fix(ci): suppress Next.js bundled tar/minimatch CVEs in trivy scan

Add CVE-2026-26960 (tar) and CVE-2026-26996 (minimatch) to .trivyignore. These are embedded in next/dist/compiled/ and cannot be fixed via pnpm overrides — requires upstream Next.js release with updated bundles. Also add .trivyignore to all pipeline path filters so future changes to the ignore file trigger CI validation. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-21 14:35:08 -06:00
3 changed files with 3 additions and 0 deletions
--- a/.woodpecker/api.yml
+++ b/.woodpecker/api.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/api.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
--- a/.woodpecker/orchestrator.yml
+++ b/.woodpecker/orchestrator.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/orchestrator.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"
--- a/.woodpecker/web.yml
+++ b/.woodpecker/web.yml
@@ -15,6 +15,7 @@ when:
        - "turbo.json"
        - "package.json"
        - ".woodpecker/web.yml"
+        - ".trivyignore"

 variables:
  - &node_image "node:24-alpine"