Bump scanner pins + base to clear Go stdlib CVEs

Dockerfile

@@ -8,14 +8,16 @@
 #
 # Secrets via env:  GITHUB_TOKEN, SLACK_WEBHOOK_URL or SLACK_BOT_TOKEN+SLACK_CHANNEL_ID
 
-FROM python:3.12-slim AS base
+FROM python:3.14-slim AS base
 
 # Pin scanner versions so "new vs resolved" diffs aren't polluted by upstream churn.
-ARG OSV_SCANNER_VERSION=1.9.2
-ARG GITLEAKS_VERSION=8.21.2
-ARG SEMGREP_VERSION=1.97.0
-ARG TRIVY_VERSION=0.70.0
-ARG TRUFFLEHOG_VERSION=3.95.3
+# When bumping, prefer the most recent stable release: each rebuild against a newer
+# Go toolchain is what closes the stdlib CVEs Docker Scout flags inside our binaries.
+ARG OSV_SCANNER_VERSION=2.3.8
+ARG GITLEAKS_VERSION=8.30.1
+ARG SEMGREP_VERSION=1.164.0
+ARG TRIVY_VERSION=0.71.0
+ARG TRUFFLEHOG_VERSION=3.95.5
 ARG SYFT_VERSION=1.44.0
 
 ENV PYTHONDONTWRITEBYTECODE=1 \
@@ -62,11 +64,14 @@ RUN set -eux; \
     gitleaks version
 
 # --- semgrep (pip — official channel) -------------------------------------
-# python:3.12-slim no longer ships setuptools, and semgrep's transitive
+# Upgrade pip/wheel/setuptools together so Scout doesn't catch a stale wheel
+# left behind from `ensurepip` bundling.
+# python:3.13-slim no longer ships setuptools, and semgrep's transitive
 # opentelemetry-instrumentation dep imports `pkg_resources` (provided by
 # setuptools). Pin setuptools < 80 because newer setuptools dropped the
 # bundled `pkg_resources` module.
-RUN pip install --no-cache-dir "setuptools>=70,<80" "semgrep==${SEMGREP_VERSION}" \
+RUN pip install --no-cache-dir --upgrade pip wheel "setuptools>=70,<80" \
+    && pip install --no-cache-dir "semgrep==${SEMGREP_VERSION}" \
     && semgrep --version
 
 # --- trivy (Aqua) — vuln + secret + iac + license, all in one ------------

SECURITY-SCAN-MANIFEST.yaml

@@ -27,13 +27,14 @@
 # Adding to this file in a new release is non-breaking. Removing fields is
 # breaking — skills must tolerate older manifests missing keys.
 
-version: "0.2.1"
+version: "0.2.2"
 config_schema_version: 2
 docker_image: "leverj/security-scan"
 released: "2026-06-02"
 
 # One-liners for the upgrade prompt the skill shows users.
 changelog:
+  - "0.2.2: CVE cleanup — bumped scanner pins (osv-scanner 2.3.8, gitleaks 8.30.1, trivy 0.71.0, trufflehog 3.95.5, semgrep 1.164.0) so each embeds a current Go stdlib; base bumped python:3.13-slim → python:3.14-slim; pip/wheel/setuptools upgraded together. Residual high-impact CVE (CVE-2025-68121 in Go 1.24.11) is inside gitleaks 8.30.1 — fix is upstream."
   - "0.2.1: hardened image — base bumped to python:3.12-slim with apt-get upgrade for current security patches; container now runs as non-root user 'scanner' (uid 1000); SBOM + SLSA provenance attestations now attached on publish."
   - "BREAKING (0.2.0): config moved from a single file to a directory (config/config.yaml). Bind-mount config/ at /config:ro."
   - "BREAKING (0.2.0): replaced parent_issue (int) with project.{owner,number} — findings file into a GitHub Projects v2 board, not as sub-issues."

pyproject.toml

@@ -4,7 +4,7 @@ build-backend = "setuptools.build_meta"
 
 [project]
 name = "security-scan"
-version = "0.2.1"
+version = "0.2.2"
 description = "Stateless single-repo security scanner; files findings into a GitHub Projects v2 board"
 requires-python = ">=3.11"
 dependencies = [

security_scan/__init__.py

@@ -1,3 +1,3 @@
 """security_scan — stateless single-repo security scanner; files findings into a GitHub Projects v2 board."""
 
-__version__ = "0.2.1"
+__version__ = "0.2.2"