.trivyignore
# Trivy Ignore File
# =================
# CVEs listed here are suppressed from Trivy scans.
# Only add CVEs after security review confirms they are acceptable risks.

# Node.js base image bundled npm packages
# These vulnerabilities are in npm's internal bundled dependencies (glob, tar)
# within the node:22-alpine base image. Since npm is not used at runtime
# (only node executes the CLI), these do not affect the application.
# Will be automatically fixed when Node.js releases a patched base image.

# glob command injection via malicious filenames (in npm's bundled glob)
CVE-2025-64756

# node-tar vulnerabilities (in npm's bundled tar)
CVE-2026-23745
CVE-2026-23950
CVE-2026-24842
CVE-2026-26960
CVE-2026-29786
GHSA-qffp-2rhf-9h96

# npm CLI local privilege escalation vulnerability
# This is a local-only vulnerability requiring system access, not applicable
# in our containerized runtime environment. No fix available yet.
# Tracking: Remove once npm releases a patched version
CVE-2026-0775

# minimatch ReDoS vulnerabilities (Regular Expression Denial of Service)
# Our direct dep is fixed (7.4.9), but npm bundled minimatch 9.0.5 in
# the node:22-alpine base image is still vulnerable. npm is not used at
# runtime, so risk is negligible.
# Tracking: Remove once Node.js releases a patched base image
CVE-2026-26996
CVE-2026-27903
CVE-2026-27904
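Several entries above carry a "Tracking: Remove once ..." note, which only helps if someone actually checks whether the suppression is still needed. The script below is an added example, not part of this repository: it parses a `.trivyignore` (comment lines, bare IDs, and Trivy's optional `exp:YYYY-MM-DD` suffix), compares it against a Trivy JSON report, and classifies each suppression as still active, stale (no longer reported, so the ignore can be deleted), or expired. The ignore excerpt and the report are constructed sample data; the report follows the `Results[].Vulnerabilities[].VulnerabilityID` layout of `trivy image -f json`.

```python
"""Audit a .trivyignore against a Trivy JSON report (constructed sample data)."""
import json
import re
from datetime import date

# Constructed excerpt in the repo's .trivyignore style. The "exp:" suffix is
# Trivy's optional expiry syntax; it is an assumption here, not from the file.
TRIVYIGNORE = """\
# npm CLI local privilege escalation vulnerability
CVE-2026-0775
# minimatch ReDoS vulnerabilities
CVE-2026-26996
CVE-2026-27903 exp:2026-01-01
"""

# Constructed Trivy JSON report; only the fields the audit needs are present.
REPORT = json.dumps({"Results": [{"Target": "node:22-alpine (alpine)",
    "Vulnerabilities": [
        {"VulnerabilityID": "CVE-2026-0775", "PkgName": "npm"},
        {"VulnerabilityID": "CVE-2026-27903", "PkgName": "minimatch"},
    ]}]})

ENTRY = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?$")

def parse_ignore(text):
    """Return {vuln_id: expiry date or None}, skipping comments and blank lines."""
    entries = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = ENTRY.match(line)
        if m is None:
            raise ValueError(f"unrecognised .trivyignore line: {raw!r}")
        exp = m.group("exp")
        entries[m.group("id")] = date.fromisoformat(exp) if exp else None
    return entries

def reported_ids(report_json):
    """Collect every VulnerabilityID across all targets (Vulnerabilities may be null)."""
    data = json.loads(report_json)
    return {v["VulnerabilityID"]
            for r in data.get("Results", []) for v in (r.get("Vulnerabilities") or [])}

def audit(ignore_text, report_json, today):
    """Classify suppressions as active (still reported), stale (gone) or expired."""
    found = reported_ids(report_json)
    result = {"active": [], "stale": [], "expired": []}
    for vid, exp in parse_ignore(ignore_text).items():
        bucket = "expired" if exp and exp <= today else "active" if vid in found else "stale"
        result[bucket].append(vid)
    return result
```

Run it as a CI step against a fresh scan so a stale or expired suppression fails the build instead of silently lingering.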