chore: upgrade trivy to v0.69.3 with GOEXPERIMENT=jsonv2

[olegsu]

Summary

• Upgrades github.com/aquasecurity/trivy from v0.66.0 to v0.69.3
• Adds GOEXPERIMENT=jsonv2 to all build paths — required because trivy v0.67+ imports Go's experimental encoding/json/v2 packages which are only available at compile time when this flag is set
• Removes transitive dependency on deprecated AWS SDK v1 (github.com/aws/aws-sdk-go v1.55.8) which was previously pulled in by trivy v0.66.0
• Co-upgrades 22 transitive dependencies (trivy-checks, trivy-db, opa v1.8→v1.11, helm v3.18→v3.19, k8s.io v0.33→v0.34, kustomize v0.19→v0.20, and others)

Why GOEXPERIMENT=jsonv2 is needed

Starting with trivy v0.67.0, trivy uses encoding/json/v2 (Go's experimental next-gen JSON library) via github.com/aquasecurity/trivy/pkg/x/json. Without GOEXPERIMENT=jsonv2 set at compile time, any go build that imports trivy fails with:

build constraints exclude all Go files in .../encoding/json/jsontext

Go 1.26.1 (already in use) satisfies the Go ≥ 1.25 requirement, but the flag is still required as encoding/json/v2 remains experimental.

Files changed

File	Change
go.mod / go.sum	Bumped trivy + transitive deps
magefile.go	args.Env["GOEXPERIMENT"] = "jsonv2" in Build() and GolangCrossBuild()
.buildkite/scripts/package.sh	export GOEXPERIMENT=jsonv2 after hermit activation
.github/workflows/packaging.yml	Added to top-level env:
.github/workflows/ci-pull_request.yml	New top-level env: block
.github/workflows/binary-size-monitor.yml	Added to env:
.github/workflows/eks-ci.yml	Added to env:
.github/actions/docker-images/action.yml	Added to Build cloudbeat binary step env:
justfile	Inline GOEXPERIMENT=jsonv2 on go build in build-binary and build-cloudbeat-debug

Test plan

• GOEXPERIMENT=jsonv2 go build ./... — clean
• GOEXPERIMENT=jsonv2 go vet ./... — clean
• go mod verify — all modules verified
• TestVulnerabilityWorker_Run — PASS
• Full go test ./... (will run in CI)
• Packaging CI (packaging.yml) validates cross-build path
• Watch first Buildkite DRA pipeline on merge to confirm golang-crossbuild containers work

See trivy-upgrade-report.md for the full analysis including DRA process breakdown.

🤖 Generated with Claude Code

[mergify]

This pull request does not have a backport label. Could you fix it @olegsu? 🙏
To fixup this pull request, you need to add the backport labels for the needed
branches, such as:

• backport-v./d./d./d is the label to automatically backport to the 8./d branch. /d is the digit
• backport-active-all is the label that automatically backports to all active branches.
• backport-active-8 is the label that automatically backports to all active minor branches for the 8 major.
• backport-active-9 is the label that automatically backports to all active minor branches for the 9 major.

[mergify]

Caution

The updated Mergify configuration is adding new deprecated fields:

• pull_request_rules → actions → delete_head_branch
• pull_request_rules → actions → delete_head_branch

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b cloudbeat-trivy-upgrade upstream/cloudbeat-trivy-upgrade
git merge upstream/main
git push upstream cloudbeat-trivy-upgrade

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b cloudbeat-trivy-upgrade upstream/cloudbeat-trivy-upgrade
git merge upstream/main
git push upstream cloudbeat-trivy-upgrade

[olegsu]

Update: created an environment with the changes from this PR,so far I dont see any unexpected logs
@gurevichdmitry

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b cloudbeat-trivy-upgrade upstream/cloudbeat-trivy-upgrade
git merge upstream/main
git push upstream cloudbeat-trivy-upgrade

[mergify]

This pull request is now in conflicts. Could you fix it? 🙏
To fixup this pull request, you can check out it locally. See documentation: https://help.github.com/articles/checking-out-pull-requests-locally/

git fetch upstream
git checkout -b cloudbeat-trivy-upgrade upstream/cloudbeat-trivy-upgrade
git merge upstream/main
git push upstream cloudbeat-trivy-upgrade

[olegsu]

@Mergifyio backport 9.4

[mergify]

backport 9.4

✅ Backports have been created

Details

• #5907 [9.4](backport #4380) chore: upgrade trivy to v0.69.3 with GOEXPERIMENT=jsonv2 has been created for branch 9.4 but encountered conflicts

Cherry-pick of cfd61d8 has failed:

On branch mergify/bp/9.4/pr-4380
Your branch is up to date with 'origin/9.4'.

You are currently cherry-picking commit cfd61d8f.
  (fix conflicts and run "git cherry-pick --continue")
  (use "git cherry-pick --skip" to skip this patch)
  (use "git cherry-pick --abort" to cancel the cherry-pick operation)

Changes to be committed:
	modified:   .buildkite/scripts/package.sh
	modified:   .github/actions/docker-images/action.yml
	modified:   .github/workflows/binary-size-monitor.yml
	modified:   .github/workflows/ci-pull_request.yml
	modified:   .github/workflows/eks-ci.yml
	modified:   .github/workflows/packaging.yml
	modified:   justfile
	modified:   magefile.go

Unmerged paths:
  (use "git add <file>..." to mark resolution)
	both modified:   go.mod
	both modified:   go.sum

To fix up this pull request, you can check it out locally. See documentation: https://docs.github.com/en/pull-requests/collaborating-with-pull-requests/reviewing-changes-in-pull-requests/checking-out-pull-requests-locally