DEV Community: Space Terran

Automated Vulnerability Scanning for Homelab Containers with Trivy + AI

Space Terran — Thu, 05 Mar 2026 21:24:59 +0000

If you run Docker containers in a homelab, you have probably wondered how many unpatched CVEs are quietly sitting in your images. I finally stopped wondering and built something to answer that question every week.

I put together a GitHub Actions workflow that automatically scans all my homelab container images and generates a categorized vulnerability report as a GitHub Issue. Here is what it does:

Dynamic repo discovery -- finds all container repos in the GitHub org automatically. Add a new project and it gets scanned next cycle with zero configuration.
Trivy scanning -- pulls every image referenced in docker-compose files and runs HIGH/CRITICAL CVE scans.
AI-powered risk assessment -- passes scan results through Claude CLI with environment context. The AI knows which services are internet-facing, which are LAN-only, and which are behind SSO, so it prioritizes findings that actually matter.
Structured output -- creates a GitHub Issue with findings sorted into Needs Attention, Informational, and Clean categories. Auto-closes the previous week's issue.
Resilient design -- handles large scan outputs gracefully, retries with compact summaries if context limits are hit.

The key differentiator over just running Trivy alone is the context layer. A critical CVE in a service exposed to the internet is a different conversation than the same CVE in something only reachable from your LAN behind SSO.

I used Claude as a coding assistant throughout the build, which worked well for this kind of infrastructure automation.

Full writeup with implementation details, design decisions, and lessons learned on my blog:

https://spaceterran.com/posts/automated-vulnerability-scanning-homelab-containers-ai/

The repo is public if you want to look at the code or adapt it:

https://github.com/SpaceTerran/homelab-vulnerability-scanner