Description:
This update for trivy fixes the following issues:
Update to version 0.68.2:
* fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
* ci: enable `check-latest` for `setup-go` [backport: release/v0.68] (#9946)
Update to version 0.68.1 (boo#1251363, CVE-2025-47911,
boo#1251547, CVE-2025-58190, boo#1253512, CVE-2025-47913,
boo#1253786, CVE-2025-58181, boo#1253977, CVE-2025-47914):
* fix: update cosign settings for GoReleaser after bumping cosign to v3 (#9863)
* chore(deps): bump the testcontainers group with 2 updates (#9506)
* feat(aws): Add support for dualstack ECR endpoints (#9862)
* fix(vex): use a separate `visited` set for each DFS path (#9760)
* docs: catch some missed docs -> guide (#9850)
* refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
* chore(cli): Remove Trivy Cloud (#9847)
* fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
* fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
* chore(deps): bump the docker group with 3 updates (#9776)
* chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
* chore(deps): bump the common group across 1 directory with 20 updates (#9840)
* feat(image): add Sigstore bundle SBOM support (#9516)
* chore(deps): bump the aws group with 7 updates (#9691)
* test(k8s): update k8s integration test (#9725)
* chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
* feat(sbom): add support for SPDX attestations (#9829)
* docs(misconf): Remove duplicate sections (#9819)
* feat(misconf): Update Azure network schema for new checks (#9791)
* feat(misconf): Update AppService schema (#9792)
* fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
* feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
* docs: restructure docs for new hosting (#9799)
* docs(server): fix info about scanning licenses on the client side. (#9805)
* ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
* feat(report): add fingerprint generation for vulnerabilities (#9794)
* chore: trigger the trivy-www workflow (#9737)
* fix: update all documentation links (#9777)
* feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
* test(go): set `GOPATH` for tests (#9785)
* feat(flag): add `--cacert` flag (#9781)
* fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
* test(go): refactor mod_test.go to use txtar format (#9775)
* docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
* chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
* chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
* fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
* docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
* docs: change SecObserve URLs in documentation (#9771)
* feat(db): enable concurrent access to vulnerability database (#9750)
* feat(misconf): add agentpools to azure container schema (#9714)
* feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
* feat(misconf): Update Azure Compute schema (#9675)
* feat(misconf): Update azure storage schema (#9728)
* feat(misconf): Update SecurityCenter schema (#9674)
* feat(image): pass global context to docker/podman image save func (#9733)
* chore(deps): bump the github-actions group with 4 updates (#9739)
* fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
* feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
* feat(dotnet): add dependency graph support for .deps.json files (#9726)
* feat(misconf): Add support for configurable Rego error limit (#9657)
* feat(misconf): Add RoleAssignments attribute (#9396)
* feat(report): add image reference to report metadata (#9729)
* fix(os): Add photon 5.0 in supported OS (#9724)
* fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
* refactor: add case-insensitive string set implementation (#9720)
* feat: include registry and repository in artifact ID calculation (#9689)
* feat(java): add support remote repositories from settings.xml files (#9708)
* fix(sbom): don't panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
* docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
* docs: add info about `java-db` subdir (#9706)
* fix(report): correct field order in SARIF license results (#9712)
* test: improve golden file management in integration tests (#9699)
* ci: get base_sha using base.ref (#9704)
* refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
* fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
* fix: close all opened resources if an error occurs (#9665)
* refactor(misconf): type-safe parser results in generic scanner (#9685)
* feat(image): add RepoTags support for Docker archives (#9690)
* chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
* feat(misconf): Update Azure Container Schema (#9673)
* ci: use merge commit for apidiff to avoid false positives (#9622)
* feat(misconf): include map key in manifest snippet for diagnostics (#9681)
* refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
* test: update golden files for TestRepository* integration tests (#9684)
* refactor(cli): Update the cloud config command (#9676)
* fix(sbom): add `buildInfo` info as properties (#9683)
* feat: add ReportID field to scan reports (#9670)
* docs: add vulnerability database contribution guide (#9667)
* feat(cli): Add trivy cloud support (#9637)
* feat: add ArtifactID field to uniquely identify scan targets (#9663)
* fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
* feat(sbom): use SPDX license IDs list to validate SPDX IDs (#9569)
* fix: use context for analyzers (#9538)
* chore(deps): bump the docker group with 3 updates (#9545)
* chore(deps): bump the aws group with 6 updates (#9547)
* ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
* test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
* fix: Trim the end-of-range suffix (#9618)
* test(k8s): use a specific bundle for k8s misconfig scan (#9633)
* fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
* refactor: move the aws config (#9617)
* fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
* fix: using SrcVersion instead of Version for echo detector (#9552)
* feat(fs): change artifact type to repository when git info is detected (#9613)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
* fix(vex): don't use reused BOM (#9604)
* ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
* fix: restore compatibility for google.protobuf.Value (#9559)
* ci: add API diff workflow (#9600)
* chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
* docs: improve documentation for scanning raw IaC configurations (#9571)
* feat: allow ignoring findings by type in Rego (#9578)
* docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
* refactor(misconf): add ID to scan.Rule (#9573)
* fix(java): update order for resolving package fields from multiple demManagement (#9575)
* chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
* chore(deps): bump the common group across 1 directory with 7 updates (#9590)
* chore(deps): Switch to go-viper/mapstructure (#9579)
* chore: add context to the cache interface (#9565)
* ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
* fix: validate backport branch name (#9548)
Update to version 0.67.2 (boo#1250625, CVE-2025-11065,
boo#1248897, CVE-2025-58058):
* fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
* fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
* fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
* fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)
* fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
* fix(vex): don't suppress vulns for packages with infinity loop (#9465)
* fix(aws): use `BuildableClient` instead of `xhttp.Client` (#9436)
* refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and testing/fstest (#9282)
* docs: clarify inline ignore limitations for resource-less checks (#9537)
* fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
* fix(misconf): handle tofu files in module detection (#9486)
* feat(seal): add seal support (#9370)
* docs: fix modules path and update code example (#9539)
* fix: close file descriptors and pipes on error paths (#9536)
* feat: add documentation URL for database lock errors (#9531)
* fix(db): Download database when missing but metadata still exists (#9393)
* feat(cloudformation): support default values and list results in Fn::FindInMap (#9515)
* fix(misconf): unmark cty values before access (#9495)
* feat(cli): change --list-all-pkgs default to true (#9510)
* fix(nodejs): parse workspaces as objects for package-lock.json files (#9518)
* refactor(fs): use underlyingPath to determine virtual files more reliably (#9302)
* refactor: remove google/wire dependency and implement manual DI (#9509)
* chore(deps): bump the aws group with 6 updates (#9481)
* chore(deps): bump the common group across 1 directory with 24 updates (#9507)
* fix(misconf): wrap legacy ENV values in quotes to preserve spaces (#9497)
* docs: move info about `detection priority` into coverage section (#9469)
* feat(sbom): added support for CoreOS (#9448)
* fix(misconf): strip build metadata suffixes from image history (#9498)
* feat(cyclonedx): preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439)
* docs: Fix typo in terraform docs (#9492)
* feat(redhat): add os-release detection for RHEL-based images (#9458)
* ci(deps): add 3-day cooldown period for Dependabot updates (#9475)
* refactor: migrate from go-json-experiment to encoding/json/v2 (#9422)
* fix(vuln): compare `nuget` package names in lower case (#9456)
* chore: Update release flow to include chocolatey (#9460)
* docs: document eol supportability (#9434)
* docs(report): add nuances about secret/license scanner in summary table (#9442)
* ci: use environment variables in GitHub Actions for improved security (#9433)
* chore: bump Go to 1.24.7 (#9435)
* fix(nodejs): use snapshot string as `Package.ID` for pnpm packages (#9330)
* ci(helm): bump Trivy version to 0.66.0 for Trivy Helm Chart 0.18.0 (#9425)
- Fix version number shown for 'trivy -v'
Update to version 0.66.0 (boo#1248937, CVE-2025-58058):
* chore(deps): bump the aws group with 7 updates (#9419)
* refactor(secret): clarify secret scanner messages (#9409)
* fix(cyclonedx): handle multiple license types (#9378)
* fix(repo): sanitize git repo URL before inserting into report metadata (#9391)
* test: add HTTP basic authentication to git test server (#9407)
* fix(sbom): add support for `file` component type of `CycloneDX` (#9372)
* fix(misconf): ensure module source is known (#9404)
* ci: migrate GitHub Actions from version tags to SHA pinning (#9405)
* fix: create temp file under composite fs dir (#9387)
* chore(deps): bump github.com/ulikunitz/xz from 0.5.12 to 0.5.14 (#9403)
* refactor: switch to stable azcontainerregistry SDK package (#9319)
* chore(deps): bump the common group with 7 updates (#9382)
* refactor(misconf): migrate from custom Azure JSON parser (#9222)
* fix(repo): preserve RepoMetadata on FS cache hit (#9389)
* refactor(misconf): use atomic.Int32 (#9385)
* chore(deps): bump the aws group with 6 updates (#9383)
* docs: Fix broken link to "Built-in Checks" (#9375)
* fix(plugin): don't remove plugins when updating index.yaml file (#9358)
* fix: persistent flag option typo (#9374)
* chore(deps): bump the common group across 1 directory with 26 updates (#9347)
* fix(image): use standardized HTTP client for ECR authentication (#9322)
* refactor: export `systemFileFiltering` Post Handler (#9359)
* docs: update links to Semaphore pages (#9352)
* fix(conda): memory leak by adding closure method for `package.json` file (#9349)
* feat: add timeout handling for cache database operations (#9307)
* fix(misconf): use correct field log_bucket instead of target_bucket in gcp bucket (#9296)
* fix(misconf): ensure ignore rules respect subdirectory chart paths (#9324)
* chore(deps): bump alpine from 3.21.4 to 3.22.1 (#9301)
* feat(terraform): use .terraform cache for remote modules in plan scanning (#9277)
* chore: fix some function names in comment (#9314)
* chore(deps): bump the aws group with 7 updates (#9311)
* docs: add explanation for how to use non-system certificates (#9081)
* chore(deps): bump the github-actions group across 1 directory with 2 updates (#8962)
* fix(misconf): preserve original paths of remote submodules from .terraform (#9294)
* refactor(terraform): make Scan method of Terraform plan scanner private (#9272)
* fix: suppress debug log for context cancellation errors (#9298)
* feat(secret): implement streaming secret scanner with byte offset tracking (#9264)
* fix(python): improve package name normalization (#9290)
* feat(misconf): added audit config attribute (#9249)
* refactor(misconf): decouple input fs and track extracted files with fs references (#9281)
* test(misconf): remove BenchmarkCalculate using outdated check metadata (#9291)
* refactor: simplify Detect function signature (#9280)
* ci(helm): bump Trivy version to 0.65.0 for Trivy Helm Chart 0.17.0 (#9288)
* fix(fs): avoid shadowing errors in file.glob (#9286)
* test(misconf): move terraform scan tests to integration tests (#9271)
* test(misconf): drop gcp iam test covered by another case (#9285)
* chore(deps): bump to alpine from `3.21.3` to `3.21.4` (#9283)
Update to version 0.65.0:
* fix(cli): ensure correct command is picked by telemetry (#9260)
* feat(flag): add schema validation for `--server` flag (#9270)
* chore(deps): bump github.com/docker/docker from 28.3.2+incompatible to 28.3.3+incompatible (#9274)
* ci: skip undefined labels in discussion triage action (#9175)
* feat(repo): add git repository metadata to reports (#9252)
* fix(license): handle WITH operator for `LaxSplitLicenses` (#9232)
* chore: add modernize tool integration for code modernization (#9251)
* fix(secret): add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253)
* chore: implement process-safe temp file cleanup (#9241)
* fix: prevent graceful shutdown message on normal exit (#9244)
* fix(misconf): correctly parse empty port ranges in google_compute_firewall (#9237)
* feat: add graceful shutdown with signal handling (#9242)
* chore: update template URL for brew formula (#9221)
* test: add end-to-end testing framework with image scan and proxy tests (#9231)
* refactor(db): use `Getter` interface with `GetParams` for trivy-db sources (#9239)
* ci: specify repository for `gh cache delete` in canary workflow (#9240)
* ci: remove invalid `--confirm` flag from `gh cache delete` command in canary builds (#9236)
* fix(misconf): fix log bucket in schema (#9235)
* chore(deps): bump the common group across 1 directory with 24 updates (#9228)
* ci: move runner.os context from job-level env to step-level in canary workflow (#9233)
* chore(deps): bump up Trivy-kubernetes to v0.9.1 (#9214)
* feat(misconf): added logging and versioning to the gcp storage bucket (#9226)
* fix(server): add HTTP transport setup to server mode (#9217)
* chore: update the rpm download Update (#9202)
* feat(alma): add AlmaLinux 10 support (#9207)
* fix(nodejs): don't use prerelease logic for compare npm constraints (#9208)
* fix(rootio): fix severity selection (#9181)
* fix(sbom): merge in-graph and out-of-graph OS packages in scan results (#9194)
* fix(cli): panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206)
* fix(misconf): correctly adapt azure storage account (#9138)
* feat(misconf): add private ip google access attribute to subnetwork (#9199)
* feat(report): add CVSS vectors in sarif report (#9157)
* fix(terraform): `for_each` on a map returns a resource for every key (#9156)
* fix: supporting .egg-info/METADATA in python.Packaging analyzer (#9151)
* chore: migrate protoc setup from Docker to buf CLI (#9184)
* ci: delete cache after artifacts upload in canary workflow (#9177)
* refactor: remove aws flag helper message (#9080)
* ci: use gh pr view to get PR number for forked repositories in auto-ready workflow (#9183)
* ci: add auto-ready-for-review workflow (#9179)
* feat(image): add Docker context resolution (#9166)
* ci: optimize golangci-lint performance with cache-based strategy (#9173)
* feat: add HTTP request/response tracing support (#9125)
* fix(aws): update amazon linux 2 EOL date (#9176)
* chore: Update release workflow to trigger version updates (#9162)
* chore(deps): bump helm.sh/helm/v3 from 3.18.3 to 3.18.4 (#9164)
* fix: also check `filepath` when removing duplicate packages (#9142)
* chore: add debug log to show image source location (#9163)
* docs: add section on customizing default check data (#9114)
* chore(deps): bump the common group across 1 directory with 9 updates (#9153)
* docs: partners page content updates (#9149)
* chore(license): add missed spdx exceptions: (#9147)
* docs: trivy partners page updates (#9133)
* fix: migrate from `*.list` to `*.md5sums` files for `dpkg` (#9131)
* ci(helm): bump Trivy version to 0.64.1 for Trivy Helm Chart 0.16.1 (#9135)
* feat(sbom): add SHA-512 hash support for CycloneDX SBOM (#9126)
* fix(misconf): skip rewriting expr if attr is nil (#9113)
* fix(license): add missed `GFDL-NIV-1.1` and `GFDL-NIV-1.2` into Trivy mapping (#9116)
* fix(cli): Add more non-sensitive flags to telemetry (#9110)
* fix(alma): parse epochs from rpmqa file (#9101)
* fix(rootio): check full version to detect `root.io` packages (#9117)
* chore: drop FreeBSD 32-bit support (#9102)
* fix(sbom): use correct field for licenses in CycloneDX reports (#9057)
* fix(secret): fix line numbers for multiple-line secrets (#9104)
* feat(license): observe pkg types option in license scanner (#9091)
* ci(helm): bump Trivy version to 0.64.0 for Trivy Helm Chart 0.16.0 (#9107)
- Update to version 0.64.1 (boo#1243633, CVE-2025-47291,
boo#1246730, CVE-2025-46569):
- Update to version 0.62.1 (boo#1239225, CVE-2025-22868,
boo#1241724, CVE-2025-22872):
- Update to version 0.61.1 (boo#1239385, CVE-2025-22869,
boo#1240466, CVE-2025-30204):