
chore(deps): bump github.com/aquasecurity/trivy from 0.70.0 to 0.71.1#304

Open

dependabot[bot] wants to merge 1 commit into master from dependabot/go_modules/github.com/aquasecurity/trivy-0.71.1

Conversation


@dependabot dependabot Bot commented on behalf of github Jun 22, 2026


Bumps github.com/aquasecurity/trivy from 0.70.0 to 0.71.1.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.71.1

Changelog

  • 164b383121351c2d49c5d354c2245719d972752b release: v0.71.1 [release/v0.71] (#10818)
  • a72d9a4d997c25fbb6534e231b4e206c9b202b31 fix(oci): validate artifact filename
  • 3dd98471dfbbc4a95edd5cd866468d3a8c87fd17 fix: forward ospkg detector options through ospkg.NewScanner [backport: release/v0.71] (#10825)
  • a62cbe40a240d3a3f568401b8a5f86e14114e371 fix(vex): load VEX documents from within the repository directory [backport: release/v0.71] (#10821)
  • 43d1d2628725e913db110b89419f0bebd36f58a8 fix: surface the original analysis error instead of context cancellation [backport: release/v0.71] (#10812)
  • ac7696c7b50d633183ce2ff44898d4b5c6eae565 ci: expect GitHub App bot as backport PR author [backport: release/v0.71] (#10815)

v0.71.0

⚡ Highlights ⚡

👉 aquasecurity/trivy#10767

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.71.1 (2026-06-10)

Bug Fixes

  • forward ospkg detector options through ospkg.NewScanner [backport: release/v0.71] (#10825) (3dd9847)
  • oci: validate artifact filename (a72d9a4)
  • surface the original analysis error instead of context cancellation [backport: release/v0.71] (#10812) (43d1d26)
  • vex: load VEX documents from within the repository directory [backport: release/v0.71] (#10821) (a62cbe4)

0.71.0 (2026-06-01)

Features

  • add WithDriver and WithProvider options to ospkg detector (#10740) (f8a6ddb)
  • java: support <mirrors> from settings.xml (#10692) (c080ce3)
  • sbom: support for CycloneDX 1.7 (#10715) (04f739e)
  • seal: add vendor support for language file detection. (#10297) (b08bf6a)
  • secret: add a way to customize skipped folders, files and exts (#10550) (e4325b1)
  • secret: add Azure secret detection rules (#10562) (69dcd18)
  • secret: add Maven rules to detect passwords and passphrases in settings.xml and settings-security.xml files (#10704) (9ad901d)
  • spdx: add SHA-512 hash algorithm support to SPDX serializer (#10719) (f2a1237)
  • ubuntu: detect Ubuntu 26.04 LTS (#10592) (a61feac)

Bug Fixes

  • cloudformation: propagate AWS::EC2::Instance MetadataOptions (#10731) (ac2f3d7)
  • image: correctly reconstruct RUN instructions built without BuildKit (#10714) (519eac9)
  • java: surface 429 from a remote Maven repository as a fatal error when scanning pom.xml files (#10693) (f8fdb93)
  • misconf: fix rendering of nested values in terraform plan lists (#10746) (9c1cf65)
  • misconf: make identifiers in ignore rules case-insensitive (#10375) (a75a468)
  • misconf: prevent path traversal in Terraform filesystem functions (#10664) (9d91b88)
  • misconf: reject nil plays during playbook parsing (#10273) (0bc5c6d)
  • misconf: skip null cty values in AsMapValue to prevent panic (#10723) (f080e1e)
  • misconf: skip resources with no after changes (#10352) (f099dc4)
  • nodejs: handle legacy license formats in npm lockfile parser (#10684) (451fd99)
  • nodejs: silently skip subdirectory package.json files with invalid names (#10609) (0e4dc66)
  • overwrite OS packages PURLs after overwrite OS (#10298) (39a28ed)
  • pull instead of clone when test repo already exists (#10636) (3a2f7fb)
  • report: don't produce trailing comma in gitlab.tpl links array (#10728) (69e78e2)
  • secret: correctly skip secret-scanner config file from scanning (#10666) (fc1e46f)

Commits
  • 164b383 release: v0.71.1 [release/v0.71] (#10818)
  • a72d9a4 fix(oci): validate artifact filename
  • 3dd9847 fix: forward ospkg detector options through ospkg.NewScanner [backport: relea...
  • a62cbe4 fix(vex): load VEX documents from within the repository directory [backport: ...
  • 43d1d26 fix: surface the original analysis error instead of context cancellation [bac...
  • ac7696c ci: expect GitHub App bot as backport PR author [backport: release/v0.71] (#1...
  • 9b49920 release: v0.71.0 [main] (#10638)
  • 35cefae ci: use only the first line of commit message in release-please workflow (#10...
  • f8a6ddb feat: add WithDriver and WithProvider options to ospkg detector (#10740)
  • 3ea80c0 chore(deps): bump github.com/google/go-containerregistry to v0.21.6 (#10741)
  • Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

  • @dependabot rebase will rebase this PR
  • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
  • @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
  • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
  • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

Bumps [github.com/aquasecurity/trivy](https://github.com/aquasecurity/trivy) from 0.70.0 to 0.71.1.
- [Release notes](https://github.com/aquasecurity/trivy/releases)
- [Changelog](https://github.com/aquasecurity/trivy/blob/v0.71.1/CHANGELOG.md)
- [Commits](aquasecurity/trivy@v0.70.0...v0.71.1)

---
updated-dependencies:
- dependency-name: github.com/aquasecurity/trivy
  dependency-version: 0.71.1
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot added labels dependencies (Pull requests that update a dependency file) and go (Pull requests that update Go code) Jun 22, 2026
@dependabot dependabot Bot requested a review from a team as a code owner June 22, 2026 10:48
@codacybeta codacybeta enabled auto-merge (squash) June 22, 2026 10:48

codacy-production Bot commented Jun 22, 2026


Not up to standards ⛔

🔴 Issues 3 high · 2 medium

Alerts:
⚠ 5 issues (≤ 1 issue of at least medium severity)
⚠ 5 issues (≤ 0 issues of at least minor severity)

Results:
5 new issues

Category Results
  • Security: 3 high, 2 medium

🟢 Metrics 0 duplication

Metric Results
  • Duplication: 0

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.


@codacy-production codacy-production Bot left a comment


Pull Request Overview

This pull request is currently not up to standards due to critical security vulnerabilities and the omission of required configuration updates. While the dependency upgrades align with the primary intent, the transition to Go 1.26.3 introduces several high-severity security risks (CVE-2026-42504, CVE-2026-27145, CVE-2026-42507) and pulls in a vulnerable version of containerd/v2. Furthermore, there is a clear gap in the acceptance criteria: the mandatory update to .circle/config.yml, explicitly required by code comments when bumping Trivy, has not been performed. This missing file change will likely result in CI/CD failures.

Test suggestions

  • Verify that the engine correctly initializes and executes scans using Trivy v0.71.1
  • Verify that the Go 1.26.3 runtime is compatible with the current CI/CD environment
  • Ensure CycloneDX report generation remains functional with cyclonedx-go v0.11.0

Low confidence findings
  • The upgrade from Go 1.25.8 to 1.26.3 is a significant toolchain jump. Ensure that CI runners and production Docker base images are prepared to support this version to avoid 'unsupported toolchain' errors.


Comment thread go.mod
module github.com/codacy/codacy-trivy

go 1.25.8
go 1.26.3
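Review bot: the go directive in go.mod is raised from 1.25.8 to 1.26.3, but the PR title and the commit message describe only the trivy bump from 0.70.0 to 0.71.1; record the toolchain change in the description, because anyone building this module with a Go toolchain older than 1.26.3 will now fail on the raised minimum.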


🔴 HIGH RISK

Updating to Go 1.26.3 introduces multiple high-severity security vulnerabilities, including CVE-2026-42504 (MIME header DoS), CVE-2026-27145 (hostname verification), and CVE-2026-42507 (input injection). Additionally, ensure the CI environment supports this version jump. It is recommended to use Go 1.26.4 to mitigate these security risks.

Suggested change
go 1.26.3
go 1.26.4
