I am trying to create a private Debian package repository.
I will be using GitHub to store my Debian packages (nginx, python).
I want to run vulnerability scanning on my package repository.
I tried to check tools like Qualys, but it seems that they run CVE or vulnerability scans on VMs or container images, not on the central repository.
My question is: can I scan my central Debian package repository for CVEs or other vulnerabilities before making the packages available to my users directly, or will I have to launch a VM or container with all of the packages available in my central repository, perform CVE scanning, and then update my repository accordingly if a patch or new version is available?
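Added example, not code from the question or from any tool it mentions: a Python script that reads the repository's own `Packages` index (the metadata an apt client downloads) and compares each package version against an advisory list using dpkg's version ordering, which is what scanning the repository metadata directly, without installing anything into a VM, amounts to. The index contents, advisory IDs and fixed versions below are constructed placeholders; a real run would feed in the repository's `Packages` file and an advisory feed such as the Debian security tracker data.

```python
import re
def _order(c):
    # dpkg character weight: '~' sorts before everything, even end-of-string
    return -1 if c == "~" else 0 if c.isdigit() else ord(c) if c.isalpha() else ord(c) + 256
def _verrevcmp(a, b):
    # dpkg comparison of one component (upstream version or Debian revision)
    i = j = 0
    while i < len(a) or j < len(b):
        while (i < len(a) and not a[i].isdigit()) or (j < len(b) and not b[j].isdigit()):
            ac, bc = (_order(a[i]) if i < len(a) else 0), (_order(b[j]) if j < len(b) else 0)
            if ac != bc:
                return ac - bc
            i, j = i + 1, j + 1
        ma, mb = re.match(r"0*(\d*)", a[i:]), re.match(r"0*(\d*)", b[j:])
        i, j = i + ma.end(), j + mb.end()
        na, nb = int(ma[1] or 0), int(mb[1] or 0)  # numeric runs compared as integers
        if na != nb:
            return -1 if na < nb else 1
    return 0
def deb_version_cmp(v1, v2):
    # <0, 0 or >0 like `dpkg --compare-versions` for [epoch:]upstream[-revision]
    def split(v):
        epoch, _, rest = v.partition(":") if ":" in v else ("0", "", v)
        upstream, _, rev = rest.rpartition("-") if "-" in rest else (rest, "", "")
        return int(epoch), upstream, rev
    (e1, u1, r1), (e2, u2, r2) = split(v1), split(v2)
    if e1 != e2:
        return -1 if e1 < e2 else 1
    return _verrevcmp(u1, u2) or _verrevcmp(r1, r2)
def parse_packages_index(text):
    # yield (Package, Version) from each RFC822-style stanza of a Packages file
    for stanza in re.split(r"\n\s*\n", text.strip()):
        fields = {}
        for line in stanza.splitlines():
            if not line[:1].isspace():  # indented lines continue the previous field
                key, _, value = line.partition(":")
                fields[key.strip()] = value.strip()
        if "Package" in fields and "Version" in fields:
            yield fields["Package"], fields["Version"]
def find_vulnerable(index_text, advisories):
    # (package, version, advisory, fixed_in) for every entry older than its fix
    return [(n, v, adv, fix) for n, v in parse_packages_index(index_text)
            for adv, fix in advisories.get(n, []) if deb_version_cmp(v, fix) < 0]

# Constructed sample data: a two-stanza Packages index and placeholder advisory IDs
SAMPLE_INDEX = ("Package: nginx\nVersion: 1.22.1-9\nDescription: web server\n"
                " indented continuation line\n\nPackage: python3.11\nVersion: 3.11.2-6+deb12u3\n")
SAMPLE_ADVISORIES = {"nginx": [("DSA-PLACEHOLDER-1", "1.22.1-9+deb12u1")],
                     "python3.11": [("DSA-PLACEHOLDER-2", "3.11.2-6+deb12u3")]}
```

`find_vulnerable(SAMPLE_INDEX, SAMPLE_ADVISORIES)` flags only nginx, because its revision `9` sorts below `9+deb12u1` under dpkg rules while the python3.11 entry already carries the fixed version.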