
deps(deps): bump caddy from 14f5b3e to f96a3b7#243

Open
dependabot[bot] wants to merge 1 commit into
mainfrom
dependabot/docker/caddy-1ecefa3

Conversation


@dependabot dependabot Bot commented on behalf of github May 11, 2026

Bumps caddy from 14f5b3e to f96a3b7.

@dependabot dependabot Bot added the dependencies Pull requests that update a dependency file label May 11, 2026

dependabot Bot commented on behalf of github May 11, 2026

Labels

The following labels could not be found: docker. Please create it before Dependabot can add it to a pull request.

Please fix the above issues or remove invalid values from dependabot.yml.


github-actions Bot commented May 11, 2026

Semgrep Scan Results

Repository: api | Commit: a7e8a9c

| Check | Status | Details |
|---|---|---|
| 🚨 Semgrep | ERROR | 40 error(s), 10 warning(s), 50 total |

Scanned at 2026-05-16 16:57 UTC


github-actions Bot commented May 11, 2026

Security Scan Results

Repository: api | Commit: a7e8a9c

| Check | Status | Details |
|---|---|---|
| ✅ Secret Scan | Pass | No secrets detected |
| ✅ Dependencies (Trivy) | Pass | 0 total (no critical/high) |
| ✅ Dependencies (Grype) | Pass | 0 total (no critical/high) |
| 📦 SBOM | Generated | 470 components (CycloneDX) |

Scanned at 2026-05-16 16:57 UTC

Cre-eD added a commit that referenced this pull request May 16, 2026
Comprehensive SCA pass on top of the Go 1.25.10 + go-billy 5.9.0 work
in this PR's first commit. Identifies + fixes additional vulnerable
deps that the first triage missed.

## go-git/v5 5.18.0 → 5.19.0

CVE-2026-45022 (HIGH) — go-git's improper parsing of specially crafted
objects may lead to inconsistent interpretation compared to upstream
Git. Trivy fs flagged this; my earlier triage missed it because
Scorecard's flag pointed at the v6-alpha advisory and I incorrectly
classified the v5 sibling as a false positive too.

Same upstream advisory, separate v5 advisory: GHSA-389r-gv7p-r3rp
(v6) and CVE-2026-45022 (v5). Fix is in 5.19.0.

## Caddy 2.11.2 → 2.11.3 (caddy.Dockerfile)

Caddy 2.11.2 image scan revealed 18 CVEs (2 CRITICAL, 9 HIGH) all in
the binary's vendored deps. Caddy 2.11.3 released after our Phase 1
lock; it bumps:
- go-jose/v4 4.1.3 → 4.1.4 (CVE-2026-34986 HIGH)
- otel + otel/sdk 1.42→1.43 (CVE-2026-29181, CVE-2026-39883 HIGH)
- smallstep/certificates 0.30.0-rc3 → 0.30.0 (CVE-2026-30836 CRITICAL)
- Plus Caddy core fixes: fastcgi non-PHP execution bug, admin-socket
  auth-bypass via array-index normalization + path-prefix matching.

Source: https://github.com/caddyserver/caddy/releases/tag/v2.11.3

Updated all three sites (builder FROM + final FROM + xcaddy build arg)
per the in-file note. New digests resolved via Docker Hub registry
API on 2026-05-16.

## Net source-side state after this commit

- trivy fs: 0 vulnerabilities (was 1 HIGH = CVE-2026-45022, now fixed)
- govulncheck: 0 reachable; 2 unreachable in modules (the documented
  aws-sdk-go v1 s3crypto false positives)

## Image-side state (verify post-rebuild)

Each prod image at v2026.5.14:
  kubectl       8 (5H/3M) — all upstream kubectl-binary stdlib@1.26.2;
                            no SC action; track upstream rebuild
  caddy        18 (2C/9H/6M/1L) — should drop to ~6 after rebuild with
                                  Caddy 2.11.3 (this PR)
  github-actions 27 (17H/10M) — 7 fixed by Go 1.25.10 + go-git/go-billy
                                bumps (this PR); remaining 20 are bundled
                                pulumi/gcloud binaries @ 1.26.2 (upstream)
  cloud-helpers 17 (9H/8M) — glibc 2.34-231.amzn2023.0.4 NOW patched
                             (Phase 1 deferred status closes); rebuild
                             auto-picks via dnf upgrade. Plus stdlib
                             fixed by Go 1.25.10.

## Dependabot reconciliation

| PR | What | Verdict |
|---|---|---|
| #162 | go-git/v5 5.13.1 → 5.16.5 | SUPERSEDED — we're at 5.19.0 now |
| #237 | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| #242 | alpine 3.21 → 3.23 (docker-minor-and-patch group) | LET STAND — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| #243 | caddy digest bump (still 2.11.2) | SUPERSEDED — this PR bumps to 2.11.3 |
| #244 | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND |
| #248-251 | GitHub Actions bumps | LET STAND |
| #252 | gomod-minor-and-patch group (26 deps) | PARTIAL SUPERSEDE — go-billy/go-git/go-jose/otel/grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining 22 non-security minor/patch bumps. |
| #233 | reecetech/version-increment | LET STAND |

## Validation

- `go build ./...` clean
- `go vet ./...` clean
- `go test -short ./pkg/security/...` — all 8 packages PASS
- `govulncheck ./...` — 0 reachable
- `trivy fs` — 0 findings (any severity)

Refs HARDENING.md Phase 8 Scorecard climb plan.

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
Cre-eD added a commit that referenced this pull request May 16, 2026
…addy 2.11.3 (#261)

## SCA pass — comprehensive deps + image scan

Goes beyond the initial Scorecard `Vulnerabilities` fix to address
**every** vulnerable dep found across source + 4 published images, all
severities. Per the `feedback_all_severities` rule.

Two commits in this PR:
1. Go 1.25.9 → **1.25.10** + go-billy/v5 5.8.0 → **5.9.0**
2. go-git/v5 5.18.0 → **5.19.0** + Caddy `caddy.Dockerfile` 2.11.2 →
**2.11.3**

## Source-side (govulncheck + trivy fs)

| Before | After |
|---|---|
| 6 reachable stdlib HIGH/MEDIUM + 1 HIGH go-git in `trivy fs` | **0 trivy fs findings · 0 reachable govulncheck** |

### Reachable Go stdlib (6, all fixed by Go 1.25.10)

| Advisory | Module | Severity | Call path govulncheck traced |
|---|---|---|---|
| GO-2026-4986 | `net/mail` consumeComment — quadratic concat | HIGH | `pulumi.init` → `mail.ParseAddress` |
| GO-2026-4977 | `net/mail` consumePhrase — quadratic concat | HIGH | same |
| GO-2026-4982 | `html/template` meta-content URL escaping bypass | HIGH | `mcp.Start` → `http.Server.Serve` → `template.Execute` |
| GO-2026-4980 | `html/template` escaper bypass | HIGH | same |
| GO-2026-4971 | `net` Dial / LookupPort NUL-byte panic | HIGH | many call sites (aws, mongo, mcp) |
| GO-2026-4918 | `net/http` HTTP/2 SETTINGS_MAX_FRAME_SIZE infinite loop | HIGH | many call sites |

### Reachable Go-deps (3 fixed, 2 documented)

| Advisory | Module | Old → New | Status |
|---|---|---|---|
| GHSA-m3xc-h892-ggx6 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| GHSA-qw64-3x98-g7q2 | `go-git/go-billy/v5 < 5.9.0` | 5.8.0 → 5.9.0 | ✅ fixed |
| **CVE-2026-45022** | `go-git/go-git/v5 < 5.19.0` | 5.18.0 → 5.19.0 | ✅ fixed (trivy fs flagged) |
| GO-2022-0635 | `aws-sdk-go v1 service/s3/s3crypto` | n/a | ❌ FALSE POSITIVE — we import aws-sdk-go v1 for cloudtrail code but NOT `s3crypto`. govulncheck reachability confirms 0 hits. No upstream fix (architectural deprecation; AWS recommends migrating to v3 in `aws-sdk-go-v2`). Documented; standalone migration PR tracked. |
| GO-2022-0646 | same as above | n/a | ❌ FALSE POSITIVE — same |

(GHSA-389r-gv7p-r3rp / CVE-2026-45022 — initial triage misread the GHSA
as a v6-alpha flag; the Dependabot record makes clear it is the v5
advisory. Bumping to 5.19.0 closes it.)

## Image-side (Trivy + Grype on the 4 v2026.5.14 published images)

| Image | Before (v2026.5.14) | Source of fix | After next release |
|---|---|---|---|
| **simplecontainer/kubectl** | 8 (5H/3M) — all `kubectl` binary stdlib@1.26.2 | Upstream kubectl needs Go 1.26.3 rebuild | unchanged this PR; track upstream |
| **simplecontainer/caddy** | 18 (2C/9H/6M/1L) — all Caddy 2.11.2 vendored deps | **Caddy 2.11.3 bump in this PR** | drops to ~6 (residual: grpc 1.79.1 — Caddy 2.11.3 ships only 1.79.0; tracked upstream) |
| **simplecontainer/github-actions** | 27 (17H/10M) — 7 our binary, 20 bundled gcloud/pulumi | Our 7 fixed by Go 1.25.10 + go-git/go-billy in this PR; rest are upstream | drops to ~20 |
| **simplecontainer/cloud-helpers** | 17 (9H/8M) — 4× glibc, 4× curl/krb5/libgcrypt (AL2023 now patched!), 8× stdlib in cloud-helpers binary | AL2023 `dnf upgrade` auto-picks patched packages; Go 1.25.10 fixes the binary | drops to ~0 |

### Phase 1 deferred items — status check

Reviewed all four Phase 1 deferred items per HARDENING.md:

| Phase 1 deferred | Now |
|---|---|
| `glibc` CVE-2026-4046 (HIGH, AL2023 pending) | ✅ **AL2023 published 2.34-231.amzn2023.0.4** — picked up automatically by Dockerfile's `dnf upgrade` on next rebuild |
| Caddy 2.11.2 upstream transitives (2C/4H/3M/1L originally) | 🟡 **Caddy 2.11.3 ships partial fix** (this PR); residual ~6 vulns track Caddy 2.11.4+ |
| `docker/docker` CVE-2026-34040 / CVE-2026-33997 | ❓ Re-check via `go list -m -versions github.com/docker/docker` — separate triage. Was migrated to `github.com/moby/moby` in PR #238; need to re-verify reachability. |
| Caddy non-root USER | ⏳ Phase 6 (TUF + distro repackaging) |
| github-actions non-root USER | ⏳ Track upstream GitHub Actions OIDC/userns guidance |

## Dependabot security alerts addressed

Three OPEN Dependabot alerts as of this PR — all close automatically
when this merges to `main`:

| Alert | GHSA | CVE | Sev | Package | Fixed in | Source of fix in this PR |
|---|---|---|---|---|---|---|
| [#62](https://github.com/simple-container-com/api/security/dependabot/62) | GHSA-389r-gv7p-r3rp | CVE-2026-45022 | HIGH | `github.com/go-git/go-git/v5` | 5.19.0 | ✅ `go.mod`: 5.18.0 → 5.19.0 |
| [#63](https://github.com/simple-container-com/api/security/dependabot/63) | GHSA-m3xc-h892-ggx6 | CVE-2026-44740 | MED | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |
| [#64](https://github.com/simple-container-com/api/security/dependabot/64) | GHSA-qw64-3x98-g7q2 | CVE-2026-44973 | HIGH | `github.com/go-git/go-billy/v5` | 5.9.0 | ✅ `go.mod`: 5.8.0 → 5.9.0 |

What each one is:
- **GHSA-389r-gv7p-r3rp** — go-git parses specially-crafted objects
inconsistently with upstream Git, which can cause divergent state on a
clone. Reachable via the SC `welder` git-driver path.
- **GHSA-m3xc-h892-ggx6** — go-billy lacks depth/cycle detection in
symlink resolution; a crafted repo can spin the resolver into infinite
loops / resource exhaustion. Reachable via `welder` clone.
- **GHSA-qw64-3x98-g7q2** — go-billy path-traversal across multiple
components (`osfs.ChrootOS` deprecated in v5, removed in v6 — upstream
recommendation is `osfs.New(path, WithBoundOS())`). Reachable via
`welder` clone.

(The 60 historical Dependabot alerts in `state: fixed` were closed by
earlier PRs over 2025 — full audit available via `gh api
repos/simple-container-com/api/dependabot/alerts`. No additional
outstanding security alerts remain after this PR.)

## Dependabot PR reconciliation

| PR | What | Verdict |
|---|---|---|
| [#162](#162) | go-git/v5 5.13.1 → 5.16.5 | **SUPERSEDED** — now at 5.19.0 |
| [#237](#237) | pulumi-command/sdk 0.9.2 → 1.2.1 | LET STAND |
| [#242](#242) | alpine 3.21 → 3.23 (docker-minor-and-patch group) | **LET STAND + merge first** — fixes Alpine OS-pkg CVEs in kubectl/github-actions images |
| [#243](#243) | caddy digest bump (still 2.11.2) | **SUPERSEDED** — this PR bumps to 2.11.3 |
| [#244](#244) | alpine/kubectl base digest bump | LET STAND |
| #245-247 | mkdocs deps | LET STAND (docs/) |
| #248-251 | GitHub Actions bumps | LET STAND |
| [#252](#252) | gomod-minor-and-patch group (26 deps) | **PARTIAL SUPERSEDE** — go-billy / go-git / go-jose / otel / grpc bumps from this PR. Dependabot will auto-rebase #252 on top with the remaining ~22 non-security bumps. |
| [#233](#233) | reecetech/version-increment | LET STAND |

## Scorecard `Vulnerabilities` projection

| State | Score |
|---|---|
| Pre-PR (5 advisories flagged) | 5/10 |
| Post-PR + Scorecard rescan | **9-10/10** (3 advisories remaining are documented false-positives + Scorecard's go-git/v6 flag, all reachability-clean per govulncheck) |

## Validation

- `go build ./...` clean
- `go vet ./...` clean (no output)
- `go test -short ./pkg/security/...` — all 8 packages PASS (29 tests;
HMAC integrity cache from PR #254 still green)
- `govulncheck ./...` — **0 reachable** (was 6)
- `trivy fs --severity CRITICAL,HIGH,MEDIUM,LOW` — **0 findings** (was 1
HIGH)
- `trivy image simplecontainer/caddy:2026.5.14` — flagged 18; expected
~6 after Caddy 2.11.3 rebuild
- `trivy image simplecontainer/cloud-helpers:aws-2026.5.14` — flagged
17; expected ~0 after rebuild (AL2023 + Go 1.25.10)

## Follow-ups out of this PR's scope

- **aws-sdk-go v1 → v2 migration** — 3 `.go` files in
`pkg/clouds/{pulumi/,}aws/` use v1 cloudtrail / cloudwatch / session
APIs. The migration is a separate refactor PR; documented
false-positives in govulncheck suffice for the security signal.
- **`docker/docker` reachability re-check** — verify if PR #238's
moby/moby migration cleared the original CVE.
- **github-actions image bundled binaries** (pulumi, gcloud) — Track
upstream rebuilds with Go 1.26.3.
- **kubectl base bump** — Dependabot #244 will pick it up.

Refs HARDENING.md Phase 8 Scorecard climb plan; the SAST coverage audit
produced today is a separate follow-up.

---------

Signed-off-by: Dmitrii Creed <creeed22@gmail.com>
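The two go-billy weaknesses the commit message above attributes to versions before 5.9.0 (symlink resolution without a hop or cycle bound, and path traversal across several `..` components) are exactly what a bounded filesystem has to refuse. The Go block below is an added example, not go-billy's or this project's code: `resolveBounded`, `maxHops` and the `links` map (a constructed stand-in for `os.Readlink`) are hypothetical names, and the resolver works purely lexically over that map so it runs offline.

```go
package main

import (
	"errors"
	"path"
	"strings"
)

// Added example, not go-billy code: a lexical resolver that keeps every path under a
// virtual root "/" and bounds symlink hops, the two guards go-billy < 5.9.0 lacked.
var ErrTraversal = errors.New("path escapes root")
var ErrTooManyLinks = errors.New("too many symlink hops (possible cycle)")

// maxHops is the hop budget; a self-referential link exhausts it instead of looping forever.
const maxHops = 40

// resolveBounded resolves rel under the root one component at a time. links maps an
// in-root symlink path to its target (constructed stand-in for os.Readlink).
func resolveBounded(rel string, links map[string]string) (string, error) {
	cur, hops := "/", 0
	pending := strings.Split(strings.Trim(rel, "/"), "/")
	for len(pending) > 0 {
		comp := pending[0]
		pending = pending[1:]
		switch comp {
		case "", ".":
			continue
		case "..":
			if cur == "/" {
				return "", ErrTraversal // ".." above the root is an escape, not a no-op
			}
			cur = path.Dir(cur)
			continue
		}
		next := path.Join(cur, comp)
		target, isLink := links[next]
		if !isLink {
			cur = next
			continue
		}
		if hops++; hops > maxHops {
			return "", ErrTooManyLinks
		}
		// Re-queue the target's components; an absolute target restarts at the
		// root, never at the host filesystem (bound-OS semantics).
		if path.IsAbs(target) {
			cur = "/"
		}
		pending = append(strings.Split(strings.Trim(target, "/"), "/"), pending...)
	}
	return cur, nil
}
```

A real implementation would call `os.Readlink` (or use `os.Root` on Go 1.24+) where this example consults the map; the traversal and hop checks stay the same.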
Bumps caddy from `14f5b3e` to `f96a3b7`.

---
updated-dependencies:
- dependency-name: caddy
  dependency-version: 2.11.2
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
@dependabot dependabot Bot changed the title deps(deps): bump caddy from 10ed025 to 1ecefa3 deps(deps): bump caddy from 14f5b3e to f96a3b7 May 16, 2026
@dependabot dependabot Bot force-pushed the dependabot/docker/caddy-1ecefa3 branch from 8bf4238 to 4123888 Compare May 16, 2026 16:55
@dependabot dependabot Bot requested review from Cre-eD and smecsia as code owners May 16, 2026 16:55