
chore(docker): bump the docker group in /versions with 5 updates #38

Open

dependabot[bot] wants to merge 1 commit into main from dependabot/docker/versions/docker-fb3d359985

dependabot[bot] commented on behalf of github on Jun 20, 2026

Bumps the docker group in /versions with 5 updates:

| Package | From | To |
| --- | --- | --- |
| trufflesecurity/trufflehog | 3.95.2 | 3.95.6 |
| anchore/syft | v1.44.0 | v1.45.1 |
| aquasecurity/trivy | 0.70.0 | 0.71.2 |
| anchore/grype | v0.112.0 | v0.114.0 |
| semgrep/semgrep | 1.161.0 | 1.166.0 |

Updates trufflesecurity/trufflehog from 3.95.2 to 3.95.6

Release notes

Sourced from trufflesecurity/trufflehog's releases.

v3.95.6

What's Changed

New Contributors

Full Changelog: trufflesecurity/trufflehog@v3.95.4...v3.95.6

v3.95.5

What's Changed

... (truncated)

Commits
  • 30d5bb9 S3: surface bucket listing failures and fix multi-role object count (#5035)
  • f0739f1 close todo - embed small HTTP test fixtures (#5001)
  • 36d680a add filetype=sdist param so we get the correct response code (#4988)
  • 248ffd5 fix(dropbox): prevent long sl.u. tokens from being truncated before verificat...
  • afbdaa8 Fix: Resolve known dedup issues in notifierWorker (#5028)
  • 7bcf376 [INS-472] [INS-515] Add user detector to defaults.go, gate it behind feat fla...
  • 84a2b33 Fix Renovate lookup: update setup-captain version comment (#4999)
  • ac0805e [INS-469] Added Rev detectors to defaults.go and gated it behind feature flag...
  • d03d087 GitHub finegrain analyzer was improperly handling errors (#4498)
  • b64cefe set redacted value to last 4 characters of secret, to match how the secret ty...
  • Additional commits viewable in compare view

Updates anchore/syft from v1.44.0 to v1.45.1

Release notes

Sourced from anchore/syft's releases.

v1.45.1

Bug Fixes

(Full Changelog)

v1.45.0

Added Features

Bug Fixes

Additional Changes

(Full Changelog)

Commits
  • d4496b0 chore(deps): update anchore dependencies (#4934)
  • adc55cd chore(deps): bump the go-minor-patch group across 1 directory with 3 updates ...
  • 00d0bb5 chore(deps): update tool versions (#4724)
  • f474308 chore(deps): bump the go-minor-patch group across 2 directories with 14 updat...
  • bf67072 chore: bump golang.org/x/crypto (#4955)
  • 9673f86 Pass contents: read to check-gate (#4951)
  • a4fb2c0 perf(python): hoist name normalization regexp to package level (#4926)
  • cf2ce64 update helm classifier (#4922)
  • 524a44b chore(deps): bump the actions-minor-patch group across 1 directory with 6 upd...
  • 4e86715 fix: improve julia classifier to find shared libs and beta versions (#4945)
  • Additional commits viewable in compare view

Updates aquasecurity/trivy from 0.70.0 to 0.71.2

Release notes

Sourced from aquasecurity/trivy's releases.

v0.71.2

Changelog

  • 055a5c8a53bfd61f7a8e276a5b2f0c3fc1673420 release: v0.71.2 [release/v0.71] (#10871)
  • 875328a4138f26e8559cfee80adaef82b6693076 fix(deps): bump alpine to 3.24.1 [backport: release/v0.71] (#10870)
  • 998f7b3c3f3c9de2132bc4358970eeafbd797fba chore(deps): bump the common group with 4 updates [backport: release/v0.71] (#10867)

v0.71.1

Changelog

  • 164b383121351c2d49c5d354c2245719d972752b release: v0.71.1 [release/v0.71] (#10818)
  • a72d9a4d997c25fbb6534e231b4e206c9b202b31 fix(oci): validate artifact filename
  • 3dd98471dfbbc4a95edd5cd866468d3a8c87fd17 fix: forward ospkg detector options through ospkg.NewScanner [backport: release/v0.71] (#10825)
  • a62cbe40a240d3a3f568401b8a5f86e14114e371 fix(vex): load VEX documents from within the repository directory [backport: release/v0.71] (#10821)
  • 43d1d2628725e913db110b89419f0bebd36f58a8 fix: surface the original analysis error instead of context cancellation [backport: release/v0.71] (#10812)
  • ac7696c7b50d633183ce2ff44898d4b5c6eae565 ci: expect GitHub App bot as backport PR author [backport: release/v0.71] (#10815)

v0.71.0

⚡ Highlights ⚡

👉 aquasecurity/trivy#10767

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01

Changelog

Sourced from aquasecurity/trivy's changelog.

0.71.2 (2026-06-19)

Bug Fixes

  • deps: bump alpine to 3.24.1 [backport: release/v0.71] (#10870) (875328a)

0.71.1 (2026-06-10)

Bug Fixes

  • forward ospkg detector options through ospkg.NewScanner [backport: release/v0.71] (#10825) (3dd9847)
  • oci: validate artifact filename (a72d9a4)
  • surface the original analysis error instead of context cancellation [backport: release/v0.71] (#10812) (43d1d26)
  • vex: load VEX documents from within the repository directory [backport: release/v0.71] (#10821) (a62cbe4)

0.71.0 (2026-06-01)

Features

  • add WithDriver and WithProvider options to ospkg detector (#10740) (f8a6ddb)
  • java: support <mirrors> from settings.xml (#10692) (c080ce3)
  • sbom: support for CycloneDX 1.7 (#10715) (04f739e)
  • seal: add vendor support for language file detection. (#10297) (b08bf6a)
  • secret: add a way to customize skipped folders, files and exts (#10550) (e4325b1)
  • secret: add Azure secret detection rules (#10562) (69dcd18)
  • secret: add Maven rules to detect passwords and passphrases in settings.xml and settings-security.xml files (#10704) (9ad901d)
  • spdx: add SHA-512 hash algorithm support to SPDX serializer (#10719) (f2a1237)
  • ubuntu: detect Ubuntu 26.04 LTS (#10592) (a61feac)

Bug Fixes

  • cloudformation: propagate AWS::EC2::Instance MetadataOptions (#10731) (ac2f3d7)
  • image: correctly reconstruct RUN instructions built without BuildKit (#10714) (519eac9)
  • java: surface 429 from a remote Maven repository as a fatal error when scanning pom.xml files (#10693) (f8fdb93)
  • misconf: fix rendering of nested values in terraform plan lists (#10746) (9c1cf65)
  • misconf: make identifiers in ignore rules case-insensitive (#10375) (a75a468)
  • misconf: prevent path traversal in Terraform filesystem functions (#10664) (9d91b88)
  • misconf: reject nil plays during playbook parsing (#10273) (0bc5c6d)
  • misconf: skip null cty values in AsMapValue to prevent panic (#10723) (f080e1e)
  • misconf: skip resources with no after changes (#10352) (f099dc4)
  • nodejs: handle legacy license formats in npm lockfile parser (#10684) (451fd99)
  • nodejs: silently skip subdirectory package.json files with invalid names (#10609) (0e4dc66)
  • overwrite OS packages PURLs after overwrite OS (#10298) (39a28ed)
  • pull instead of clone when test repo already exists (#10636) (3a2f7fb)
  • report: don't produce trailing comma in gitlab.tpl links array (#10728) (69e78e2)
  • secret: correctly skip secret-scanner config file from scanning (#10666) (fc1e46f)

Commits
  • 055a5c8 release: v0.71.2 [release/v0.71] (#10871)
  • 875328a fix(deps): bump alpine to 3.24.1 [backport: release/v0.71] (#10870)
  • 998f7b3 chore(deps): bump the common group with 4 updates [backport: release/v0.71] (...
  • 164b383 release: v0.71.1 [release/v0.71] (#10818)
  • a72d9a4 fix(oci): validate artifact filename
  • 3dd9847 fix: forward ospkg detector options through ospkg.NewScanner [backport: relea...
  • a62cbe4 fix(vex): load VEX documents from within the repository directory [backport: ...
  • 43d1d26 fix: surface the original analysis error instead of context cancellation [bac...
  • ac7696c ci: expect GitHub App bot as backport PR author [backport: release/v0.71] (#1...
  • 9b49920 release: v0.71.0 [main] (#10638)
  • Additional commits viewable in compare view

Updates anchore/grype from v0.112.0 to v0.114.0

Release notes

Sourced from anchore/grype's releases.

v0.114.0

Added Features

Additional Changes

(Full Changelog)

v0.113.0

Added Features

Bug Fixes

(Full Changelog)

Commits

Updates semgrep/semgrep from 1.161.0 to 1.166.0

You can trigger a rebase of this PR by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore <dependency name> major version will close this group update PR and stop Dependabot creating any more for the specific dependency's major version (unless you unignore this specific dependency's major version or upgrade to it yourself)
  • @dependabot ignore <dependency name> minor version will close this group update PR and stop Dependabot creating any more for the specific dependency's minor version (unless you unignore this specific dependency's minor version or upgrade to it yourself)
  • @dependabot ignore <dependency name> will close this group update PR and stop Dependabot creating any more for the specific dependency (unless you unignore this specific dependency or upgrade to it yourself)
  • @dependabot unignore <dependency name> will remove all of the ignore conditions of the specified dependency
  • @dependabot unignore <dependency name> <ignore condition> will remove the ignore condition of the specified dependency and ignore conditions

Bumps the docker group in /versions with 5 updates:

| Package | From | To |
| --- | --- | --- |
| [trufflesecurity/trufflehog](https://github.com/trufflesecurity/trufflehog) | `3.95.2` | `3.95.6` |
| [anchore/syft](https://github.com/anchore/syft) | `v1.44.0` | `v1.45.1` |
| [aquasecurity/trivy](https://github.com/aquasecurity/trivy) | `0.70.0` | `0.71.2` |
| [anchore/grype](https://github.com/anchore/grype) | `v0.112.0` | `v0.114.0` |
| semgrep/semgrep | `1.161.0` | `1.166.0` |


Updates `trufflesecurity/trufflehog` from 3.95.2 to 3.95.6
- [Release notes](https://github.com/trufflesecurity/trufflehog/releases)
- [Commits](trufflesecurity/trufflehog@v3.95.2...v3.95.6)

Updates `anchore/syft` from v1.44.0 to v1.45.1
- [Release notes](https://github.com/anchore/syft/releases)
- [Changelog](https://github.com/anchore/syft/blob/main/RELEASE.md)
- [Commits](anchore/syft@v1.44.0...v1.45.1)

Updates `aquasecurity/trivy` from 0.70.0 to 0.71.2
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/v0.71.2/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.70.0...v0.71.2)

Updates `anchore/grype` from v0.112.0 to v0.114.0
- [Release notes](https://github.com/anchore/grype/releases)
- [Changelog](https://github.com/anchore/grype/blob/main/RELEASE.md)
- [Commits](anchore/grype@v0.112.0...v0.114.0)

Updates `semgrep/semgrep` from 1.161.0 to 1.166.0

---
updated-dependencies:
- dependency-name: trufflesecurity/trufflehog
  dependency-version: 3.95.6
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: docker
- dependency-name: anchore/syft
  dependency-version: v1.45.1
  dependency-type: direct:production
  dependency-group: docker
- dependency-name: aquasecurity/trivy
  dependency-version: 0.71.2
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker
- dependency-name: anchore/grype
  dependency-version: v0.114.0
  dependency-type: direct:production
  dependency-group: docker
- dependency-name: semgrep/semgrep
  dependency-version: 1.166.0
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: docker
...

Signed-off-by: dependabot[bot] <support@github.com>

@github-actions

Semgrep Scan Results

Repository: actions | Commit: 3b1ee24

| Check | Status | Details |
| --- | --- | --- |
| ✅ Semgrep | Pass | 0 total findings (no error/warning) |

Scanned at 2026-06-20 13:30 UTC

@github-actions

Security Scan Results

Repository: actions | Commit: 3b1ee24

| Check | Status | Details |
| --- | --- | --- |
| ✅ Secret Scan | Pass | No secrets detected |
| ⏩ Dependencies | Skipped | - |

Scanned at 2026-06-20 13:30 UTC

Labels

  • dependencies: Pull requests that update a dependency file
  • docker: Pull requests that update Docker base images
