I don’t think a year old base is bad. Unless there’s an absolutely devastating CVE in something like the network stack or a particular shared library, any vulnerabilities in it will probably be just privilege escalations that wouldn’t have any effect unless you were allowing people shell access to the container. Obviously, the application itself can have a vulnerability, but that would be the case regardless of base image.

Fair enough. I do think your goals are noble, so I hope you can find what you’re looking for.

I don’t think you’ll be able to find a project that doesn’t contain some code (like dependencies) hosted on GitHub.

I understand not wanting to use GitHub yourself, but not wanting to use a self-hosted software that is distributed through GitHub is kind of extreme.