If you run Docker containers in a homelab, you have probably wondered how many unpatched CVEs are quietly sitting in your images. I finally stopped wondering and built something to answer that question every week.
I put together a GitHub Actions workflow that automatically scans all my homelab container images and generates a categorized vulnerability report as a GitHub Issue. Here is what it does:
- Dynamic repo discovery -- finds all container repos in the GitHub org automatically. Add a new project and it gets scanned next cycle with zero configuration.
- Trivy scanning -- pulls every image referenced in the repos' docker-compose files and scans each one for HIGH and CRITICAL CVEs.
- AI-powered risk assessment -- passes scan results through Claude CLI with environment context. The AI knows which services are internet-facing, which are LAN-only, and which are behind SSO, so it prioritizes findings that actually matter.
- Structured output -- creates a GitHub Issue with findings sorted into Needs Attention, Informational, and Clean categories. Auto-closes the previous week's issue.
- Resilient design -- handles large scan outputs gracefully and, if the model's context limit is hit, retries with a compact summary of the findings.
The key differentiator over running Trivy alone is the context layer. A critical CVE in a service exposed to the internet is a different conversation than the same CVE in something only reachable from your LAN behind SSO. That prioritization is only as good as the exposure map the workflow is given, so the map has to be kept current when ports, reverse-proxy rules or SSO coverage change.
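As an added example (not code from the post or the linked repo), here is the deterministic part of that pipeline in Python: pulling image references out of a docker-compose file, flattening a Trivy JSON report down to HIGH/CRITICAL findings, and bucketing services into the post's three categories using an exposure map. The exposure map, the triage rule, the sample compose file and the Trivy-shaped reports are all constructed for the example (the CVE ids are placeholders); the post's workflow hands the prioritization step to Claude, whereas here the rule is a few explicit lines so you can see exactly why each service lands where it does.

```python
"""Compose image discovery plus exposure-aware triage of Trivy results.
Added example, not the homelab-vulnerability-scanner project's code. Assumes each image
was scanned with `trivy image --severity HIGH,CRITICAL --format json --output <file>.json <image>`
(field names below match Trivy's Results[].Vulnerabilities[] JSON layout)."""
import re
from collections import defaultdict

# Line-based regexes so this runs without PyYAML; compose files that use anchors,
# `extends` or multi-document YAML need a real YAML parser instead.
SERVICE_RE = re.compile(r"^  ([A-Za-z0-9_.-]+):\s*$")        # 2-space key under services:
IMAGE_RE = re.compile(r"""^\s+image:\s*['"]?([^'"\s#]+)""")  # image: repo/name:tag

def compose_images(text):
    """Return {service: image} for the services: block of a docker-compose file."""
    images, service, in_services = {}, None, False
    for line in text.splitlines():
        if line.startswith("services:"):
            in_services = True
            continue
        if in_services and line and not line.startswith(" "):
            in_services = False  # reached volumes:, networks:, ...
        if not in_services:
            continue
        if m := SERVICE_RE.match(line):
            service = m.group(1)
        elif (m := IMAGE_RE.match(line)) and service:
            images[service] = m.group(1)
    return images

def trivy_findings(report):
    """Flatten a Trivy JSON report to (cve, pkg, severity, fixed_version) tuples."""
    out = []
    for result in report.get("Results") or []:
        for v in result.get("Vulnerabilities") or []:  # key is null for clean targets
            if v.get("Severity") in ("HIGH", "CRITICAL"):
                out.append((v["VulnerabilityID"], v["PkgName"], v["Severity"], v.get("FixedVersion", "")))
    return out

def triage(service, findings, exposure):
    """Constructed rule: any finding on an internet-facing service, or a fixable CRITICAL
    anywhere, needs attention; other findings are informational. A service missing from
    the exposure map is treated as internet-facing so an incomplete map fails closed."""
    if not findings:
        return "Clean"
    if exposure.get(service, "internet") == "internet":
        return "Needs Attention"
    if any(sev == "CRITICAL" and fixed for _, _, sev, fixed in findings):
        return "Needs Attention"
    return "Informational"

def build_report(images, reports, exposure):
    """Return {category: [(service, image, findings)]} for the Issue body."""
    buckets = defaultdict(list)
    for service, image in images.items():
        findings = trivy_findings(reports.get(image, {}))
        buckets[triage(service, findings, exposure)].append((service, image, findings))
    return dict(buckets)

def render_issue(buckets):
    """Markdown in the post's three-section layout."""
    lines = []
    for cat in ("Needs Attention", "Informational", "Clean"):
        lines.append(f"## {cat}")
        for service, image, findings in buckets.get(cat, []):
            lines.append(f"- **{service}** (`{image}`): {len(findings)} HIGH/CRITICAL")
            for cve, pkg, sev, fixed in findings:
                lines.append(f"  - {cve} {sev} in {pkg} ({'fixed in ' + fixed if fixed else 'no fix yet'})")
    return "\n".join(lines)

# Constructed sample input; CVE ids are placeholders, not real advisories.
SAMPLE_COMPOSE = """\
services:
  nginx:
    image: nginx:1.25
    ports: ["80:80", "443:443"]
  grafana:
    image: grafana/grafana:10.2.0
  pihole:
    image: "pihole/pihole:2024.01.0"
volumes:
  grafana-data:
"""
EXPOSURE = {"nginx": "internet", "grafana": "sso", "pihole": "lan"}  # hand-maintained
SAMPLE_REPORTS = {  # shaped like `trivy image --format json`, one report per image
    "nginx:1.25": {"Results": [{"Target": "nginx:1.25 (debian 12.2)", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0001", "PkgName": "libssl3", "Severity": "HIGH", "FixedVersion": "3.0.12-1"}]}]},
    "grafana/grafana:10.2.0": {"Results": [{"Target": "grafana", "Vulnerabilities": [
        {"VulnerabilityID": "CVE-0000-0002", "PkgName": "golang.org/x/net", "Severity": "HIGH", "FixedVersion": ""},
        {"VulnerabilityID": "CVE-0000-0003", "PkgName": "libc6", "Severity": "MEDIUM", "FixedVersion": "2.36-9"}]}]},
    "pihole/pihole:2024.01.0": {"Results": [{"Target": "pihole", "Vulnerabilities": None}]},
}

if __name__ == "__main__":
    print(render_issue(build_report(compose_images(SAMPLE_COMPOSE), SAMPLE_REPORTS, EXPOSURE)))
```

With the sample data, nginx lands in Needs Attention because it is internet-facing, grafana's unfixed HIGH behind SSO is Informational, and pihole is Clean. A rule like this is also a useful guard rail next to an AI triage step: if the model's output demotes a fixable CRITICAL on an internet-facing service, the job can flag the disagreement instead of silently trusting the summary.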
I used Claude as a coding assistant throughout the build, which worked well for this kind of infrastructure automation.
Full writeup with implementation details, design decisions, and lessons learned on my blog:
https://spaceterran.com/posts/automated-vulnerability-scanning-homelab-containers-ai/
The repo is public if you want to look at the code or adapt it:
https://github.com/SpaceTerran/homelab-vulnerability-scanner