chore(deps): bump github.com/aquasecurity/trivy from 0.66.0 to 0.67.0 #196

dependabot · 2025-10-06T11:29:53Z

Bumps github.com/aquasecurity/trivy from 0.66.0 to 0.67.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.67.0

👉 Trivy v0.67.0 release notes (click here)

⬇️ Download Trivy

MacOS Apple Silicon

MacOS Intel

Linux Intel

Linux ARM

Windows Intel

🐳 New Docker Install option

docker pull get.trivy.dev/image/trivy:0.67.0

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0670-2025-09-30

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.67.0 (2025-09-30)

Features

add documentation URL for database lock errors (#9531) (eba48af)

cli: change --list-all-pkgs default to true (#9510) (7b663d8)

cloudformation: support default values and list results in Fn::FindInMap (#9515) (42b3bf3)

cyclonedx: preserve SBOM structure when scanning SBOM files with vulnerability updates (#9439) (aff03eb)

redhat: add os-release detection for RHEL-based images (#9458) (cb25a07)

sbom: added support for CoreOS (#9448) (6d562a3)

seal: add seal support (#9370) (e4af279)

Bug Fixes

aws: use BuildableClient insead of xhttp.Client (#9436) (fa6f1bf)

close file descriptors and pipes on error paths (#9536) (a4cbd6a)

db: Dowload database when missing but metadata still exists (#9393) (92ebc7e)

k8s: disable parallel traversal with fs cache for k8s images (#9534) (c0c7a6b)

misconf: handle tofu files in module detection (#9486) (bfd2f6b)

misconf: strip build metadata suffixes from image history (#9498) (c938806)

misconf: unmark cty values before access (#9495) (8e40d27)

misconf: wrap legacy ENV values in quotes to preserve spaces (#9497) (267a970)

nodejs: parse workspaces as objects for package-lock.json files (#9518) (404abb3)

nodejs: use snapshot string as Package.ID for pnpm packages (#9330) (4517e8c)

vex: don't suppress vulns for packages with infinity loop (#9465) (78f0d4a)

vuln: compare nuget package names in lower case (#9456) (1ff9ac7)

Commits

adeb362 release: v0.67.0 [main] (#9432)
78f0d4a fix(vex): don't suppress vulns for packages with infinity loop (#9465)
fa6f1bf fix(aws): use BuildableClient insead of xhttp.Client (#9436)
e7c16a7 refactor(misconf): replace github.com/liamg/memoryfs with internal mapfs and ...
c446a5c docs: clarify inline ignore limitations for resource-less checks (#9537)
c0c7a6b fix(k8s): disable parallel traversal with fs cache for k8s images (#9534)
bfd2f6b fix(misconf): handle tofu files in module detection (#9486)
e4af279 feat(seal): add seal support (#9370)
e149094 docs: fix modules path and update code example (#9539)
a4cbd6a fix: close file descriptors and pipes on error paths (#9536)
Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

@dependabot rebase will rebase this PR
@dependabot recreate will recreate this PR, overwriting any edits that have been made to it
@dependabot merge will merge this PR after your CI passes on it
@dependabot squash and merge will squash and merge this PR after your CI passes on it
@dependabot cancel merge will cancel a previously requested merge and block automerging
@dependabot reopen will reopen this PR if it is closed
@dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
@dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
@dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
@dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.66.0 to 0.67.0. - [Release notes](https://github.com/aquasecurity/trivy/releases) - [Changelog](https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md) - [Commits](aquasecurity/trivy@v0.66.0...v0.67.0) --- updated-dependencies: - dependency-name: github.com/aquasecurity/trivy dependency-version: 0.67.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <[email protected]>

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 6, 2025

dependabot bot requested a review from a team as a code owner October 6, 2025 11:29

dependabot bot added dependencies Pull requests that update a dependency file go Pull requests that update Go code labels Oct 6, 2025

github-actions bot enabled auto-merge (squash) October 6, 2025 11:30

github-actions bot approved these changes Oct 6, 2025

View reviewed changes

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

chore(deps): bump github.com/aquasecurity/trivy from 0.66.0 to 0.67.0 #196

chore(deps): bump github.com/aquasecurity/trivy from 0.66.0 to 0.67.0 #196

Uh oh!

dependabot bot commented on behalf of github Oct 6, 2025

Uh oh!

Uh oh!

chore(deps): bump github.com/aquasecurity/trivy from 0.66.0 to 0.67.0 #196

Are you sure you want to change the base?

chore(deps): bump github.com/aquasecurity/trivy from 0.66.0 to 0.67.0 #196

Uh oh!

Conversation

dependabot bot commented on behalf of github Oct 6, 2025

v0.67.0

👉 Trivy v0.67.0 release notes (click here)

⬇️ Download Trivy

🐳 New Docker Install option

Changelog

0.67.0 (2025-09-30)

Features

Bug Fixes

Uh oh!

Uh oh!