduct](./CODE_OF_CONDUCT.md).\n","project_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fproject-copacetic%2Fcopacetic","html_url":"https://awesome.ecosyste.ms/projects/github.com%2Fproject-copacetic%2Fcopacetic","lists_url":"https://awesome.ecosyste.ms/api/v1/projects/github.com%2Fproject-copacetic%2Fcopacetic/lists"}