🌱 Update Builder Image group #1572

syself-bot · 2025-04-01T11:03:24Z

This PR contains the following updates:

Package	Type	Update	Change
adrienverge/yamllint		minor	`v1.36.2` -> `v1.37.1`
docker.io/aquasec/trivy (source)	stage	minor	`0.60.0` -> `0.67.2`
docker.io/hadolint/hadolint	stage	minor	`v2.12.0-alpine` -> `v2.14.0-alpine`
docker.io/library/alpine	stage	minor	`3.21.3` -> `3.22.2`
docker.io/library/golang	final	patch	`1.24.5-bullseye` -> `1.24.6-bullseye`
golangci/golangci-lint		major	`v1.64.8` -> `v2.5.0`
helm/helm		minor	`v3.18.6` -> `v3.19.0`

Release Notes

adrienverge/yamllint (adrienverge/yamllint)

`v1.37.1`

Compare Source

`v1.37.0`

Compare Source

aquasecurity/trivy (docker.io/aquasec/trivy)

`v0.67.2`

Compare Source

Changelog

60c57ad release: v0.67.2 [release/v0.67] (#9639)
f3ee80c fix: Use fetch-level: 1 to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)

`v0.67.1`

Compare Source

Changelog

cbed239 release: v0.67.1 [release/v0.67] (#9614)
1a84093 fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
3bc1490 fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
542eee7 fix: add buildInfo for BlobInfo in rpc package [backport: release/v0.67] (#9615)
f65dd05 fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)

`v0.67.0`

Compare Source

Features

add documentation URL for database lock errors (#9531) (eba48af)
cli: change --list-all-pkgs default to true (#9510) (7b663d8)
cloudformation: support default values and list results in Fn::FindInMap (#9515) (42b3bf3)
cyclonedx: preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439) (aff03eb)
redhat: add os-release detection for RHEL-based images (#9458) (cb25a07)
sbom: added support for CoreOS (#9448) (6d562a3)
seal: add seal support (#9370) (e4af279)

Bug Fixes

aws: use BuildableClient insead of xhttp.Client (#9436) (fa6f1bf)
close file descriptors and pipes on error paths (#9536) (a4cbd6a)
db: Dowload database when missing but metadata still exists (#9393) (92ebc7e)
k8s: disable parallel traversal with fs cache for k8s images (#9534) (c0c7a6b)
misconf: handle tofu files in module detection (#9486) (bfd2f6b)
misconf: strip build metadata suffixes from image history (#9498) (c938806)
misconf: unmark cty values before access (#9495) (8e40d27)
misconf: wrap legacy ENV values in quotes to preserve spaces (#9497) (267a970)
nodejs: parse workspaces as objects for package-lock.json files (#9518) (404abb3)
nodejs: use snapshot string as Package.ID for pnpm packages (#9330) (4517e8c)
vex: don't suppress vulns for packages with infinity loop (#9465) (78f0d4a)
vuln: compare nuget package names in lower case (#9456) (1ff9ac7)

`v0.66.0`

Compare Source

Features

add timeout handling for cache database operations (#9307) (235c24e)
misconf: added audit config attribute (#9249) (4d4a244)
secret: implement streaming secret scanner with byte offset tracking (#9264) (5a5e097)
terraform: use .terraform cache for remote modules in plan scanning (#9277) (298a994)

Bug Fixes

conda: memory leak by adding closure method for package.json file (#9349) (03d039f)
create temp file under composite fs dir (#9387) (ce22f54)
cyclonedx: handle multiple license types (#9378) (46ab76a)
fs: avoid shadowing errors in file.glob (#9286) (b51c789)
image: use standardized HTTP client for ECR authentication (#9322) (84fbf86)
misconf: ensure ignore rules respect subdirectory chart paths (#9324) (d3cd101)
misconf: ensure module source is known (#9404) (81d9425)
misconf: preserve original paths of remote submodules from .terraform (#9294) (1319d8d)
misconf: use correct field log_bucket instead of target_bucket in gcp bucket (#9296) (04ad0c4)
persistent flag option typo (#9374) (6e99dd3)
plugin: don't remove plugins when updating index.yaml file (#9358) (5f067ac)
python: impove package name normalization (#9290) (1473e88)
repo: preserve RepoMetadata on FS cache hit (#9389) (4f2a44e)
repo: sanitize git repo URL before inserting into report metadata (#9391) (1ac9b1f)
sbom: add support for file component type of CycloneDX (#9372) (aa7cf43)
suppress debug log for context cancellation errors (#9298) (2458d5e)

`v0.65.0`

Compare Source

Features

add graceful shutdown with signal handling (#9242) (2c05882)
add HTTP request/response tracing support (#9125) (aa5b32a)
alma: add AlmaLinux 10 support (#9207) (861d51e)
flag: add schema validation for --server flag (#9270) (ed4640e)
image: add Docker context resolution (#9166) (99cd4e7)
license: observe pkg types option in license scanner (#9091) (d44af8c)
misconf: add private ip google access attribute to subnetwork (#9199) (263845c)
misconf: added logging and versioning to the gcp storage bucket (#9226) (110f80e)
repo: add git repository metadata to reports (#9252) (f4b2cf1)
report: add CVSS vectors in sarif report (#9157) (60723e6)
sbom: add SHA-512 hash support for CycloneDX SBOM (#9126) (12d6706)

Bug Fixes

alma: parse epochs from rpmqa file (#9101) (82db2fc)
also check filepath when removing duplicate packages (#9142) (4d10a81)
aws: update amazon linux 2 EOL date (#9176) (0ecfed6)
cli: Add more non-sensitive flags to telemetry (#9110) (7041a39)
cli: ensure correct command is picked by telemetry (#9260) (b4ad00f)
cli: panic: attempt to get os.Args[1] when len(os.Args) < 2 (#9206) (adfa879)
license: add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping (#9116) (a692f29)
license: handle WITH operator for LaxSplitLicenses (#9232) (b4193d0)
migrate from *.list to *.md5sums files for dpkg (#9131) (f224de3)
misconf: correctly adapt azure storage account (#9138) (51aa022)
misconf: correctly parse empty port ranges in google_compute_firewall (#9237) (77bab7b)
misconf: fix log bucket in schema (#9235) (7ebc129)
misconf: skip rewriting expr if attr is nil (#9113) (42ccd3d)
nodejs: don't use prerelease logic for compare npm constraints (#9208) (fe96436)
prevent graceful shutdown message on normal exit (#9244) (6095984)
rootio: check full version to detect root.io packages (#9117) (c2ddd44)
rootio: fix severity selection (#9181) (6fafbeb)
sbom: merge in-graph and out-of-graph OS packages in scan results (#9194) (aa944cc)
sbom: use correct field for licenses in CycloneDX reports (#9057) (143da88)
secret: add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#9253) (54832a7)
secret: fix line numbers for multiple-line secrets (#9104) (e579746)
server: add HTTP transport setup to server mode (#9217) (1163b04)
supporting .egg-info/METADATA in python.Packaging analyzer (#9151) (e306e2d)
terraform: for_each on a map returns a resource for every key (#9156) (153318f)

`v0.64.1`

Compare Source

Changelog

86ee3c1 release: v0.64.1 [release/v0.64] (#9122)
4e12722 fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
9a7d384 fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
53adfba fix(rootio): check full version to detect root.io packages [backport: release/v0.64] (#9120)
8cf1bf9 fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)

`v0.64.0`

Compare Source

Features

cli: add version constraints to annoucements (#9023) (19efa9f)
java: dereference all maven settings.xml env placeholders (#9024) (5aade69)
misconf: add OpenTofu file extension support (#8747) (57801d0)
misconf: normalize CreatedBy for buildah and legacy docker builder (#8953) (65e155f)
redhat: Add EOL date for RHEL 10. (#8910) (48258a7)
reject unsupported artifact types in remote image retrieval (#9052) (1e1e1b5)
sbom: add manufacturer field to CycloneDX tools metadata (#9019) (41d0f94)
terraform: add partial evaluation for policy templates (#8967) (a9f7dcd)
ubuntu: add end of life date for Ubuntu 25.04 (#9077) (367564a)
ubuntu: add eol date for 20.04-ESM (#8981) (87118a0)
vuln: add Root.io support for container image scanning (#9073) (3a0ec0f)

Bug Fixes

Add missing version check flags (#8951) (ef5f8de)
cli: add some values to the telemetry call (#9056) (fd2bc91)
Correctly check for semver versions for trivy version check (#8948) (b813527)
don't show corrupted trivy-db warning for first run (#8991) (4ed78e3)
misconf: .Config.User always takes precedence over USER in .History (#9050) (371b8cc)
misconf: correct Azure value-to-time conversion in AsTimeValue (#9015) (40d017b)
misconf: move disabled checks filtering after analyzer scan (#9002) (a58c36d)
misconf: reduce log noise on incompatible check (#9029) (99c5151)
nodejs: correctly parse packages array of bun.lock file (#8998) (875ec3a)
report: don't panic when report contains vulns, but doesn't contain packages for table format (#8549) (87fda76)
sbom: remove unnecessary OS detection check in SBOM decoding (#9034) (198789a)

`v0.63.0`

Compare Source

Features

add Bottlerocket OS package analyzer (#8653) (07ef63b)
add JSONC support for comments and trailing commas (#8862) (0b0e406)
alpine: add maintainer field extraction for APK packages (#8930) (104bbc1)
cli: Add available version checking (#8553) (5a0bf9e)
echo: Add Echo Support (#8833) (c7b8cc3)
go: support license scanning in both GOPATH and vendor (#8843) (26437be)
k8s: get components from namespaced resources (#8918) (4f1ab23)
license: improve work text licenses with custom classification (#8888) (ee52230)
license: improve work with custom classification of licenses from config file (#8861) (c321fdf)
license: scan vendor directory for license for go.mod files (#8689) (dd6a6e5)
license: Support compound licenses (licenses using SPDX operators) (#8816) (39f9ed1)
minimos: Add support for MinimOS (#8792) (c2dde33)
misconf: add misconfiguration location to junit template (#8793) (a516775)
misconf: Add support for Minimum Trivy Version (#8880) (3b2a397)
misconf: export raw Terraform data to Rego (#8741) (aaecc29)
nodejs: add a bun.lock analyzer (#8897) (7ca656d)
nodejs: add bun.lock parser (#8851) (1dcf816)
terraform parser option to set current working directory (#8909) (8939451)

Bug Fixes

check post-analyzers for StaticPaths (#8904) (93e6680)
cli: disable --skip-dir and --skip-files flags for sbom command (#8886) (69a5fa1)
cli: don't use allow values for --compliance flag (#8881) (35e8889)
filter all files when processing files installed from package managers (#8842) (6ebde88)
java: exclude dev dependencies in gradle lockfile (#8803) (8995838)
julia parser panicing (#8883) (be8c7b7)
julia: add Relationship field support (#8939) (22f040f)
k8s: use in-memory cache backend during misconfig scanning (#8873) (fe12771)
misconf: check if for-each is known when expanding dyn block (#8808) (5706603)
misconf: use argument value in WithIncludeDeprecatedChecks (#8942) (7e9a54c)
more revive rules (#8814) (3ab459e)
octalLiteral from go-critic (#8811) (a19e0aa)
redhat: Also try to find buildinfo in root layer (layer 0) (#8924) (906b037)
redhat: save contentSets for OS packages in fs/vm modes (#8820) (9256804)
redhat: trim invalid suffix from content_sets in manifest parsing (#8818) (fa1077b)
server: add missed Relationship field for rpc (#8872) (38f17c9)
use-any from revive (#8810) (883c63b)
vex: use lo.IsNil to check VEX from OCI artifact (#8858) (e97af98)
wolfi: support new APK database location (#8937) (b15d9a6)

Performance Improvements

secret: only match secrets of meaningful length, allow example strings to not be matched (#8602) (60fef1b)

`v0.62.1`

Compare Source

Changelog

c75ed21 release: v0.62.1 [release/v0.62] (#8825)
aafebeb chore(deps): bump the common group across 1 directory with 10 updates [backport: release/v0.62] (#8831)
99485cf fix(misconf): check if for-each is known when expanding dyn block [backport: release/v0.62] (#8826)
b4fc9e8 fix(redhat): trim invalid suffix from content_sets in manifest parsing [backport: release/v0.62] (#8824)

`v0.62.0`

Compare Source

Features

image: save layers metadata into report (#8394) (a95cab0)
misconf: add option to pass Rego scanner to IaC scanner (#8369) (890a360)
misconf: convert AWS managed policy to document (#8757) (7abf5f0)
misconf: support auto_provisioning_defaults in google_container_cluster (#8705) (9792611)
nodejs: add root and workspace for yarn packages (#8535) (bf4cd4f)
rust: add root and workspace relationships/package for cargo lock files (#8676) (93efe07)

Bug Fixes

early-return, indent-error-flow and superfluous-else rules from revive (#8796) (43350dd)
k8s: correct compare artifact versions (#8682) (cc47711)
k8s: remove using last-applied-configuration (#8791) (7a58ccb)
k8s: skip passed misconfigs for the summary report (#8684) (bff0e9b)
misconf: add missing variable as unknown (#8683) (9dcd06f)
misconf: check if metadata is not nil (#8647) (b7dfd64)
misconf: filter null nodes when parsing json manifest (#8785) (e10929a)
misconf: perform operations on attribute safely (#8774) (3ce7d59)
misconf: populate context correctly for module instances (#8656) (efd177b)
report: clean buffer after flushing (#8725) (9a5383e)
secret: ignore .dist-info directories during secret scanning (#8646) (a032ad6)
server: fix redis key when trying to delete blob (#8649) (36f8d0f)
terraform: evaluateStep to correctly set EvalContext for multiple instances of blocks (#8555) (e25de25)
terraform: hcl object expressions to return references (#8271) (0d3efa5)
testifylint last issues (#8768) (ee4f7dc)
unused-parameter rule from revive (#8794) (6562082)

`v0.61.1`

Compare Source

Changelog

7d3b4ff release: v0.61.1 [release/v0.61] (#8704)
80d120f fix(k8s): skip passed misconfigs for the summary report [backport: release/v0.61] (#8748)
9d6290b fix(k8s): correct compare artifact versions [backport: release/v0.61] (#8699)
3799ebb test: use aquasecurity repository for test images [backport: release/v0.61] (#8698)

`v0.61.0`

Compare Source

Features

fs: optimize scanning performance by direct file access for known paths (#8525) (8bf6caf)
k8s: add support for controllers (#8614) (1bf0117)
misconf: adapt aws_default_security_group (#8538) (b57eccb)
misconf: adapt aws_opensearch_domain (#8550) (9913465)
misconf: adapt AWS::DynamoDB::Table (#8529) (8112cdf)
misconf: adapt AWS::EC2::VPC (#8534) (0d9865f)
misconf: Add support for aws_ami (#8499) (573502e)
replace TinyGo with standard Go for WebAssembly modules (#8496) (529957e)

Bug Fixes

debian: don't include empty licenses for dpkgs (#8623) (346f5b3)
fs: check postAnalyzers for StaticPaths (#8543) (c228307)
k8s: show report for --report all (#8613) (dbb6f28)
misconf: add ephemeral block type to config schema (#8513) (41512f8)
misconf: Check values wholly prior to evalution (#8604) (ad58cf4)
misconf: do not skip loading documents from subdirectories (#8526) (de7eb13)
misconf: do not use cty.NilVal for non-nil values (#8567) (400a79c)
misconf: identify the chart file exactly by name (#8590) (ba77dbe)
misconf: Improve logging for unsupported checks (#8634) (5b7704d)
misconf: set default values for AWS::EKS::Cluster.ResourcesVpcConfig (#8548) (1f05b45)
misconf: skip Azure CreateUiDefinition (#8503) (c7814f1)
spdx: save text licenses into otherLicenses without normalize (#8502) (e5072f1)
use --file-patterns flag for all post analyzers (#7365) (8b88238)

Performance Improvements

misconf: parse input for Rego once (#8483) (0e5e909)
misconf: retrieve check metadata from annotations once (#8478) (7b96351)

hadolint/hadolint (docker.io/hadolint/hadolint)

Configuration

📅 Schedule: Branch creation - "on the first day of the month" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

👻 Immortal: This PR will be recreated if closed unmerged. Get config help if that's undesired.

If you want to rebase/retry this PR, check this box

| datasource | package | from | to | | ----------- | --------------------------- | ------- | ------- | | github-tags | adrienverge/yamllint | v1.36.2 | v1.37.1 | | docker | docker.io/aquasec/trivy | 0.60.0 | 0.67.2 | | docker | docker.io/hadolint/hadolint | v2.12.0 | v2.14.0 | | docker | docker.io/library/alpine | 3.21.3 | 3.22.2 | | docker | docker.io/library/golang | 1.24.5 | 1.24.6 | | github-tags | golangci/golangci-lint | v1.64.8 | v2.5.0 | | github-tags | helm/helm | v3.18.6 | v3.19.0 |

syself-bot bot added type/major type/minor update/container size/XS Denotes a PR that changes 0-20 lines, ignoring generated files. area/github Changes made in the github directory labels Apr 1, 2025

syself-bot bot force-pushed the renovate/caph-builder-image branch 3 times, most recently from 8fd09a5 to 22fdd92 Compare April 18, 2025 11:03

syself-bot bot force-pushed the renovate/caph-builder-image branch 2 times, most recently from d95fde7 to 23ff29a Compare May 1, 2025 11:03

syself-bot bot force-pushed the renovate/caph-builder-image branch 3 times, most recently from 5f1de23 to 027f1d7 Compare May 7, 2025 11:03

syself-bot bot force-pushed the renovate/caph-builder-image branch 2 times, most recently from e92f5b0 to 6d7b2be Compare May 31, 2025 11:03

github-actions bot added size/S Denotes a PR that changes 20-50 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-20 lines, ignoring generated files. labels May 31, 2025

syself-bot bot force-pushed the renovate/caph-builder-image branch 4 times, most recently from da47999 to a3dd0af Compare July 4, 2025 11:03

syself-bot bot force-pushed the renovate/caph-builder-image branch 2 times, most recently from 1a7a724 to 6db9a56 Compare July 16, 2025 11:03

syself-bot bot force-pushed the renovate/caph-builder-image branch from 6db9a56 to 8857bf8 Compare July 22, 2025 11:04

syself-bot bot force-pushed the renovate/caph-builder-image branch 2 times, most recently from 3fa17cb to 2a68080 Compare August 1, 2025 11:05

github-actions bot added size/XS Denotes a PR that changes 0-20 lines, ignoring generated files. and removed size/S Denotes a PR that changes 20-50 lines, ignoring generated files. labels Aug 1, 2025

syself-bot bot force-pushed the renovate/caph-builder-image branch 2 times, most recently from 2e7cb04 to bfa8118 Compare August 7, 2025 11:04

github-actions bot added size/S Denotes a PR that changes 20-50 lines, ignoring generated files. and removed size/XS Denotes a PR that changes 0-20 lines, ignoring generated files. labels Aug 7, 2025

syself-bot bot force-pushed the renovate/caph-builder-image branch 2 times, most recently from 220981e to b1f2510 Compare August 14, 2025 11:04

syself-bot bot force-pushed the renovate/caph-builder-image branch from b1f2510 to 23c54ec Compare September 3, 2025 11:04

syself-bot bot force-pushed the renovate/caph-builder-image branch 3 times, most recently from 558e5d7 to fb6c385 Compare September 22, 2025 11:04

syself-bot bot force-pushed the renovate/caph-builder-image branch from fb6c385 to 36688a4 Compare September 30, 2025 11:04

syself-bot bot force-pushed the renovate/caph-builder-image branch 2 times, most recently from 3f8695a to 1ad3df5 Compare October 10, 2025 11:05

syself-bot bot force-pushed the renovate/caph-builder-image branch from 1ad3df5 to e332925 Compare October 11, 2025 11:04

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

🌱 Update Builder Image group #1572

🌱 Update Builder Image group #1572

Uh oh!

syself-bot bot commented Apr 1, 2025 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

🌱 Update Builder Image group #1572

Are you sure you want to change the base?

🌱 Update Builder Image group #1572

Uh oh!

Conversation

syself-bot bot commented Apr 1, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Release Notes

Changelog

Changelog

Features

Bug Fixes

Features

Bug Fixes

Features

Bug Fixes

Changelog

Features

Bug Fixes

Features

Bug Fixes

Performance Improvements

Changelog

Features

Bug Fixes

Changelog

Features

Bug Fixes

Performance Improvements

What's Changed

New Contributors

What's Changed

Configuration

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

0 participants

syself-bot bot commented Apr 1, 2025 •

edited

Loading