From cb4e944224a9902d6e1f210e54a0a779bb016375 Mon Sep 17 00:00:00 2001
From: arumes31 <114224498+arumes31@users.noreply.github.com>
Date: Thu, 4 Jun 2026 16:19:24 +0200
Subject: [PATCH] ci: suppress unfixable test-only Trivy CVE-2026-34040

Trivy FS scan fails on github.com/docker/docker v28.5.2 (CVE-2026-34040, Moby authz-plugin bypass). It is a test-only transitive dep via testcontainers-go, not present in the production binary, and the app runs no docker daemon. The fix ships under github.com/moby/moby (Moby 29.3.1); the legacy docker/docker import path has no v29.x tag and testcontainers-go v0.42.0 (latest) still depends on it, so no bump is possible. Add a documented .trivyignore entry and wire it into the FS scan via the trivyignores input. Revisit when testcontainers-go migrates to moby/moby.

Co-Authored-By: Claude Opus 4.8
---
 .github/workflows/daily-security-scan.yml | 1 +
 .trivyignore | 21 +++++++++++++++++++++
 2 files changed, 22 insertions(+)
 create mode 100644 .trivyignore

diff --git a/.github/workflows/daily-security-scan.yml b/.github/workflows/daily-security-scan.yml
index 9518ed9..3abe8a6 100644
--- a/.github/workflows/daily-security-scan.yml
+++ b/.github/workflows/daily-security-scan.yml
@@ -23,5 +23,6 @@ jobs:
 format: 'table'
 exit-code: '1'
 ignore-unfixed: true
+ trivyignores: '.trivyignore'
 vuln-type: 'os,library'
 severity: 'CRITICAL,HIGH'
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..191f97a
--- /dev/null
+++ b/.trivyignore
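Review bot: Once `trivyignores: '.trivyignore'` is wired in, the daily job no longer shows that a HIGH/CRITICAL finding is being carried at all, so the "revisit" promise in the commit message has no trigger in the place people actually look. Trivy can list suppressed findings alongside the report (`--show-suppressed` on recent versions); if this action version exposes it through its `trivy-config` input, enabling it here keeps the accepted risk visible in every run — confirm against the pinned action version, which is outside this hunk. At minimum add a why-comment on the new line, e.g. `# per-finding rationale and revisit conditions live in .trivyignore`, since the rest of the `with:` block gives no hint that suppressions exist.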
@@ -0,0 +1,21 @@
+# Trivy vulnerability suppressions.
+#
+# Each entry must document WHY the finding is not applicable. Re-review on every
+# dependency bump and remove the entry once it can be resolved upstream.
+
+# CVE-2026-34040 — github.com/docker/docker (Moby authorization bypass)
+#
+# Not exploitable here and not fixable via a dependency bump:
+# * docker/docker is a TEST-ONLY transitive dependency, pulled in by
+# testcontainers-go (integration tests that only run under Docker and are
+# skipped on the application build and on Windows). It is not part of the
+# production blocklist-server binary.
+# * The CVE is a Moby *daemon* authz-plugin bypass. This project never runs a
+# docker daemon and uses no authz plugins; it only imports the client
+# library transitively.
+# * The fix (Moby 29.3.1) ships under the github.com/moby/moby module path.
+# The legacy github.com/docker/docker import path tops out at
+# v28.5.2+incompatible (no v29.x tag exists), and testcontainers-go v0.42.0
+# (latest) still depends on the legacy path, so there is no version to
+# bump to. Revisit when testcontainers-go migrates fully to moby/moby.
+CVE-2026-34040
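Review bot: The final `CVE-2026-34040` line is an unscoped, unexpiring suppression: it hides the ID for any package at any path, so if `github.com/docker/docker` ever becomes a direct production dependency, or a second vulnerable module is flagged under the same CVE, the scan stays green. The plain `.trivyignore` format accepts an expiry suffix, so write the revisit condition as something Trivy enforces, e.g. `CVE-2026-34040 exp:2026-09-30`, which makes the scan fail again on that date instead of relying on someone rereading this file. If scoping matters more than expiry, the YAML form (`.trivyignore.yaml`) lets an entry carry `paths:` and a `statement:` so the suppression is pinned to the test module rather than the whole tree. The "not part of the production binary" claim above is asserted, not checked; a `go mod why -m github.com/docker/docker` line or a `go version -m` check of the built artifact in CI would turn the rationale into something the next dependency bump re-verifies automatically.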