Bump scanner pins + base to clear Go stdlib CVEs #8
Merged
…B target)
After v0.2.1 cleared the 4 structural Docker Scout warnings (Scout grade
moved F -> E), the remaining warnings ("High-profile vulnerabilities
found", "Fixable critical or high vulnerabilities found") were entirely
CVEs inside the pinned scanner binaries' embedded Go stdlibs.
Used `docker scout cves --only-fixed --format only-packages` to find them.
The big offenders were old Go stdlibs (1.23.x — multiple criticals + 15+
highs) baked into the binaries pinned in the previous Dockerfile.
Bumped each scanner to the most recent upstream release so we pull
binaries built against current Go toolchains:
osv-scanner 1.9.2 -> 2.3.8 (stdlib 1.26.2, was 1.23.x)
gitleaks 8.21.2 -> 8.30.1 (stdlib 1.24.11)
trivy 0.70.0 -> 0.71.0 (stdlib 1.26.3 — clean)
trufflehog 3.95.3 -> 3.95.5 (stdlib 1.25.10)
semgrep 1.97.0 -> 1.164.0 (pip-installed; transitive deps fresh)
Base image:
python:3.12-slim -> python:3.14-slim
(Scout suggested this — -2M; alpine would shave another 1C+4H but means
swapping libc and is too disruptive for the marginal gain since the
remaining critical is from gitleaks anyway.)
pip / wheel / setuptools upgraded together in a single layer so the older
wheel 0.45.1 bundled by ensurepip doesn't linger alongside the new one.
Verified each binary works at the new version after the bump:
osv-scanner 2.3.8, gitleaks 8.30.1, trivy 0.71.0,
trufflehog 3.95.5, syft 1.44.0, semgrep 1.164.0
All scanners still launch; non-root user still uid=1000(scanner);
221 tests still pass; multi-arch publish dry-run still clean.
Known residual: gitleaks 8.30.1 embeds Go 1.24.11 which carries
CVE-2025-68121 (fixed in Go 1.24.13+). gitleaks 8.30.1 is the latest
upstream release; rebuild has to come from gitleaks. Documented in the
manifest changelog so the skill surfaces it on the upgrade prompt.
Version bumped 0.2.1 -> 0.2.2.
Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Pull request overview
Updates the container base image and pinned scanner tool versions to reduce/clear CVEs (primarily those stemming from embedded Go stdlib versions inside bundled scanner binaries), and bumps the project release to 0.2.2.
Changes:
- Bumped pinned scanner versions (osv-scanner, gitleaks, semgrep, trivy, trufflehog) in the Docker image.
- Updated the Docker base image to `python:3.14-slim` and adjusted the semgrep install step to upgrade pip tooling together.
- Bumped the project version to `0.2.2` and recorded the release in the manifest changelog.
Reviewed changes
Copilot reviewed 4 out of 4 changed files in this pull request and generated 2 comments.
| File | Description |
|---|---|
| SECURITY-SCAN-MANIFEST.yaml | Bumps manifest version and adds a 0.2.2 changelog entry describing the CVE-related upgrades. |
| security_scan/__init__.py | Updates __version__ to 0.2.2. |
| pyproject.toml | Updates [project].version to 0.2.2. |
| Dockerfile | Bumps base image and scanner pins; adjusts semgrep/pip toolchain installation. |
| # One-liners for the upgrade prompt the skill shows users. | ||
| changelog: | ||
| - "0.2.2: CVE cleanup — bumped scanner pins (osv-scanner 2.3.8, gitleaks 8.30.1, trivy 0.71.0, trufflehog 3.95.5, semgrep 1.164.0) so each embeds a current Go stdlib; base bumped python:3.13-slim → python:3.14-slim; pip/wheel/setuptools upgraded together. Residual high-impact CVE (CVE-2025-68121 in Go 1.24.11) is inside gitleaks 8.30.1 — fix is upstream." |
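Review bot: The changelog entry says the base moved from python:3.13-slim to python:3.14-slim, but the PR description states the previous base was python:3.12-slim, so one of the two starting versions is wrong. Since this one-liner is what the skill surfaces to users on the upgrade prompt, make the "from" version match the base that actually shipped in 0.2.1.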
| # python:3.12-slim no longer ships setuptools, and semgrep's transitive | ||
| # Upgrade pip/wheel/setuptools together so Scout doesn't catch a stale wheel | ||
| # left behind from `ensurepip` bundling. | ||
| # python:3.13-slim no longer ships setuptools, and semgrep's transitive |
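Review bot: The Dockerfile comment is changed from `# python:3.12-slim no longer ships setuptools` to `# python:3.13-slim no longer ships setuptools`, yet the base image in this PR is python:3.14-slim, so neither variant describes the image in use. Either name the current base or drop the version from the comment so it does not go stale on the next bump.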
Summary
After PR #7 (Scout grade F → E by adding SBOM + non-root), the two remaining warnings were entirely CVEs inside the scanner binaries' embedded Go stdlibs. Used `docker scout cves --only-fixed --format only-packages` to identify them, then bumped each pin to the most recent upstream release.
What changed
Verified each binary still works at the new pin; non-root user (uid 1000) still in effect; 221 tests still pass; multi-arch `./security-scan.sh publish --no-push` runs cleanly with SBOM + provenance.
Version bumped `0.2.1` → `0.2.2`. Manifest changelog updated.
Known residual
`gitleaks 8.30.1` (the latest upstream release as of today) embeds Go 1.24.11. CVE-2025-68121 is in Go stdlib <1.24.13. The fix requires a gitleaks rebuild against a newer Go toolchain — that's an upstream change we can't make here. Documented in the manifest changelog.
Test plan
🤖 Generated with Claude Code
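One check a practitioner would want for the residual described under Known residual: read the Go toolchain version baked into each pinned scanner binary and compare it with the release that carries the fix. This is an added example, not code from the project; it parses the Go buildinfo block that `go version -m` reads (inline-string layout of Go 1.18+ only) and runs on a constructed byte blob, not a real scanner binary.

```python
from typing import Optional

# Go >= 1.18 binaries carry a 32-byte buildinfo header: 14-byte magic, ptrSize,
# flags, 16 reserved bytes. With flag 0x2 set the version string follows inline
# as a uvarint length plus bytes (older layouts store pointers; not handled here).
GO_BUILDINFO_MAGIC = b"\xff Go buildinf:"
FLAGS_VERSION_INLINE = 0x2
HEADER_SIZE = 32

def _uvarint(data: bytes, pos: int):
    """Decode a Go-style unsigned varint at pos; return (value, next_pos)."""
    value, shift = 0, 0
    while True:
        b = data[pos]
        pos += 1
        value |= (b & 0x7F) << shift
        if b < 0x80:
            return value, pos
        shift += 7

def embedded_go_version(data: bytes) -> Optional[str]:
    """Return the toolchain version (e.g. 'go1.24.11') embedded in a Go binary."""
    off = data.find(GO_BUILDINFO_MAGIC)
    if off < 0 or len(data) < off + HEADER_SIZE:
        return None
    if not data[off + 15] & FLAGS_VERSION_INLINE:
        return None  # pre-1.18 pointer layout: would need ELF/PE section walking
    length, pos = _uvarint(data, off + HEADER_SIZE)
    return data[pos:pos + length].decode("ascii")

def parse_go_version(v: str) -> tuple:
    """'go1.24.11' -> (1, 24, 11) so releases compare numerically, not as strings."""
    return tuple(int(x) for x in v.removeprefix("go").split("."))

def is_older_than(embedded: str, fixed_in: str) -> bool:
    """True when the embedded release predates the one that ships the fix.
    Pass the fixed version for the same release line the binary was built on."""
    return parse_go_version(embedded) < parse_go_version(fixed_in)

def make_fixture(version: str) -> bytes:
    """Constructed stand-in for a scanner binary: ELF-like prefix plus an inline
    buildinfo block (assumption: ptrSize 8, empty module info)."""
    header = GO_BUILDINFO_MAGIC + bytes([8, FLAGS_VERSION_INLINE]) + b"\0" * 16
    body = bytes([len(version)]) + version.encode("ascii") + b"\0"
    return b"\x7fELF" + b"\0" * 40 + header + body + b"\0" * 16

if __name__ == "__main__":
    blob = make_fixture("go1.24.11")  # mirrors the gitleaks 8.30.1 case
    v = embedded_go_version(blob)
    print(v, "needs newer toolchain:", is_older_than(v, "go1.24.13"))
```

On a real image the same function can be pointed at the bytes of each pinned binary under /usr/local/bin to confirm the stdlib generation Scout is complaining about.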