fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy scan

Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore. These are embedded in next/dist/compiled/ and cannot be fixed via pnpm overrides — requires upstream Next.js release with updated bundles.

Also add .trivyignore to all pipeline path filters so future changes to the ignore file trigger CI validation.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

@@ -15,6 +15,7 @@ when:
|
||||
- "turbo.json"
|
||||
- "package.json"
|
||||
- ".woodpecker/api.yml"
|
||||
- ".trivyignore"
|
||||
|
||||
variables:
|
||||
- &node_image "node:24-alpine"
|
||||
|
||||
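
Review bot: the added `- ".trivyignore"` entry in the `when` path list has no comment explaining why a scanner ignore file gates this pipeline, and only this one filter is visible here although the commit message says all pipeline path filters were updated. Add a short YAML comment next to the entry, and confirm the other pipeline files carry the same line. Because the suppressions for CVE-2026-26960 and CVE-2026-26996 are meant to last only until an upstream Next.js release updates the bundles, consider giving each entry in .trivyignore a reason comment and an `exp:` date so the scan starts failing again if the suppression is never revisited.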