Container Scanning Enablement
As part of the Vulnerability Management team I'm currently working on ensuring that we have container scanning coverage for images that we ship, including the OpenTofu component container images.
We have an (internal) paved roads document which describes our preferred settings and the logic behind them, but looking at the existing CICD configuration it seems like engineering issues with self-hosted forced the standard container scanning method to be disabled, after it was enabled in the past.
I don't have a solution to those issues, but we do have a managed environment where our team can run the scans outside of this project and raise any vulnerabilities as confidential issues. If I set this up for the opentofu container image it would sidestep the self-hosted build issues but still let project members know about found vulnerabilities and give us scan coverage.
The workflow around scanning multiple image variants (opentofu versions, alpine/debian) still needs work, so for the moment I'd like to limit the scan to the latest alpine-based image to avoid raising multiple redundant issues for the same vulnerability.
Before I set anything up I have some questions:
- Is `components/opentofu` the best project to raise vulnerability issues in? I can point the issue creation to a different project if it makes more sense.
- Are there any standard labels you'd like applied to the issues? (e.g. group/team labels)
- Do you have any other questions or concerns about us running scans and raising confidential issues for vulnerabilities found in this component's images?