
ci: suppress unfixable test-only Trivy CVE-2026-34040 #240

Merged: arumes31 merged 1 commit into main from v2_test, Jun 4, 2026

Conversation

@arumes31
Owner

@arumes31 arumes31 commented Jun 4, 2026

Trivy FS scan fails on github.com/docker/docker v28.5.2 (CVE-2026-34040, Moby authz-plugin bypass). It is a test-only transitive dep via testcontainers-go, not present in the production binary, and the app runs no docker daemon. The fix ships under github.com/moby/moby (Moby 29.3.1); the legacy docker/docker import path has no v29.x tag and testcontainers-go v0.42.0 (latest) still depends on it, so no bump is possible.

Add a documented .trivyignore entry and wire it into the FS scan via the trivyignores input. Revisit when testcontainers-go migrates to moby/moby.

Summary by CodeRabbit

  • Chores
    • Updated daily security scanning workflow to apply configured vulnerability exception rules for documented non-production issues.
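Added example, not code from this PR or its repository: a small Python lint for .trivyignore that enforces the discipline the PR relies on, a rationale comment directly in front of every suppression plus an exp: revisit date that has not lapsed. The sample file content is constructed, the exp:YYYY-MM-DD suffix is Trivy's documented .trivyignore syntax, and the CVE-0000-0000 and GHSA-xxxx-yyyy-zzzz entries are placeholders.

```python
"""Lint a .trivyignore: each suppression needs a rationale comment and a live exp: date."""
import re
from datetime import date

# Trivy's .trivyignore syntax: one ID per line, '#' comment lines, optional
# 'exp:YYYY-MM-DD' suffix after which Trivy stops honouring the entry.
ENTRY_RE = re.compile(r"^(?P<id>\S+)(?:\s+exp:(?P<exp>\d{4}-\d{2}-\d{2}))?$")

# Constructed sample: the PR's entry with a hypothetical exp: date, an undocumented placeholder, a lapsed one.
SAMPLE = """\
# CVE-2026-34040: Moby authz-plugin bypass in github.com/docker/docker v28.5.2.
# Test-only transitive dep via testcontainers-go, not in the production binary;
# fix ships only under github.com/moby/moby, revisit when testcontainers-go migrates.
CVE-2026-34040 exp:2026-12-31

CVE-0000-0000

# placeholder advisory whose review date has passed
GHSA-xxxx-yyyy-zzzz exp:2025-01-01
"""

def lint_trivyignore(text, today_iso):
    """Return [(line_no, message), ...]; an empty list means the file is clean."""
    today = date.fromisoformat(today_iso)
    findings = []
    documented = False  # True while a '#' comment block directly precedes a line
    for n, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line:
            documented = False  # a blank line breaks the comment/entry pairing
            continue
        if line.startswith("#"):
            documented = True
            continue
        m = ENTRY_RE.match(line)
        if not m:
            findings.append((n, f"unparseable entry: {line!r}"))
        else:
            if not documented:
                findings.append((n, f"{m['id']} has no rationale comment"))
            if m["exp"] is None:
                findings.append((n, f"{m['id']} has no exp: revisit date"))
            elif date.fromisoformat(m["exp"]) < today:
                findings.append((n, f"{m['id']} suppression lapsed on {m['exp']}"))
        documented = False
    return findings

for line_no, msg in lint_trivyignore(SAMPLE, "2026-06-04"):  # the PR's merge date
    print(f".trivyignore:{line_no}: {msg}")
```

The PR's own entry carries a rationale but no expiry and is revisited on a migration event instead; treating a missing exp: as a finding is a stricter policy than the PR adopts.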

Trivy FS scan fails on github.com/docker/docker v28.5.2 (CVE-2026-34040,
Moby authz-plugin bypass). It is a test-only transitive dep via
testcontainers-go, not present in the production binary, and the app runs
no docker daemon. The fix ships under github.com/moby/moby (Moby 29.3.1);
the legacy docker/docker import path has no v29.x tag and testcontainers-go
v0.42.0 (latest) still depends on it, so no bump is possible.

Add a documented .trivyignore entry and wire it into the FS scan via the
trivyignores input. Revisit when testcontainers-go migrates to moby/moby.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
@arumes31 arumes31 merged commit c1712e7 into main Jun 4, 2026
3 of 5 checks passed
@arumes31 arumes31 deleted the v2_test branch June 4, 2026 14:20
@coderabbitai

coderabbitai Bot commented Jun 4, 2026


📥 Commits

Reviewing files that changed from the base of the PR and between b7c6ab2 and cb4e944.

📒 Files selected for processing (2)
  • .github/workflows/daily-security-scan.yml
  • .trivyignore

Walkthrough

The PR configures Trivy's daily security scan to suppress a known CVE-2026-34040 vulnerability by adding a .trivyignore configuration file and updating the scan workflow to reference it. The CVE affects a test-only transitive dependency in Moby/Docker and includes documented rationale explaining it is not applicable to the production binary and cannot be remediated through dependency updates.

Changes

Trivy Security Scan Configuration

Layer / File(s): Trivy CVE-2026-34040 ignore configuration (.github/workflows/daily-security-scan.yml, .trivyignore)
Summary: The daily Trivy FS scan workflow now includes a trivyignores input referencing .trivyignore, which suppresses CVE-2026-34040 (Moby authorization bypass) with documented rationale that the vulnerability affects only Docker integration tests as a transitive dependency and cannot be fixed through version constraints.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

A rabbit hops through the security gates,
Trivy scans with care, but some alerts wait—
The Docker test fox won't reach production's domain,
So .trivyignore whispers, "Don't worry again!" 🐇✨

