Update aquasec/trivy Docker tag to v0.70.0

[alaudaa-renovate]

This PR contains the following updates:

Package	Type	Update	Change
aquasec/trivy (source)	final	minor	0.67.2 -> 0.70.0

---

Warning

Some dependencies could not be looked up. Check the Dependency Dashboard for more information.

---

Release Notes

aquasecurity/trivy (aquasec/trivy)

v0.70.0

Compare Source

Features

• go: detect version from ELF symbol table for binaries built with -trimpath (#​10197) (7acb5f6)
• java: add support for proxy configuration from Maven settings.xml (#​10187) (350fe33)
• misconf: adapt ARM k8s clusters (#​9696) (#​10125) (66bdec4)
• misconf: resolve Azure resources via resource_id (#​10173) (823f363)
• misconf: support for azurerm_network_interface_security_group_association (#​10215) (da94d5f)
• python: add pylock.toml (PEP 751) parser (#​9632) (1a72b32)
• python: add pylock.toml support (#​10137) (d0a3f63)
• server: include server version info in JSON output for client/server mode (#​10075) (4c46d41)
• ubuntu: add eol data for 25.10 (#​10181) (2c1f65b)
• vuln: skip third-party packages in common Detect function (#​10129) (d6e6331)

Bug Fixes

• cyclonedx: include CVSS v4 vulnerability ratings (#​10313) (2a4dfbf)
• detected vulnerability fields in azure and mariner detector (#​10275) (77f5cb5)
• flag: validate template file extension (#​10296) (20458b8)
• handle Go 1.26 GOEXPERIMENT version format change (#​10351) (f207ec6)
• java: Disable overwriting exclusions (#​10088) (9a3e0a8)
• misconf: apply check aliases when filtering results via .trivyignore (#​10112) (b775a1b)
• misconf: initialize custom annotation field if empty (#​10123) (0f0d6db)
• python: handle multiple version specifiers in requirements.txt (#​10361) (4cf4498)
• python: nil pointer dereference with optional poetry groups without dependencies (#​10359) (12ab3ce)
• remove os.Stdout from wazero module config (#​10403) (bda9710)
• report: set correct sarif ROOTPATH uri when scanning a git repository (#​10366) (e5da6de)
• sbom: add NOASSERTION for licenseDeclared/licenseConcluded in SPDX non-library packages (#​10368) (33b9d8e)
• sbom: preserve Red Hat BuildInfo when scanning SBOMs without layer info (#​10378) (e9e9e8c)
• server: exclude JavaDB and CheckBundle from /version endpoint (#​10100) (b9a8d2d)
• update PhotonOS feed URL (#​10122) (fa195b4)
• use Development category for GoReleaser discussions (#​10530) (7ee3e1e)

Performance Improvements

• plugin: optimize directory traversal by replacing filepath.Walk with filepath.WalkDir (#​10325) (d7fb355)

v0.69.3

Compare Source

Changelog

• 6fb20c8 release: v0.69.3 [release/v0.69] (#​10293)
• dabefec fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#​10291)

v0.69.2

Compare Source

Changelog

• cfa322e release: v0.69.2 [release/v0.69] (#​10266)
• 86debce fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#​10267)
• cf3d4cd fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#​10264)
• 6dfd3b0 ci: remove apidiff workflow

v0.69.1

Compare Source

v0.69.0

Compare Source

⚠ BREAKING CHANGES

• misconf: use ID instead of AVDID for providers mapping (#​9752)

Features

• activestate: add support ActiveState images (#​10081) (676709d)
• add AnalyzedBy field to track which analyzer detected packages (#​10059) (1953824)
• cloudformation: add support for Fn::ForEach (#​9508) (d65b504)
• debian: detect third-party packages using maintainer list (#​9917) (effc1c0)
• flag: add JSON Schema for trivy.yaml configuration file (#​9971) (4caf731)
• helm: add sslCertDir parameter (#​9697) (879e4fc)
• julia: enable vulnerability scanning for the Julia language ecosystem (#​9800) (c2f82ad)
• misconf: add action block to Terraform schema (#​10035) (b06ef6d)
• misconf: initial ansible scanning support (#​9332) (9275e15)
• misconf: support for ARM resources defined as an object (#​9959) (92d3465)
• misconf: support for azurerm_*_web_app (#​9944) (37b5da8)
• misconf: Update Azure Database schema (#​9811) (48dfede)
• misconf: use Terraform plan configuration to partially restore schema (#​9623) (5fced3a)
• nodejs: parse licenses from package-lock.json file (#​9983) (b64d5ad)
• php: add support for dev dependencies in Composer (#​9910) (56b59e8)
• report: add Trivy version to JSON output (#​10065) (fe7d20a)
• rocky: enable modular package vulnerability detection (#​10069) (31c4780)
• rootio: Update trivy db to support usage of Severity from root.io feed (#​9930) (d3096e7)
• sbom: exclude PEP 770 SBOMs in .dist-info/sboms/ (#​10033) (07ff788)
• secret: add detection for Symfony default secret key (#​9892) (34baef2)
• vex: support per-repo tls configuration (#​10030) (f809066)
• vuln: skip vulnerability scanning for third-party packages in Debian/Ubuntu (#​9932) (74819bf)

Bug Fixes

• docker: fix non-det scan results for images with embedded SBOM (#​9866) (7f71b57)
• go: use ldflags version for all pseudo-versions (#​10037) (3c0ab97)
• image: race condition in image artifact inspection (#​9966) (18acf4f)
• java: add hash of GAV+root pom file path for pkgID for packages from pom.xml files (#​9880) (809db46)
• java: correctly inherit properties from parent fields for pom.xml files (#​9111) (2933b01)
• java: correctly propagate repositories from upper POMs to dependencies (#​10077) (b9415a3)
• license: normalize licenses for PostAnalyzers (#​9941) (11dd3fa)
• misconf: correct typos in block and attribute names (#​9993) (ac061f8)
• misconf: respect .yml files when Helm charts are detected (#​9912) (18ecf75)
• misconf: safely parse rotation_period in google_kms_crypto_key (#​9980) (a0ecc8e)
• move enum into items for array-type fields in JSON Schema (#​10039) (4e06c3d)
• remove trailing tab in statefulset template (#​9889) (9db123c)
• repo: return a nil interface for gitAuth if missing (#​10097) (036c05b)
• rust: add cargo workspace members glob support (#​10032) (d2dc46a)
• rust: implement version inheritance for Cargo mono repos (#​10011) (47d3103)
• secret: improve word boundary detection for Hugging Face tokens (#​10046) (cdb28ee)
• use canonical SPDX license IDs from embedded licenses.json (#​10053) (c233735)
• vex: add CVE-2025-66564 as not_affected into Trivy VEX file (#​9924) (335cc99)
• vuln: skip vulns detection for CentOS Stream family without scan failure (#​9964) (b46cde0)

Performance Improvements

• misconf: optimize string concatenation in azure scanner (#​9969) (10a50a7)

Code Refactoring

• misconf: use ID instead of AVDID for providers mapping (#​9752) (6462dc8)

v0.68.2

Compare Source

v0.68.1

Compare Source

Bug Fixes

• update cosing settings for GoReleaser after bumping cosing to v3 (#​9863) (c7accc8)

---

Configuration

📅 Schedule: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR has been generated by Renovate Bot.

[alaudabot]

🤖 AI Code Review

Property	Value
Model	opencode/minimax-m2.5-free
Style	strict
Issues Found	0
Config Source	centralized
Profile	❌ Not Found
Personalized Prompt	❌ No
Prompt Path	.github/review/profiles/alaudadevops/harbor-scanner-trivy/pr-review.md
Alauda Skills	✅ base-authoring, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-publish-errata, builders-story-split, devops-autodns, devops-bulk-string-replace, devops-candidate-version-supervisor, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-write-user-docs, devops-docker-keyword-analysis, devops-gen-advanced-form-descriptors, devops-go-vuln-fix, devops-knowledge-adoption, devops-refresh-alauda-tags, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-update-containerfile-digests, devops-upgrade-go
Reviewed at	2026-04-19 04:22:29 UTC

---

Summary

This PR updates the Trivy Docker image version from v0.67.2 to v0.70.0 in both Dockerfile and Dockerfile.dev. The changes are straightforward version bumps performed by Renovate Bot. The update includes security fixes and new features from the Trivy release notes.

Review Statistics

Category	Count
Critical Issues	0
Warnings	0
Suggestions	1
Files Reviewed	2

Critical Issues

Issues that MUST be addressed before merging (security, bugs, breaking changes)

(None)

Warnings

Issues that SHOULD be addressed but are not blocking

(None)

Suggestions

Recommendations for improvement (nice to have)

• [Dockerfile:2] Consider adding a comment noting the minimum supported Trivy version for this project to help future maintainers understand version constraints.

Positive Feedback

• The version update is consistent across both Dockerfile and Dockerfile.dev
• Using the official aquasec/trivy image from a known registry
• The ARG pattern follows Docker best practices for build-time variables
• Update includes security fixes from v0.69.x and v0.70.0 releases

---

---

ℹ️ About this review

This review was automatically generated using the run-actions workflow.

• Shared prompt: .github/prompts/code-review.md
• Config source: centralized
• Profile path: Not Found
• Profile ref: 70116bce40f93e28716196a4b479fec1049b7950
• No repository-specific prompt configured
• Alauda skills: base-authoring, base-skill-setup, builders-component-knowledge, builders-confluence, builders-jira, builders-publish-errata, builders-story-split, devops-autodns, devops-bulk-string-replace, devops-candidate-version-supervisor, devops-connectors-explore, devops-connectors-poc-case, devops-connectors-review, devops-connectors-unit-test, devops-connectors-write-user-docs, devops-docker-keyword-analysis, devops-gen-advanced-form-descriptors, devops-go-vuln-fix, devops-knowledge-adoption, devops-refresh-alauda-tags, devops-sync-alauda-github-releases, devops-tekton-dynamic-form-optimizer, devops-tekton-operator-task-e2e, devops-tekton-task-generator, devops-tekton-task-overview-template, devops-tekton-task-version-upgrade, devops-tekton-upgrade-notes, devops-tool-report-troubleshoot, devops-ui-e2e-code-audit, devops-ui-e2e-fix-base-on-report, devops-ui-e2e-regression-and-fix, devops-ui-generate-e2e-from-feature, devops-ui-pre-setup, devops-update-containerfile-digests, devops-upgrade-go

[alaudabot]

Suggestion (style/documentation): Consider tracking Trivy EOL dates to proactively update before versions become unsupported. Current v0.67.2 → v0.69.3 jump includes v0.69.0 with a breaking change in misconfiguration provider IDs.

[alaudabot]

Suggestion (style/documentation): Same as Dockerfile - consider EOL tracking for Trivy versions.

[alaudabot]

Suggestion (docs/missing): Consider verifying that v0.70.0 works correctly with the scanner. The v0.69.0 breaking change (ID instead of AVDID for providers mapping in misconf) affects configuration scanning, but this scanner primarily uses vulnerability scanning via the image subcommand. A quick integration test would confirm compatibility.

[alaudabot]

Suggestion (style/documentation): Same as Dockerfile - consider verifying v0.70.0 compatibility via integration test.

[alaudaa-renovate]

Edited/Blocked Notification

Renovate will not automatically rebase this PR, because it does not recognize the last commit author and assumes somebody else may have edited the PR.

You can manually request rebase by checking the rebase/retry box above.

⚠️ Warning: custom changes will be lost.

[alaudabot]

🚨 Stale Pull Request Warning

This pull request has been inactive for 32 days.

Automated Actions Schedule:

• ⚠️ Warning: After 30 days (now)
• 🔒 Auto-close: After 60 days
• 🗑️ Branch deletion: After 90 days (if not protected)

To keep this PR active:

• Add new commits
• Reply to this comment
• Request reviews

Protected branches (won't be deleted): main,release-*,alauda-*

This is an automated message. Reply to this comment to reset the inactivity timer.