Merge pull request #40 from dash14/improve/image-scan-all-severities

dash14 · web-flow · commit a164f128c3fa · 2026-04-05T22:26:23.000+09:00
Scan all severities on non-main branches and add trivyignore entries
diff --git a/.github/workflows/image-scan.yml b/.github/workflows/image-scan.yml
@@ -63,4 +63,3 @@ jobs:
           trivyignores: .trivyignore
           scanners: vuln
           format: table
-          severity: CRITICAL,HIGH
diff --git a/.trivyignore b/.trivyignore
@@ -61,3 +61,15 @@ CVE-2026-22184
 # Go stdlib net/url: incorrect parsing of IPv6 host literals.
 # CNI plugins do not parse user-supplied URLs.
 CVE-2026-25679
+
+# zlib: DoS via infinite loop in crc32_combine functions.
+# No code path in this product calls crc32_combine directly.
+CVE-2026-27171
+
+# Go stdlib html/template: URL escaping issue in meta content attribute.
+# CNI plugins do not generate or serve HTML.
+CVE-2026-27142
+
+# Go stdlib os: FileInfo can escape from a Root in ReadDir.
+# CNI plugins do not use the os.Root sandboxed filesystem API.
+CVE-2026-27139
