From 36f09f7dac1f862378a8eae6589014eff729ed69 Mon Sep 17 00:00:00 2001 From: Chris Burns <29541485+ChrisJBurns@users.noreply.github.com> Date: Fri, 3 Apr 2026 15:39:10 +0100 Subject: [PATCH] Ignore Docker daemon-side vulns in govulncheck MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit GO-2026-4883 (plugin privilege validation) and GO-2026-4887 (AuthZ plugin bypass) affect Docker daemon internals. ToolHive only uses the Docker client SDK and is not impacted. No fix exists for the github.com/docker/docker module path yet — the patch is only in github.com/moby/moby/v2 v2.0.0-beta.8+. Co-Authored-By: Claude Opus 4.6 (1M context) --- .github/workflows/security-scan.yml | 13 ++++++++++++- 1 file changed, 12 insertions(+), 1 deletion(-) diff --git a/.github/workflows/security-scan.yml b/.github/workflows/security-scan.yml index 5709b848cf..f8dacbb362 100644 --- a/.github/workflows/security-scan.yml +++ b/.github/workflows/security-scan.yml 
@@ -68,7 +68,18 @@ jobs: # Indirect dependency via mcp-go, invopop/jsonschema, wk8/go-ordered-map. # The vulnerability is in the Delete function which is not called by ToolHive # or any of its dependencies. No fixed version exists yet (all versions affected). - IGNORED_VULNS="GO-2025-4192 GO-2026-4514" + # GO-2026-4883: Off-by-one error in Moby plugin privilege validation (CVE-2026-33997) + # Affects the Docker daemon's plugin privilege handling code. ToolHive only uses + # the Docker client SDK to manage containers, not the daemon plugin subsystem. + # No fixed version exists for github.com/docker/docker; fix is only in + # github.com/moby/moby/v2 v2.0.0-beta.8+ which is not yet available as a + # docker/docker release. + # GO-2026-4887: AuthZ plugin bypass with oversized request bodies (CVE-2026-34040) + # Affects the Docker daemon's AuthZ plugin mechanism. ToolHive only uses the + # Docker client SDK and does not run or configure AuthZ plugins. No fixed version + # exists for github.com/docker/docker; fix is only in github.com/moby/moby/v2 + # v2.0.0-beta.8+ which is not yet available as a docker/docker release. + IGNORED_VULNS="GO-2025-4192 GO-2026-4514 GO-2026-4883 GO-2026-4887" # Show the raw output for debugging echo "::group::govulncheck raw output"
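Review bot: the two new ignores added to `IGNORED_VULNS` state an expiry condition ("not yet available as a docker/docker release") but nothing will trigger their removal, so they are likely to outlive the fix; add a TODO on the `IGNORED_VULNS` line or a tracking reference in the comment saying to drop GO-2026-4883 and GO-2026-4887 as soon as a github.com/docker/docker release carries the github.com/moby/moby/v2 v2.0.0-beta.8+ patch, or once the module path is migrated. The rationale for both entries rests on the claim that ToolHive only uses the Docker client SDK and never reaches the daemon plugin or AuthZ code; since the comment is the only record of that reasoning, note what evidence supports it (for example, that the govulncheck raw output grouped just below shows no call path into the affected symbols) so the next reviewer can re-check it rather than take the comment on trust. Minor: the sentence "No fixed version exists for github.com/docker/docker; fix is only in github.com/moby/moby/v2 v2.0.0-beta.8+ which is not yet available as a docker/docker release" is repeated verbatim under both IDs; one shared sentence above the pair would be shorter.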