chore(deps): update aquasec/trivy docker tag to v0.69.3

[renovate]

This PR contains the following updates:

Package	Update	Change
aquasec/trivy (source)	minor	0.62.1 → 0.69.3

---

Release Notes

aquasecurity/trivy (aquasec/trivy)

v0.69.3

Compare Source

Changelog

• 6fb20c8 release: v0.69.3 [release/v0.69] (#​10293)
• dabefec fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#​10291)

v0.69.2

Compare Source

Changelog

• cfa322e release: v0.69.2 [release/v0.69] (#​10266)
• 86debce fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#​10267)
• cf3d4cd fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#​10264)
• 6dfd3b0 ci: remove apidiff workflow

v0.69.1

Compare Source

v0.69.0

Compare Source

⚠ BREAKING CHANGES

• misconf: use ID instead of AVDID for providers mapping (#​9752)

Features

• activestate: add support ActiveState images (#​10081) (676709d)
• add AnalyzedBy field to track which analyzer detected packages (#​10059) (1953824)
• cloudformation: add support for Fn::ForEach (#​9508) (d65b504)
• debian: detect third-party packages using maintainer list (#​9917) (effc1c0)
• flag: add JSON Schema for trivy.yaml configuration file (#​9971) (4caf731)
• helm: add sslCertDir parameter (#​9697) (879e4fc)
• julia: enable vulnerability scanning for the Julia language ecosystem (#​9800) (c2f82ad)
• misconf: add action block to Terraform schema (#​10035) (b06ef6d)
• misconf: initial ansible scanning support (#​9332) (9275e15)
• misconf: support for ARM resources defined as an object (#​9959) (92d3465)
• misconf: support for azurerm_*_web_app (#​9944) (37b5da8)
• misconf: Update Azure Database schema (#​9811) (48dfede)
• misconf: use Terraform plan configuration to partially restore schema (#​9623) (5fced3a)
• nodejs: parse licenses from package-lock.json file (#​9983) (b64d5ad)
• php: add support for dev dependencies in Composer (#​9910) (56b59e8)
• report: add Trivy version to JSON output (#​10065) (fe7d20a)
• rocky: enable modular package vulnerability detection (#​10069) (31c4780)
• rootio: Update trivy db to support usage of Severity from root.io feed (#​9930) (d3096e7)
• sbom: exclude PEP 770 SBOMs in .dist-info/sboms/ (#​10033) (07ff788)
• secret: add detection for Symfony default secret key (#​9892) (34baef2)
• vex: support per-repo tls configuration (#​10030) (f809066)
• vuln: skip vulnerability scanning for third-party packages in Debian/Ubuntu (#​9932) (74819bf)

Bug Fixes

• docker: fix non-det scan results for images with embedded SBOM (#​9866) (7f71b57)
• go: use ldflags version for all pseudo-versions (#​10037) (3c0ab97)
• image: race condition in image artifact inspection (#​9966) (18acf4f)
• java: add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#​9880) (809db46)
• java: correctly inherit properties from parent fields for pom.xml files (#​9111) (2933b01)
• java: correctly propagate repositories from upper POMs to dependencies (#​10077) (b9415a3)
• license: normalize licenses for PostAnalyzers (#​9941) (11dd3fa)
• misconf: correct typos in block and attribute names (#​9993) (ac061f8)
• misconf: respect .yml files when Helm charts are detected (#​9912) (18ecf75)
• misconf: safely parse rotation_period in google_kms_crypto_key (#​9980) (a0ecc8e)
• move enum into items for array-type fields in JSON Schema (#​10039) (4e06c3d)
• remove trailing tab in statefulset template (#​9889) (9db123c)
• repo: return a nil interface for gitAuth if missing (#​10097) (036c05b)
• rust: add cargo workspace members glob support (#​10032) (d2dc46a)
• rust: implement version inheritance for Cargo mono repos (#​10011) (47d3103)
• secret: improve word boundary detection for Hugging Face tokens (#​10046) (cdb28ee)
• use canonical SPDX license IDs from embeded licenses.json (#​10053) (c233735)
• vex: add CVE-2025-66564 as not_affected into Trivy VEX file (#​9924) (335cc99)
• vuln: skip vulns detection for CentOS Stream family without scan failure (#​9964) (b46cde0)

Performance Improvements

• misconf: optimize string concatenation in azure scanner (#​9969) (10a50a7)

Code Refactoring

• misconf: use ID instead of AVDID for providers mapping (#​9752) (6462dc8)

v0.68.2

Compare Source

Changelog

• 0c40a8d release: v0.68.2 [release/v0.68] (#​9950)
• db28945 fix(deps): bump alpine from 3.22.1 to 3.23.0 [backport: release/v0.68] (#​9949)

v0.68.1

Compare Source

Bug Fixes

• update cosing settings for GoReleaser after bumping cosing to v3 (#​9863) (c7accc8)

v0.67.2

Compare Source

Changelog

• 60c57ad release: v0.67.2 [release/v0.67] (#​9639)
• f3ee80c fix: Use fetch-level: 1 to check out trivy-repo in the release workflow [backport: release/v0.67] (#​9638)

v0.67.1

Compare Source

Changelog

• cbed239 release: v0.67.1 [release/v0.67] (#​9614)
• 1a84093 fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#​9631)
• 3bc1490 fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#​9629)
• 542eee7 fix: add buildInfo for BlobInfo in rpc package [backport: release/v0.67] (#​9615)
• f65dd05 fix(vex): don't use reused BOM [backport: release/v0.67] (#​9612)

v0.67.0

Compare Source

Features

• add documentation URL for database lock errors (#​9531) (eba48af)
• cli: change --list-all-pkgs default to true (#​9510) (7b663d8)
• cloudformation: support default values and list results in Fn::FindInMap (#​9515) (42b3bf3)
• cyclonedx: preserve SBOM structure when scanning SBOM files with vulnerability updates (#​9439) (aff03eb)
• redhat: add os-release detection for RHEL-based images (#​9458) (cb25a07)
• sbom: added support for CoreOS (#​9448) (6d562a3)
• seal: add seal support (#​9370) (e4af279)

Bug Fixes

• aws: use BuildableClient insead of xhttp.Client (#​9436) (fa6f1bf)
• close file descriptors and pipes on error paths (#​9536) (a4cbd6a)
• db: Dowload database when missing but metadata still exists (#​9393) (92ebc7e)
• k8s: disable parallel traversal with fs cache for k8s images (#​9534) (c0c7a6b)
• misconf: handle tofu files in module detection (#​9486) (bfd2f6b)
• misconf: strip build metadata suffixes from image history (#​9498) (c938806)
• misconf: unmark cty values before access (#​9495) (8e40d27)
• misconf: wrap legacy ENV values in quotes to preserve spaces (#​9497) (267a970)
• nodejs: parse workspaces as objects for package-lock.json files (#​9518) (404abb3)
• nodejs: use snapshot string as Package.ID for pnpm packages (#​9330) (4517e8c)
• vex: don't suppress vulns for packages with infinity loop (#​9465) (78f0d4a)
• vuln: compare nuget package names in lower case (#​9456) (1ff9ac7)

v0.66.0

Compare Source

Features

• add timeout handling for cache database operations (#​9307) (235c24e)
• misconf: added audit config attribute (#​9249) (4d4a244)
• secret: implement streaming secret scanner with byte offset tracking (#​9264) (5a5e097)
• terraform: use .terraform cache for remote modules in plan scanning (#​9277) (298a994)

Bug Fixes

• conda: memory leak by adding closure method for package.json file (#​9349) (03d039f)
• create temp file under composite fs dir (#​9387) (ce22f54)
• cyclonedx: handle multiple license types (#​9378) (46ab76a)
• fs: avoid shadowing errors in file.glob (#​9286) (b51c789)
• image: use standardized HTTP client for ECR authentication (#​9322) (84fbf86)
• misconf: ensure ignore rules respect subdirectory chart paths (#​9324) (d3cd101)
• misconf: ensure module source is known (#​9404) (81d9425)
• misconf: preserve original paths of remote submodules from .terraform (#​9294) (1319d8d)
• misconf: use correct field log_bucket instead of target_bucket in gcp bucket (#​9296) (04ad0c4)
• persistent flag option typo (#​9374) (6e99dd3)
• plugin: don't remove plugins when updating index.yaml file (#​9358) (5f067ac)
• python: impove package name normalization (#​9290) (1473e88)
• repo: preserve RepoMetadata on FS cache hit (#​9389) (4f2a44e)
• repo: sanitize git repo URL before inserting into report metadata (#​9391) (1ac9b1f)
• sbom: add support for file component type of CycloneDX (#​9372) (aa7cf43)
• suppress debug log for context cancellation errors (#​9298) (2458d5e)

v0.65.0

Compare Source

Features

• add graceful shutdown with signal handling (#​9242) (2c05882)
• add HTTP request/response tracing support (#​9125) (aa5b32a)
• alma: add AlmaLinux 10 support (#​9207) (861d51e)
• flag: add schema validation for --server flag (#​9270) (ed4640e)
• image: add Docker context resolution (#​9166) (99cd4e7)
• license: observe pkg types option in license scanner (#​9091) (d44af8c)
• misconf: add private ip google access attribute to subnetwork (#​9199) (263845c)
• misconf: added logging and versioning to the gcp storage bucket (#​9226) (110f80e)
• repo: add git repository metadata to reports (#​9252) (f4b2cf1)
• report: add CVSS vectors in sarif report (#​9157) (60723e6)
• sbom: add SHA-512 hash support for CycloneDX SBOM (#​9126) (12d6706)

Bug Fixes

• alma: parse epochs from rpmqa file (#​9101) (82db2fc)
• also check filepath when removing duplicate packages (#​9142) (4d10a81)
• aws: update amazon linux 2 EOL date (#​9176) (0ecfed6)
• cli: Add more non-sensitive flags to telemetry (#​9110) (7041a39)
• cli: ensure correct command is picked by telemetry (#​9260) (b4ad00f)
• cli: panic: attempt to get os.Args[1] when len(os.Args) < 2 (#​9206) (adfa879)
• license: add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping (#​9116) (a692f29)
• license: handle WITH operator for LaxSplitLicenses (#​9232) (b4193d0)
• migrate from *.list to *.md5sums files for dpkg (#​9131) (f224de3)
• misconf: correctly adapt azure storage account (#​9138) (51aa022)
• misconf: correctly parse empty port ranges in google_compute_firewall (#​9237) (77bab7b)
• misconf: fix log bucket in schema (#​9235) (7ebc129)
• misconf: skip rewriting expr if attr is nil (#​9113) (42ccd3d)
• nodejs: don't use prerelease logic for compare npm constraints (#​9208) (fe96436)
• prevent graceful shutdown message on normal exit (#​9244) (6095984)
• rootio: check full version to detect root.io packages (#​9117) (c2ddd44)
• rootio: fix severity selection (#​9181) (6fafbeb)
• sbom: merge in-graph and out-of-graph OS packages in scan results (#​9194) (aa944cc)
• sbom: use correct field for licenses in CycloneDX reports (#​9057) (143da88)
• secret: add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#​9253) (54832a7)
• secret: fix line numbers for multiple-line secrets (#​9104) (e579746)
• server: add HTTP transport setup to server mode (#​9217) (1163b04)
• supporting .egg-info/METADATA in python.Packaging analyzer (#​9151) (e306e2d)
• terraform: for_each on a map returns a resource for every key (#​9156) (153318f)

v0.64.1

Compare Source

Changelog

• 86ee3c1 release: v0.64.1 [release/v0.64] (#​9122)
• 4e12722 fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#​9127)
• 9a7d384 fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#​9124)
• 53adfba fix(rootio): check full version to detect root.io packages [backport: release/v0.64] (#​9120)
• 8cf1bf9 fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#​9119)

v0.64.0

Compare Source

Features

• cli: add version constraints to annoucements (#​9023) (19efa9f)
• java: dereference all maven settings.xml env placeholders (#​9024) (5aade69)
• misconf: add OpenTofu file extension support (#​8747) (57801d0)
• misconf: normalize CreatedBy for buildah and legacy docker builder (#​8953) (65e155f)
• redhat: Add EOL date for RHEL 10. (#​8910) (48258a7)
• reject unsupported artifact types in remote image retrieval (#​9052) (1e1e1b5)
• sbom: add manufacturer field to CycloneDX tools metadata (#​9019) (41d0f94)
• terraform: add partial evaluation for policy templates (#​8967) (a9f7dcd)
• ubuntu: add end of life date for Ubuntu 25.04 (#​9077) (367564a)
• ubuntu: add eol date for 20.04-ESM (#​8981) (87118a0)
• vuln: add Root.io support for container image scanning (#​9073) (3a0ec0f)

Bug Fixes

• Add missing version check flags (#​8951) (ef5f8de)
• cli: add some values to the telemetry call (#​9056) (fd2bc91)
• Correctly check for semver versions for trivy version check (#​8948) (b813527)
• don't show corrupted trivy-db warning for first run (#​8991) (4ed78e3)
• misconf: .Config.User always takes precedence over USER in .History (#​9050) (371b8cc)
• misconf: correct Azure value-to-time conversion in AsTimeValue (#​9015) (40d017b)
• misconf: move disabled checks filtering after analyzer scan (#​9002) (a58c36d)
• misconf: reduce log noise on incompatible check (#​9029) (99c5151)
• nodejs: correctly parse packages array of bun.lock file (#​8998) (875ec3a)
• report: don't panic when report contains vulns, but doesn't contain packages for table format (#​8549) (87fda76)
• sbom: remove unnecessary OS detection check in SBOM decoding (#​9034) (198789a)

v0.63.0

Compare Source

Features

• add Bottlerocket OS package analyzer (#​8653) (07ef63b)
• add JSONC support for comments and trailing commas (#​8862) (0b0e406)
• alpine: add maintainer field extraction for APK packages (#​8930) (104bbc1)
• cli: Add available version checking (#​8553) (5a0bf9e)
• echo: Add Echo Support (#​8833) (c7b8cc3)
• go: support license scanning in both GOPATH and vendor (#​8843) (26437be)
• k8s: get components from namespaced resources (#​8918) (4f1ab23)
• license: improve work text licenses with custom classification (#​8888) (ee52230)
• license: improve work with custom classification of licenses from config file (#​8861) (c321fdf)
• license: scan vendor directory for license for go.mod files (#​8689) (dd6a6e5)
• license: Support compound licenses (licenses using SPDX operators) (#​8816) (39f9ed1)
• minimos: Add support for MinimOS (#​8792) (c2dde33)
• misconf: add misconfiguration location to junit template (#​8793) (a516775)
• misconf: Add support for Minimum Trivy Version (#​8880) (3b2a397)
• misconf: export raw Terraform data to Rego (#​8741) (aaecc29)
• nodejs: add a bun.lock analyzer (#​8897) (7ca656d)
• nodejs: add bun.lock parser (#​8851) (1dcf816)
• terraform parser option to set current working directory (#​8909) (8939451)

Bug Fixes

• check post-analyzers for StaticPaths (#​8904) (93e6680)
• cli: disable --skip-dir and --skip-files flags for sbom command (#​8886) (69a5fa1)
• cli: don't use allow values for --compliance flag (#​8881) (35e8889)
• filter all files when processing files installed from package managers (#​8842) (6ebde88)
• java: exclude dev dependencies in gradle lockfile (#​8803) (8995838)
• julia parser panicing (#​8883) (be8c7b7)
• julia: add Relationship field support (#​8939) (22f040f)
• k8s: use in-memory cache backend during misconfig scanning (#​8873) (fe12771)
• misconf: check if for-each is known when expanding dyn block (#​8808) (5706603)
• misconf: use argument value in WithIncludeDeprecatedChecks (#​8942) (7e9a54c)
• more revive rules (#​8814) (3ab459e)
• octalLiteral from go-critic (#​8811) (a19e0aa)
• redhat: Also try to find buildinfo in root layer (layer 0) (#​8924) (906b037)
• redhat: save contentSets for OS packages in fs/vm modes (#​8820) (9256804)
• redhat: trim invalid suffix from content_sets in manifest parsing (#​8818) (fa1077b)
• server: add missed Relationship field for rpc (#​8872) (38f17c9)
• use-any from revive (#​8810) (883c63b)
• vex: use lo.IsNil to check VEX from OCI artifact (#​8858) (e97af98)
• wolfi: support new APK database location (#​8937) (b15d9a6)

Performance Improvements

• secret: only match secrets of meaningful length, allow example strings to not be matched (#​8602) (60fef1b)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.