SocketDev
diff --git a/‎README.md‎
Lines changed: 21 additions & 10 deletions b/‎README.md‎
Lines changed: 21 additions & 10 deletions
diff --git a/‎action.yml‎
Lines changed: 4 additions & 4 deletions b/‎action.yml‎
Lines changed: 4 additions & 4 deletions
diff --git a/‎docs/github-action.md‎
Lines changed: 73 additions & 44 deletions b/‎docs/github-action.md‎
Lines changed: 73 additions & 44 deletions
@@ -43,7 +43,8 @@ jobs:
           socket_security_api_key: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 ```
 
-> **Why pin to a SHA?** Socket Basics is a security tool — its own supply-chain
+> [!NOTE]
+> Why pin to a SHA? Socket Basics is a security tool, so its own supply-chain
 > integrity matters. Version tags can be force-pushed or deleted; a commit SHA is
 > immutable. Dependabot manages the upgrade automatically so you still get updates
 > with a review gate. See [docs/github-action.md](docs/github-action.md#pinning-strategies)
@@ -54,7 +55,7 @@ jobs:
 ### What You Get
 
 - ✅ **Zero Configuration Required** — Configure scanning policies in the Socket Dashboard
-- ✅ **All Scanners Included** — SAST, secrets, containers, and dependency analysis
+- ✅ **Unified Scanning** — SAST, secrets, dependency analysis, and native container scanning support
 - ✅ **PR Comments** — Automated security findings on pull requests
 - ✅ **Centralized Management** — Update policies across all repos from one place
 
@@ -64,6 +65,16 @@ jobs:
 
 Socket Basics can also run locally or in other CI/CD environments:
 
+> [!NOTE]
+> Container and Dockerfile scanning remain part of Socket Basics, but the current
+> GitHub Action and pre-built image paths have Trivy-backed support temporarily
+> disabled while we complete additional security review of the underlying scanner
+> dependency path. If container or Dockerfile scanning is a near-term
+> requirement, the [native installation path](docs/local-installation.md) remains
+> available as a temporary workaround while the pre-built path is under
+> additional review. Review the upstream install path and artifacts carefully
+> before adopting it in production CI.
+
 - **[Pre-Commit Hook](docs/pre-commit-hook.md)** — Catch issues before they're committed
 - **[Local Docker Installation](docs/local-install-docker.md)** — Run in Docker with no tool installation required
 - **[Local Installation](docs/local-installation.md)** — Install security tools natively on your machine
@@ -73,7 +84,7 @@ Socket Basics can also run locally or in other CI/CD environments:
 **Built-in Security Scanners:**
 - 🔍 **SAST** — Static analysis for 15+ languages (Python, JavaScript, Go, Java, Ruby, C#, and more)
 - 🔐 **Secret Scanning** — Detect leaked credentials and API keys with TruffleHog
-- 🐳 **Container Scanning** — Vulnerability scanning for Docker images and Dockerfiles with Trivy
+- 🐳 **Container Scanning** — Trivy-backed image and Dockerfile scanning for native installs
 - 📦 **Dependency Analysis** — Socket Tier 1 reachability analysis for supply chain security
 
 **Enterprise Features** (requires [Socket Enterprise](https://socket.dev/enterprise)):
@@ -108,8 +119,7 @@ Every feature is customizable via GitHub Actions inputs, CLI flags, or environme
 - [PR Comment Guide](docs/github-pr-comment-guide.md) — Detailed guide to PR comment customization
 - [Pre-Commit Hook Setup](docs/pre-commit-hook.md) — Two installation methods (Docker vs native)
 - [Local Docker Installation](docs/local-install-docker.md) — Run with Docker, no tools to install
-- [Local Installation](docs/local-installation.md) — Install Socket CLI, Trivy, and other tools natively
-- [Releasing](docs/releasing.md) — Maintainer guide: How to cut a release for Socket Basics
+- [Local Installation](docs/local-installation.md) — Install Socket CLI and other tools natively with version pinning guidance
 
 ### Configuration
 All configuration can be managed through:
@@ -153,16 +163,18 @@ For GitHub Actions, see the [Quick Start](#-quick-start---github-actions) above
 
 ```bash
 # Pull the pre-built image (recommended — no build step required)
-docker pull socketdev/socket-basics:1.1.3
+docker pull ghcr.io/socketdev/socket-basics:2.0.2
 
 # Run scan
-docker run --rm -v "$PWD:/workspace" socketdev/socket-basics:1.1.3 \
+docker run --rm -v "$PWD:/workspace" ghcr.io/socketdev/socket-basics:2.0.2 \
   --workspace /workspace \
   --python-sast-enabled \
   --secret-scanning-enabled \
   --console-tabular-enabled
 ```
 
+The pre-built image is versioned and intended to be pinned exactly. Avoid floating tags like `:latest` in CI.
+
 📖 **[View Docker Installation Guide](docs/local-install-docker.md)**
 
 ### CLI
@@ -175,12 +187,12 @@ socket-basics --python --secrets --containers --verbose
 
 ## 🔧 Requirements
 
-**For GitHub Actions & Docker:** No installation needed — all tools are bundled in the container.
+**For GitHub Actions & Docker:** No local installation needed for the supported bundled scanners.
 
 **For Local Installation:**
 - Python 3.10+
 - [Socket CLI](https://docs.socket.dev/docs/cli) (for dependency analysis)
-- [Trivy](https://github.com/aquasecurity/trivy) (for container scanning)
+- [Trivy](https://github.com/aquasecurity/trivy) (for native container scanning)
 - [OpenGrep/Semgrep](https://semgrep.dev/) (for SAST)
 - [TruffleHog](https://github.com/trufflesecurity/trufflehog) (for secret scanning)
 
@@ -258,7 +270,6 @@ We welcome contributions! To add new features:
 2. **New Notifiers:** Implement under `socket_basics/core/notification/`
 3. **Configuration:** Add entries to `socket_basics/connectors.yaml` or `socket_basics/notifications.yaml`
 4. **Testing:** See [Testing](#-testing) section below
-5. **Releasing:** See [docs/releasing.md](docs/releasing.md) for the maintainer release process
 
 ## 🧪 Testing
 
 
@@ -383,19 +383,19 @@ inputs:
     required: false
     default: "false"
   trivy_disabled_rules:
-    description: "Comma-separated list of Trivy rules to disable"
+    description: "Comma-separated list of Trivy rules to disable. Trivy-backed scanning is temporarily unavailable in the pre-built GitHub Action image."
     required: false
     default: ""
   trivy_image_scanning_disabled:
-    description: "Disable Trivy image scanning"
+    description: "Disable Trivy image scanning. Trivy-backed scanning is temporarily unavailable in the pre-built GitHub Action image."
     required: false
     default: "false"
   trivy_notification_method:
-    description: "Notification method for Trivy (e.g., console, slack)"
+    description: "Notification method for Trivy (e.g., console, slack). Trivy-backed scanning is temporarily unavailable in the pre-built GitHub Action image."
     required: false
     default: ""
   trivy_vuln_enabled:
-    description: "Enable Trivy vulnerability scanning for all supported language ecosystems"
+    description: "Enable Trivy vulnerability scanning for all supported language ecosystems. Trivy-backed scanning is temporarily unavailable in the pre-built GitHub Action image."
     required: false
     default: "false"
   trufflehog_exclude_dir:
 
@@ -5,7 +5,7 @@ Complete guide to integrating Socket Basics into your GitHub Actions workflows f
 ## Table of Contents
 
 - [Quick Start](#quick-start)
-- [Performance and Caching](#performance-and-caching) *(maintainers: see [releasing.md](releasing.md))*
+- [Performance and Caching](#performance-and-caching)
 - [Basic Configuration](#basic-configuration)
 - [Enterprise Features](#enterprise-features)
 - [Advanced Workflows](#advanced-workflows)
@@ -57,10 +57,10 @@ With just your `SOCKET_SECURITY_API_KEY`, all scanning configurations are manage
 
 ### How the action is currently built
 
-When you reference `uses: SocketDev/socket-basics@v2.0.2`, GitHub Actions builds the
-`Dockerfile` from source at the start of every workflow run. As of `1.1.3` the
-Dockerfile uses a **multi-stage build** with BuildKit cache mounts, which provides
-two categories of improvement:
+When you reference `uses: SocketDev/socket-basics@v2.0.2`, GitHub Actions pulls the
+pre-built image referenced by [`action.yml`](../action.yml). The historical multi-stage
+Docker build still matters for maintainers because it determines what lands in the
+published image:
 
 | Improvement | Benefit |
 |-------------|---------|
@@ -69,27 +69,23 @@ two categories of improvement:
 | `--mount=type=cache` for apt / uv / npm | Faster repeated builds locally and on self-hosted runners with a persistent cache |
 
 **On standard GitHub-hosted runners** (ephemeral, no persistent Docker cache between
-jobs), the multi-stage improvement is most visible when the same runner picks up a
-cached layer — typically within a workflow run or when GitHub's runner image itself
-includes the base layers. Cold runs still download and run all tool-install steps.
+jobs), users mainly benefit from pulling a ready-made image instead of rebuilding
+Socket Basics from source in every workflow run.
 
 ### Pre-built image
 
 Starting with v2, the action pulls a pre-built image from GHCR rather than
-building from source on every run. Pinning to a specific version tag (e.g. `@v2.0.0`)
+building from source on every run. Pinning to a specific version tag (e.g. `@v2.0.2`)
 means the action starts in seconds — the image is built, integration-tested, and
 published before the release tag is ever created.
 
-> **Maintainers:** see [releasing.md](releasing.md) for the publish-before-tag
-> release process and the PR checklist.
-
 ### If you're running socket-basics outside of the GitHub Action
 
 If you run socket-basics in other CI systems (Jenkins, GitLab, CircleCI, etc.) or
 as a standalone `docker run`, pull the pre-built image directly:
 
 ```bash
-docker pull ghcr.io/socketdev/socket-basics:1.1.3
+docker pull ghcr.io/socketdev/socket-basics:2.0.2
 ```
 
 See [Local Docker Installation](local-install-docker.md) for usage examples.
@@ -104,15 +100,15 @@ is immediately affected. We've seen this happen across the ecosystem:
   A single bad push silently reaches all users with no review gate. This is
   structurally identical to `docker pull :latest` — the anti-pattern we
   explicitly warn against in our Docker docs.
-- **Version tags** (`@v2.0.0`) are better, but tags are mutable by default.
+- **Version tags** (`@v2.0.2`) are better, but tags are mutable by default.
   A tag can be deleted and recreated pointing at a different commit. There are
   documented cases of this happening — maliciously and accidentally.
 - **Commit SHAs** are the only truly immutable reference. A SHA cannot be
   reassigned. Combined with Dependabot, you get automated upgrades with a
   human review gate at zero ongoing maintenance cost.
 
 We don't publish a floating major tag (`v2`). We do publish immutable version
-tags (`v2.0.0`) protected by tag protection rules in GitHub — but SHA pinning
+tags (`v2.0.2`) protected by tag protection rules in GitHub — but SHA pinning
 is still the recommendation for defence in depth.
 
 ### Pinning strategies
@@ -128,14 +124,14 @@ The only truly immutable reference. Dependabot keeps it current automatically.
 ```yaml
 - name: Run Socket Basics
   # Dependabot keeps this SHA up to date — see .github/dependabot.yml setup below.
-  uses: SocketDev/socket-basics@<sha>  # v2.0.0
+  uses: SocketDev/socket-basics@<sha>  # v2.0.2
   with:
     socket_security_api_key: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 ```
 
 Get the SHA for any release:
 ```bash
-git ls-remote https://github.com/SocketDev/socket-basics refs/tags/v2.0.0
+git ls-remote https://github.com/SocketDev/socket-basics refs/tags/v2.0.2
 ```
 
 ---
@@ -168,7 +164,7 @@ updates:
 ```
 
 Dependabot opens a PR for each new release, updating the SHA or version tag
-and keeping the `# v2.0.0` comment in sync. You review, approve, and merge
+and keeping the `# v2.0.2` comment in sync. You review, approve, and merge
 on your own schedule — automated upgrades with a human gate.
 
 ---
@@ -178,7 +174,7 @@ on your own schedule — automated upgrades with a human gate.
 | Strategy | Immutable? | Auto-updates | Review gate |
 |---|---|---|---|
 | `@v2` floating tag | ❌ (not published) | — | — |
-| `@v2.0.0` + Dependabot | ✅ (tag protection enforced) | Yes (weekly PR) | Yes |
+| `@v2.0.2` + Dependabot | ✅ (tag protection enforced) | Yes (weekly PR) | Yes |
 | `@<sha>` + Dependabot | ✅ always | Yes (weekly PR) | Yes |
 
 ## Basic Configuration
@@ -235,12 +231,21 @@ Include these in your workflow's `jobs.<job_id>.permissions` section.
 - uses: SocketDev/socket-basics@v2.0.2
   with:
     github_token: ${{ secrets.GITHUB_TOKEN }}
-    # Scan Docker images (auto-enables container scanning)
-    container_images: 'myorg/myapp:latest,redis:7'
-    # Scan Dockerfiles (auto-enables Dockerfile scanning)
-    dockerfiles: 'Dockerfile,docker/Dockerfile.prod'
+    # Trivy-backed container scanning is temporarily not available in the
+    # pre-built GitHub Action image. Use a native install if you need it today.
+    # See docs/local-installation.md.
 ```
 
+> [!NOTE]
+> Container and Dockerfile scanning remain part of Socket Basics, but the current
+> GitHub Action and pre-built image paths have Trivy-backed support temporarily
+> disabled while we complete additional security review of the underlying scanner
+> dependency path. If container or Dockerfile scanning is a near-term
+> requirement, the [native installation path](local-installation.md) remains
+> available as a temporary workaround while the pre-built path is under
+> additional review. Review the upstream install path and artifacts carefully
+> before adopting it in production CI.
+
 **Socket Tier 1 Reachability:**
 ```yaml
 - uses: SocketDev/socket-basics@v2.0.2
@@ -298,7 +303,8 @@ Configure Socket Basics centrally from the [Socket Dashboard](https://socket.dev
     socket_security_api_key: ${{ secrets.SOCKET_SECURITY_API_KEY }}
 ```
 
-> **Note:** You can also pass credentials using environment variables instead of the `with:` section:
+> [!NOTE]
+> You can also pass credentials using environment variables instead of the `with:` section:
 > ```yaml
 > - uses: SocketDev/socket-basics@v2.0.2
 >   env:
@@ -423,9 +429,6 @@ jobs:
           secret_scanning_enabled: 'true'
           socket_tier_1_enabled: 'true'
           
-          # Container scanning
-          dockerfiles: 'Dockerfile'
-          
           # Notifications (Enterprise)
           slack_webhook_url: ${{ secrets.SLACK_WEBHOOK_URL }}
 ```
@@ -480,6 +483,21 @@ jobs:
 
 ### Container Security Pipeline
 
+> [!NOTE]
+> Container and Dockerfile scanning remain part of Socket Basics, but the current
+> pre-built GitHub Action path has Trivy-backed support temporarily disabled while
+> we complete additional security review of the underlying scanner dependency path.
+> If container or Dockerfile scanning is a near-term requirement, the
+> [native installation path](local-installation.md) remains available as a
+> temporary workaround while the pre-built path is under additional review.
+> Review the upstream install path and artifacts carefully before adopting it in
+> production CI.
+
+> [!WARNING]
+> This fallback path relies on upstream Trivy installation material outside the
+> pinned pre-built distribution model. Review the upstream install path and
+> artifacts carefully before using it in production CI.
+
 ```yaml
 name: Container Security
 on:
@@ -504,19 +522,16 @@ jobs:
       - name: Build Docker Image
         run: docker build -t myapp:${{ github.sha }} .
       
+      - name: Install pinned Trivy
+        run: |
+          TRIVY_VERSION=0.69.3
+          curl -fsSL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh \
+            | sh -s -- -b /usr/local/bin "v${TRIVY_VERSION}"
+
       - name: Scan Container
-        uses: SocketDev/socket-basics@v2.0.2
-        env:
-          GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
-        with:
-          github_token: ${{ secrets.GITHUB_TOKEN }}
-          
-          # Scan built image and Dockerfile
-          container_images: 'myapp:${{ github.sha }}'
-          dockerfiles: 'Dockerfile'
-          
-          # Additional Trivy options
-          trivy_vuln_enabled: 'true'
+        run: |
+          trivy image --exit-code 1 --severity HIGH,CRITICAL "myapp:${{ github.sha }}"
+          trivy config --exit-code 1 --severity HIGH,CRITICAL Dockerfile
 ```
 
 ### Dockerfile Auto-Discovery
@@ -573,8 +588,10 @@ jobs:
           GITHUB_PR_NUMBER: ${{ github.event.pull_request.number || github.event.issue.number }}
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          dockerfiles: ${{ needs.discover-dockerfiles.outputs.dockerfiles }}
-          trivy_vuln_enabled: 'true'
+          # Dockerfile discovery remains useful context for future container
+          # scanning support, but the current pre-built action image does not
+          # execute Trivy-backed scans.
+          verbose: 'true'
 ```
 
 **How it works:**
@@ -674,12 +691,19 @@ See [`action.yml`](../action.yml) for the complete list of inputs.
 - `trufflehog_show_unverified` — Show unverified secrets
 - `socket_tier_1_enabled` — Socket Tier 1 reachability
 
-**Container Scanning:**
+**Container Scanning (configuration surface):**
 - `container_images` — Comma-separated images to scan
 - `dockerfiles` — Comma-separated Dockerfiles to scan
 - `trivy_disabled_rules` — Trivy rules to disable
 - `trivy_vuln_enabled` — Enable vulnerability scanning
 
+> [!NOTE]
+> These inputs remain part of the action interface, but the current pre-built
+> GitHub Action path has Trivy-backed support temporarily disabled while we
+> complete additional security review of the underlying scanner dependency path.
+> Use the [native installation path](local-installation.md) if container scanning
+> is a near-term requirement.
+
 **Notifications (Enterprise Required):**
 - `slack_webhook_url` — Slack webhook
 - `jira_url`, `jira_email`, `jira_api_token`, `jira_project` — Jira config
@@ -734,8 +758,13 @@ permissions:
 **Problem:** Container image scanning fails.
 
 **Solutions:**
-1. Ensure Docker is available in runner
-2. For private images, add authentication:
+> [!NOTE]
+> The current pre-built GitHub Action path has Trivy-backed support temporarily
+> disabled while the underlying scanner dependency path remains under additional
+> security review. If container scanning is a near-term requirement, switch to a
+> native Trivy install in the workflow.
+
+1. For private images, add authentication:
 ```yaml
 - name: Login to Registry
   run: echo "${{ secrets.DOCKER_PASSWORD }}" | docker login -u "${{ secrets.DOCKER_USERNAME }}" --password-stdin