chore(deps): update aquasec/trivy docker tag to v0.69.3 (alauda-v0.33.1) - abandoned

[alaudaa-renovate]

This PR contains the following updates:

Package	Type	Update	Change
aquasec/trivy (source)	final	minor	0.62.1 -> 0.69.3

---

Release Notes

aquasecurity/trivy (aquasec/trivy)

v0.69.3

Compare Source

Changelog

• 6fb20c8 release: v0.69.3 [release/v0.69] (#​10293)
• dabefec fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#​10291)

v0.69.2

Compare Source

Changelog

• cfa322e release: v0.69.2 [release/v0.69] (#​10266)
• 86debce fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#​10267)
• cf3d4cd fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#​10264)
• 6dfd3b0 ci: remove apidiff workflow

v0.69.1

Compare Source

v0.69.0

Compare Source

⚠ BREAKING CHANGES

• misconf: use ID instead of AVDID for providers mapping (#​9752)

Features

• activestate: add support ActiveState images (#​10081) (676709d)
• add AnalyzedBy field to track which analyzer detected packages (#​10059) (1953824)
• cloudformation: add support for Fn::ForEach (#​9508) (d65b504)
• debian: detect third-party packages using maintainer list (#​9917) (effc1c0)
• flag: add JSON Schema for trivy.yaml configuration file (#​9971) (4caf731)
• helm: add sslCertDir parameter (#​9697) (879e4fc)
• julia: enable vulnerability scanning for the Julia language ecosystem (#​9800) (c2f82ad)
• misconf: add action block to Terraform schema (#​10035) (b06ef6d)
• misconf: initial ansible scanning support (#​9332) (9275e15)
• misconf: support for ARM resources defined as an object (#​9959) (92d3465)
• misconf: support for azurerm_*_web_app (#​9944) (37b5da8)
• misconf: Update Azure Database schema (#​9811) (48dfede)
• misconf: use Terraform plan configuration to partially restore schema (#​9623) (5fced3a)
• nodejs: parse licenses from package-lock.json file (#​9983) (b64d5ad)
• php: add support for dev dependencies in Composer (#​9910) (56b59e8)
• report: add Trivy version to JSON output (#​10065) (fe7d20a)
• rocky: enable modular package vulnerability detection (#​10069) (31c4780)
• rootio: Update trivy db to support usage of Severity from root.io feed (#​9930) (d3096e7)
• sbom: exclude PEP 770 SBOMs in .dist-info/sboms/ (#​10033) (07ff788)
• secret: add detection for Symfony default secret key (#​9892) (34baef2)
• vex: support per-repo tls configuration (#​10030) (f809066)
• vuln: skip vulnerability scanning for third-party packages in Debian/Ubuntu (#​9932) (74819bf)

Bug Fixes

• docker: fix non-det scan results for images with embedded SBOM (#​9866) (7f71b57)
• go: use ldflags version for all pseudo-versions (#​10037) (3c0ab97)
• image: race condition in image artifact inspection (#​9966) (18acf4f)
• java: add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#​9880) (809db46)
• java: correctly inherit properties from parent fields for pom.xml files (#​9111) (2933b01)
• java: correctly propagate repositories from upper POMs to dependencies (#​10077) (b9415a3)
• license: normalize licenses for PostAnalyzers (#​9941) (11dd3fa)
• misconf: correct typos in block and attribute names (#​9993) (ac061f8)
• misconf: respect .yml files when Helm charts are detected (#​9912) (18ecf75)
• misconf: safely parse rotation_period in google_kms_crypto_key (#​9980) (a0ecc8e)
• move enum into items for array-type fields in JSON Schema (#​10039) (4e06c3d)
• remove trailing tab in statefulset template (#​9889) (9db123c)
• repo: return a nil interface for gitAuth if missing (#​10097) (036c05b)
• rust: add cargo workspace members glob support (#​10032) (d2dc46a)
• rust: implement version inheritance for Cargo mono repos (#​10011) (47d3103)
• secret: improve word boundary detection for Hugging Face tokens (#​10046) (cdb28ee)
• use canonical SPDX license IDs from embedded licenses.json (#​10053) (c233735)
• vex: add CVE-2025-66564 as not_affected into Trivy VEX file (#​9924) (335cc99)
• vuln: skip vulns detection for CentOS Stream family without scan failure (#​9964) (b46cde0)

Performance Improvements

• misconf: optimize string concatenation in azure scanner (#​9969) (10a50a7)

Code Refactoring

• misconf: use ID instead of AVDID for providers mapping (#​9752) (6462dc8)

v0.68.2

Compare Source

v0.68.1

Compare Source

Bug Fixes

• update cosing settings for GoReleaser after bumping cosing to v3 (#​9863) (c7accc8)

v0.67.2

Compare Source

v0.67.1

Compare Source

v0.67.0

Compare Source

Features

• add documentation URL for database lock errors (#​9531) (eba48af)
• cli: change --list-all-pkgs default to true (#​9510) (7b663d8)
• cloudformation: support default values and list results in Fn::FindInMap (#​9515) (42b3bf3)
• cyclonedx: preserve SBOM structure when scanning SBOM files with vulnerability updates (#​9439) (aff03eb)
• redhat: add os-release detection for RHEL-based images (#​9458) (cb25a07)
• sbom: added support for CoreOS (#​9448) (6d562a3)
• seal: add seal support (#​9370) (e4af279)

Bug Fixes

• aws: use BuildableClient instead of xhttp.Client (#​9436) (fa6f1bf)
• close file descriptors and pipes on error paths (#​9536) (a4cbd6a)
• db: Download database when missing but metadata still exists (#​9393) (92ebc7e)
• k8s: disable parallel traversal with fs cache for k8s images (#​9534) (c0c7a6b)
• misconf: handle tofu files in module detection (#​9486) (bfd2f6b)
• misconf: strip build metadata suffixes from image history (#​9498) (c938806)
• misconf: unmark cty values before access (#​9495) (8e40d27)
• misconf: wrap legacy ENV values in quotes to preserve spaces (#​9497) (267a970)
• nodejs: parse workspaces as objects for package-lock.json files (#​9518) (404abb3)
• nodejs: use snapshot string as Package.ID for pnpm packages (#​9330) (4517e8c)
• vex: don't suppress vulns for packages with infinity loop (#​9465) (78f0d4a)
• vuln: compare nuget package names in lower case (#​9456) (1ff9ac7)

v0.66.0

Compare Source

Features

• add timeout handling for cache database operations (#​9307) (235c24e)
• misconf: added audit config attribute (#​9249) (4d4a244)
• secret: implement streaming secret scanner with byte offset tracking (#​9264) (5a5e097)
• terraform: use .terraform cache for remote modules in plan scanning (#​9277) (298a994)

Bug Fixes

• conda: memory leak by adding closure method for package.json file (#​9349) (03d039f)
• create temp file under composite fs dir (#​9387) (ce22f54)
• cyclonedx: handle multiple license types (#​9378) (46ab76a)
• fs: avoid shadowing errors in file.glob (#​9286) (b51c789)
• image: use standardized HTTP client for ECR authentication (#​9322) (84fbf86)
• misconf: ensure ignore rules respect subdirectory chart paths (#​9324) (d3cd101)
• misconf: ensure module source is known (#​9404) (81d9425)
• misconf: preserve original paths of remote submodules from .terraform (#​9294) (1319d8d)
• misconf: use correct field log_bucket instead of target_bucket in gcp bucket (#​9296) (04ad0c4)
• persistent flag option typo (#​9374) (6e99dd3)
• plugin: don't remove plugins when updating index.yaml file (#​9358) (5f067ac)
• python: improve package name normalization (#​9290) (1473e88)
• repo: preserve RepoMetadata on FS cache hit (#​9389) (4f2a44e)
• repo: sanitize git repo URL before inserting into report metadata (#​9391) (1ac9b1f)
• sbom: add support for file component type of CycloneDX (#​9372) (aa7cf43)
• suppress debug log for context cancellation errors (#​9298) (2458d5e)

v0.65.0

Compare Source

Features

• add graceful shutdown with signal handling (#​9242) (2c05882)
• add HTTP request/response tracing support (#​9125) (aa5b32a)
• alma: add AlmaLinux 10 support (#​9207) (861d51e)
• flag: add schema validation for --server flag (#​9270) (ed4640e)
• image: add Docker context resolution (#​9166) (99cd4e7)
• license: observe pkg types option in license scanner (#​9091) (d44af8c)
• misconf: add private ip google access attribute to subnetwork (#​9199) (263845c)
• misconf: added logging and versioning to the gcp storage bucket (#​9226) (110f80e)
• repo: add git repository metadata to reports (#​9252) (f4b2cf1)
• report: add CVSS vectors in sarif report (#​9157) (60723e6)
• sbom: add SHA-512 hash support for CycloneDX SBOM (#​9126) (12d6706)

Bug Fixes

• alma: parse epochs from rpmqa file (#​9101) (82db2fc)
• also check filepath when removing duplicate packages (#​9142) (4d10a81)
• aws: update amazon linux 2 EOL date (#​9176) (0ecfed6)
• cli: Add more non-sensitive flags to telemetry (#​9110) (7041a39)
• cli: ensure correct command is picked by telemetry (#​9260) (b4ad00f)
• cli: panic: attempt to get os.Args[1] when len(os.Args) < 2 (#​9206) (adfa879)
• license: add missed GFDL-NIV-1.1 and GFDL-NIV-1.2 into Trivy mapping (#​9116) (a692f29)
• license: handle WITH operator for LaxSplitLicenses (#​9232) (b4193d0)
• migrate from *.list to *.md5sums files for dpkg (#​9131) (f224de3)
• misconf: correctly adapt azure storage account (#​9138) (51aa022)
• misconf: correctly parse empty port ranges in google_compute_firewall (#​9237) (77bab7b)
• misconf: fix log bucket in schema (#​9235) (7ebc129)
• misconf: skip rewriting expr if attr is nil (#​9113) (42ccd3d)
• nodejs: don't use prerelease logic for compare npm constraints (#​9208) (fe96436)
• prevent graceful shutdown message on normal exit (#​9244) (6095984)
• rootio: check full version to detect root.io packages (#​9117) (c2ddd44)
• rootio: fix severity selection (#​9181) (6fafbeb)
• sbom: merge in-graph and out-of-graph OS packages in scan results (#​9194) (aa944cc)
• sbom: use correct field for licenses in CycloneDX reports (#​9057) (143da88)
• secret: add UTF-8 validation in secret scanner to prevent protobuf marshalling errors (#​9253) (54832a7)
• secret: fix line numbers for multiple-line secrets (#​9104) (e579746)
• server: add HTTP transport setup to server mode (#​9217) (1163b04)
• supporting .egg-info/METADATA in python.Packaging analyzer (#​9151) (e306e2d)
• terraform: for_each on a map returns a resource for every key (#​9156) (153318f)

v0.64.1

Compare Source

v0.64.0

Compare Source

Features

• cli: add version constraints to announcements (#​9023) (19efa9f)
• java: dereference all maven settings.xml env placeholders (#​9024) (5aade69)
• misconf: add OpenTofu file extension support (#​8747) (57801d0)
• misconf: normalize CreatedBy for buildah and legacy docker builder (#​8953) (65e155f)
• redhat: Add EOL date for RHEL 10. (#​8910) (48258a7)
• reject unsupported artifact types in remote image retrieval (#​9052) (1e1e1b5)
• sbom: add manufacturer field to CycloneDX tools metadata (#​9019) (41d0f94)
• terraform: add partial evaluation for policy templates (#​8967) (a9f7dcd)
• ubuntu: add end of life date for Ubuntu 25.04 (#​9077) (367564a)
• ubuntu: add eol date for 20.04-ESM (#​8981) (87118a0)
• vuln: add Root.io support for container image scanning (#​9073) (3a0ec0f)

Bug Fixes

• Add missing version check flags (#​8951) (ef5f8de)
• cli: add some values to the telemetry call (#​9056) (fd2bc91)
• Correctly check for semver versions for trivy version check (#​8948) (b813527)
• don't show corrupted trivy-db warning for first run (#​8991) (4ed78e3)
• misconf: .Config.User always takes precedence over USER in .History (#​9050) (371b8cc)
• misconf: correct Azure value-to-time conversion in AsTimeValue (#​9015) (40d017b)
• misconf: move disabled checks filtering after analyzer scan (#​9002) (a58c36d)
• misconf: reduce log noise on incompatible check (#​9029) (99c5151)
• nodejs: correctly parse packages array of bun.lock file (#​8998) (875ec3a)
• report: don't panic when report contains vulns, but doesn't contain packages for table format (#​8549) (87fda76)
• sbom: remove unnecessary OS detection check in SBOM decoding (#​9034) (198789a)

v0.63.0

Compare Source

Features

• add Bottlerocket OS package analyzer (#​8653) (07ef63b)
• add JSONC support for comments and trailing commas (#​8862) (0b0e406)
• alpine: add maintainer field extraction for APK packages (#​8930) (104bbc1)
• cli: Add available version checking (#​8553) (5a0bf9e)
• echo: Add Echo Support (#​8833) (c7b8cc3)
• go: support license scanning in both GOPATH and vendor (#​8843) (26437be)
• k8s: get components from namespaced resources (#​8918) (4f1ab23)
• license: improve work text licenses with custom classification (#​8888) (ee52230)
• license: improve work with custom classification of licenses from config file (#​8861) (c321fdf)
• license: scan vendor directory for license for go.mod files (#​8689) (dd6a6e5)
• license: Support compound licenses (licenses using SPDX operators) (#​8816) (39f9ed1)
• minimos: Add support for MinimOS (#​8792) (c2dde33)
• misconf: add misconfiguration location to junit template (#​8793) (a516775)
• misconf: Add support for Minimum Trivy Version (#​8880) (3b2a397)
• misconf: export raw Terraform data to Rego (#​8741) (aaecc29)
• nodejs: add a bun.lock analyzer (#​8897) (7ca656d)
• nodejs: add bun.lock parser (#​8851) (1dcf816)
• terraform parser option to set current working directory (#​8909) (8939451)

Bug Fixes

• check post-analyzers for StaticPaths (#​8904) (93e6680)
• cli: disable --skip-dir and --skip-files flags for sbom command (#​8886) (69a5fa1)
• cli: don't use allow values for --compliance flag (#​8881) (35e8889)
• filter all files when processing files installed from package managers (#​8842) (6ebde88)
• java: exclude dev dependencies in gradle lockfile (#​8803) (8995838)
• julia parser panicking (#​8883) (be8c7b7)
• julia: add Relationship field support (#​8939) (22f040f)
• k8s: use in-memory cache backend during misconfig scanning (#​8873) (fe12771)
• misconf: check if for-each is known when expanding dyn block (#​8808) (5706603)
• misconf: use argument value in WithIncludeDeprecatedChecks (#​8942) (7e9a54c)
• more revive rules (#​8814) (3ab459e)
• octalLiteral from go-critic (#​8811) (a19e0aa)
• redhat: Also try to find buildinfo in root layer (layer 0) (#​8924) (906b037)
• redhat: save contentSets for OS packages in fs/vm modes (#​8820) (9256804)
• redhat: trim invalid suffix from content_sets in manifest parsing (#​8818) (fa1077b)
• server: add missed Relationship field for rpc (#​8872) (38f17c9)
• use-any from revive (#​8810) (883c63b)
• vex: use lo.IsNil to check VEX from OCI artifact (#​8858) (e97af98)
• wolfi: support new APK database location (#​8937) (b15d9a6)

Performance Improvements

• secret: only match secrets of meaningful length, allow example strings to not be matched (#​8602) (60fef1b)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alaudabot]

🤖 AI Code Review

Property	Value
Model	opencode/minimax-m2.5-free
Style	strict
Issues Found	0
Config Source	centralized
Profile	❌ Not Found
Personalized Prompt	❌ No
Prompt Path	.github/review/profiles/alaudadevops/harbor-scanner-trivy/pr-review.md
Alauda Skills	✅ base-sample-email-draft, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-sample-code-review, connectors-explore, connectors-poc-case, connectors-review, connectors-unit-test, connectors-write-user-docs, devops-autodns, devops-bulk-string-replace, devops-candidate-version-supervisor, devops-docker-keyword-analysis, devops-gen-advanced-form-descriptors, devops-go-vuln-fix, devops-knowledge-adoption, devops-refresh-alauda-tags, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-update-containerfile-digests, devops-upgrade-go
Reviewed at	2026-04-17 05:36:23 UTC

---

Summary

This PR is a straightforward dependency update that upgrades the Trivy Docker image version from 0.62.1 to 0.69.3 across both Dockerfile and Dockerfile.dev. Changes follow proper conventions by updating the version via ARG at the top of each file. The release notes indicate this is a minor version upgrade with bug fixes and new features, including no breaking changes that would affect this scanner.

Review Statistics

Category	Count
Critical Issues	0
Warnings	0
Suggestions	0
Files Reviewed	2

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

None identified.

Warnings

Issues that SHOULD be addressed but are not blocking

None identified.

Suggestions

Recommendations for improvement (nice to have)

• The PR title indicates "abandoned" but the state is still OPEN. Consider closing the PR if the changes are no longer needed.

Positive Feedback

• Proper use of ARG at the top of Dockerfile for version management
• Consistent version update across both Dockerfile and Dockerfile.dev
• Changes follow minimal diff principle - only version strings changed

---

---

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

• Shared prompt: .github/prompts/code-review.md
• Config source: centralized
• Profile path: Not Found
• Profile ref: 70116bce40f93e28716196a4b479fec1049b7950
• No repository-specific prompt configured
• Alauda skills: base-sample-email-draft, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-sample-code-review, connectors-explore, connectors-poc-case, connectors-review, connectors-unit-test, connectors-write-user-docs, devops-autodns, devops-bulk-string-replace, devops-candidate-version-supervisor, devops-docker-keyword-analysis, devops-gen-advanced-form-descriptors, devops-go-vuln-fix, devops-knowledge-adoption, devops-refresh-alauda-tags, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-update-containerfile-digests, devops-upgrade-go

[alaudaa-renovate]

Autoclosing Skipped

This PR has been flagged for autoclosing. However, it is being skipped due to the branch being already modified. Please close/delete it manually or report a bug if you think this is in error.

[alaudabot]

🚨 Stale Pull Request Warning

This pull request has been inactive for 31 days.

Automated Actions Schedule:

• ⚠️ Warning: After 30 days (now)
• 🔒 Auto-close: After 60 days
• 🗑️ Branch deletion: After 90 days (if not protected)

To keep this PR active:

• Add new commits
• Reply to this comment
• Request reviews

Protected branches (won't be deleted): main,release-*,alauda-*

This is an automated message. Reply to this comment to reset the inactivity timer.