Has anyone thought about how to implement Docker image vulnerability scanning? It's a little tricky, I think, because with Amazon ECR the images are scanned on/after push, so we would probably want something we can run as a follow-up to say "for any of the images built from this source, do they have any critical vulns?"
Separately I think we would want something ideally to check the deployed image versions for new vulnerabilities (post build), but that's not something we would do with Pants.
I'm thinking Pants should know what the built images are - not sure how to get the outputs - and we could feed that into a follow-on GitHub Actions workflow.
Anyway, just a thought bubble at this stage...
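One way to build the follow-up check the post describes, as an added example that is not Pants' code or the poster's: a pure gate over Amazon ECR `describe_image_scan_findings` responses that fails on CRITICAL findings and refuses to pass an image whose scan has not finished. The repository names, digests, sample responses and the CRITICAL-only threshold are assumptions; only `fetch_scan` talks to AWS.

```python
"""Gate a CI job on Amazon ECR image scan results for a list of built images.

Added example: evaluate_scan()/gate() are pure and run offline on the
constructed responses below; fetch_scan() is the only part that calls AWS.
"""
from typing import Any, Dict

# Severities that must be absent for the gate to pass (assumption: CRITICAL only).
BLOCKING_SEVERITIES = {"CRITICAL"}
# ECR scan statuses under which findings are final (ACTIVE = enhanced scanning).
DONE_STATUSES = {"COMPLETE", "ACTIVE"}


def evaluate_scan(response: Dict[str, Any], blocking=BLOCKING_SEVERITIES) -> Dict[str, Any]:
    """Decide PASS/FAIL/PENDING/ERROR from one describe_image_scan_findings response.

    A scan that has not completed is PENDING, never PASS: an image with no
    findings because it was not scanned yet must not slip through the gate.
    """
    status = response.get("imageScanStatus", {}).get("status")
    if status in ("IN_PROGRESS", "PENDING"):
        return {"status": "PENDING", "counts": {}}
    if status not in DONE_STATUSES:
        return {"status": "ERROR", "counts": {}}
    counts = response.get("imageScanFindings", {}).get("findingSeverityCounts", {})
    blocked = {sev: n for sev, n in counts.items() if sev in blocking and n > 0}
    return {"status": "FAIL" if blocked else "PASS", "counts": counts}


def fetch_scan(repository: str, digest: str, region: str = "us-east-1") -> Dict[str, Any]:
    """Fetch scan findings for one image by digest (needs boto3 and AWS credentials)."""
    import boto3  # imported lazily so the gate logic above runs without AWS
    ecr = boto3.client("ecr", region_name=region)
    return ecr.describe_image_scan_findings(
        repositoryName=repository, imageId={"imageDigest": digest})


def gate(results: Dict[str, Dict[str, Any]]) -> bool:
    """True only if every image has a finished scan with no blocking findings."""
    return all(evaluate_scan(r)["status"] == "PASS" for r in results.values())


# Constructed sample responses shaped like the ECR API output (not real scans).
SAMPLE_RESPONSES = {
    "app@sha256:aaa": {"imageScanStatus": {"status": "COMPLETE"},
                       "imageScanFindings": {"findingSeverityCounts": {"HIGH": 2, "LOW": 5}}},
    "app@sha256:bbb": {"imageScanStatus": {"status": "COMPLETE"},
                       "imageScanFindings": {"findingSeverityCounts": {"CRITICAL": 1}}},
    "app@sha256:ccc": {"imageScanStatus": {"status": "IN_PROGRESS"}},
}

if __name__ == "__main__":
    for name, resp in SAMPLE_RESPONSES.items():
        print(name, evaluate_scan(resp))
    print("gate passed:", gate(SAMPLE_RESPONSES))
```

In a follow-on workflow the image list Pants produced would be fed to `fetch_scan` per image, and a PENDING result would be retried rather than treated as clean.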