From 2b32aeed8b20b08faf9c887e7f56aa8bb1cf2fc3 Mon Sep 17 00:00:00 2001 From: Andre Nogueira Date: Tue, 26 May 2026 10:07:41 +0100 Subject: [PATCH] fix(ci): ignore CVE-2026-34986 in transitive go-jose dep Trivy started failing the docker-validate job on a newly-published HIGH CVE in github.com/go-jose/go-jose/v3 v3.0.4, pulled in transitively by the caddy:alpine runtime image. Caddy itself uses go-jose v4 directly; v3 comes from some sub-dependency in its module graph and hasn't been bumped upstream yet. The affected JOSE code path is not exercised by serving static files, so the risk in our deployment is nil. .trivyignore is the right surgical knob here; drop the entry once Caddy ships an image with go-jose/v3 >= v3.0.5. Signed-off-by: Andre Nogueira --- .trivyignore | 8 ++++++++ 1 file changed, 8 insertions(+) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..a93fbeb --- /dev/null +++ b/.trivyignore @@ -0,0 +1,8 @@ +# Transitive dependency of caddy:alpine (the runtime image we use). +# Upstream Caddy has migrated its direct dependency to go-jose v4, but +# something still pulls v3.0.4 into the final binary. Tracking until +# Caddy releases an image with go-jose/v3 >= v3.0.5. +# +# Not exploitable in our deployment: the blog serves static files only; +# the JOSE code path is not reached at runtime. +CVE-2026-34986
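Review bot: The ignore entry on the last line of the hunk (`CVE-2026-34986`) has no expiry, even though the commit message says the entry should be dropped once Caddy ships an image with go-jose/v3 >= v3.0.5; bare ids in .trivyignore tend to outlive their rationale. Trivy accepts an expiration date on the same line (`CVE-2026-34986 exp:YYYY-MM-DD`), after which the finding fails the job again, which turns the "drop the entry later" intent into something the pipeline enforces rather than a reminder someone has to remember. Also note that a bare id suppresses this CVE for every target the docker-validate job scans, not only the transitive go-jose v3.0.4 in caddy:alpine, so if a first-party binary later picks up the same module version the finding would be hidden too; the comment block already records the "static files only, JOSE path not reached" reasoning, so it would be worth also adding a link to the upstream Caddy issue or the go-jose advisory being tracked, and re-checking that reasoning if the image ever grows beyond static file serving.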