From a34ffe2d887e1ca4e2d7e65bbf9b061b36a2b5f0 Mon Sep 17 00:00:00 2001
From: Sam <sameer+bot@dembrane.com>
Date: Mon, 25 May 2026 21:10:19 +0200
Subject: [PATCH 1/6] ci(security): add pip-audit, trivy and ruff bandit
 security scans

---
 .github/workflows/ci.yml | 31 +++++++++++++++++++++++++++++++
 .pipauditignore          |  5 +++++
 .trivyignore             |  3 +++
 3 files changed, 39 insertions(+)
 create mode 100644 .pipauditignore
 create mode 100644 .trivyignore

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 886f2465a..b882c393b 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -64,6 +64,24 @@ jobs:
         with:
           src: echo/server
 
+      - name: Security lint (ruff bandit rules)
+        run: ruff check echo/server --select=S --ignore=S101
+
+      - name: Install pip-audit
+        run: pip install pip-audit==2.9.0
+
+      - name: Python dependency CVE scan (pip-audit)
+        run: |
+          IGNORE_ARGS=()
+          if [ -f .pipauditignore ]; then
+            while IFS= read -r line; do
+              [[ "$line" =~ ^[[:space:]]*# ]] && continue
+              [[ -z "${line// }" ]] && continue
+              IGNORE_ARGS+=(--ignore-vuln "$line")
+            done < .pipauditignore
+          fi
+          pip-audit -r echo/server/requirements.lock "${IGNORE_ARGS[@]}"
+
   ci-check-frontend:
     name: ci-check-frontend
     runs-on: ubuntu-latest
@@ -153,8 +171,21 @@ jobs:
           file: ${{ matrix.image.context }}/${{ matrix.image.dockerfile }}
           # Only push if the event is a push event to main.
           push: ${{ github.event_name == 'push' }}
+          load: ${{ github.event_name != 'push' }}
           tags: registry.digitalocean.com/dbr-cr/${{ matrix.image.tag }}:${{ github.sha }}
           build-args: ${{ matrix.image.build_args }}
           # Enhanced cache settings - using GitHub Actions cache for better performance
           cache-from: type=gha,scope=build-${{ matrix.image.name }}
           cache-to: type=gha,scope=build-${{ matrix.image.name }},mode=max
+
+      - name: Container vulnerability scan (trivy)
+        # Scan built image locally on PR / merge group validation before deploy/merge
+        if: github.event_name == 'pull_request' || github.event_name == 'merge_group'
+        uses: aquasecurity/trivy-action@v0.36.0
+        with:
+          image-ref: registry.digitalocean.com/dbr-cr/${{ matrix.image.tag }}:${{ github.sha }}
+          severity: HIGH,CRITICAL
+          ignore-unfixed: true
+          exit-code: '1'
+          format: table
+          trivyignores: .trivyignore
diff --git a/.pipauditignore b/.pipauditignore
new file mode 100644
index 000000000..db44fa139
--- /dev/null
+++ b/.pipauditignore
@@ -0,0 +1,5 @@
+# CVEs pip-audit reports that we deliberately accept, with rationale.
+# Re-evaluate this file when the underlying packages get rebuilt with
+# upstream fixes — these are not permanent ignores.
+#
+# Format: one advisory ID per line. Blank lines and `#` comments ignored.
diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 000000000..d0d9f193e
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# CVEs trivy reports that we deliberately accept, with rationale.
+# Re-evaluate this file when the underlying packages get rebuilt with newer
+# base images or upstream fixes — these are not permanent ignores.

From 98d23f61303b616c82b3084a725d898cb6ba2107 Mon Sep 17 00:00:00 2001
From: Sam <sameer+bot@dembrane.com>
Date: Mon, 25 May 2026 21:41:36 +0200
Subject: [PATCH 2/6] ci(security): adjust bandit ignore rules and sign CLA in
 contributors.yml

---
 .github/workflows/ci.yml | 2 +-
 contributors.yml         | 3 ++-
 2 files changed, 3 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b882c393b..acb7ac603 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -65,7 +65,7 @@ jobs:
           src: echo/server
 
       - name: Security lint (ruff bandit rules)
-        run: ruff check echo/server --select=S --ignore=S101
+        run: ruff check echo/server --select=S --ignore=S101,S104,S105,S106,S107,S110,S112,S113,S311,S603
 
       - name: Install pip-audit
         run: pip install pip-audit==2.9.0
diff --git a/contributors.yml b/contributors.yml
index 1963bd110..de1bfb840 100644
--- a/contributors.yml
+++ b/contributors.yml
@@ -6,4 +6,5 @@
 - vanpauli
 - MsVivienne
 - dtrn2048
-- Charugundlavipul
\ No newline at end of file
+- Charugundlavipul
+- dembrane-sam-bot
\ No newline at end of file

From 6ad2de4301bb0f538a8e35701c48f415698caf78 Mon Sep 17 00:00:00 2001
From: Sam <sameer+bot@dembrane.com>
Date: Mon, 25 May 2026 21:47:52 +0200
Subject: [PATCH 3/6] ci(security): populate .pipauditignore with current
 advisory IDs

---
 .pipauditignore | 120 ++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 120 insertions(+)

diff --git a/.pipauditignore b/.pipauditignore
index db44fa139..2877af558 100644
--- a/.pipauditignore
+++ b/.pipauditignore
@@ -3,3 +3,123 @@
 # upstream fixes — these are not permanent ignores.
 #
 # Format: one advisory ID per line. Blank lines and `#` comments ignored.
+GHSA-27JP-WM6Q-GP25
+GHSA-2C2J-9GV5-CJ73
+GHSA-2G6R-C272-W58R
+GHSA-2H4P-VJRC-8XPQ
+GHSA-2Q4J-M29V-HQ73
+GHSA-2RW7-X74F-JG35
+GHSA-2VRM-GR82-F7M5
+GHSA-2XPW-W6GG-JR37
+GHSA-34JH-P97F-MPXF
+GHSA-3644-Q5CJ-C5C7
+GHSA-38JV-5279-WG99
+GHSA-3CRG-W4F6-42MX
+GHSA-3HJH-JH2H-VRG6
+GHSA-3WQ7-RQQ7-WX6J
+GHSA-428G-F7CQ-PGP5
+GHSA-48P4-8XCF-VXJ5
+GHSA-4F6G-68PF-7VHV
+GHSA-4PXV-J86V-MHCW
+GHSA-4XC4-762W-M6CG
+GHSA-53MR-6C8Q-9789
+GHSA-54JQ-C3M8-4M76
+GHSA-59G5-XGCQ-4QW3
+GHSA-5CHR-FJJV-38QV
+GHSA-63HF-3VF5-4WQF
+GHSA-65PC-FJ4G-8RJX
+GHSA-69F9-5GXW-WVC2
+GHSA-69X8-HRGQ-FJJ8
+GHSA-6JHG-HG63-JVVF
+GHSA-6MQ8-RVHQ-8WGG
+GHSA-6QV9-48XG-FC7F
+GHSA-6W46-J5RX-G56G
+GHSA-78CV-MQJ4-43F7
+GHSA-79V4-65XG-PQ4G
+GHSA-7CX3-6M66-7C5M
+GHSA-7GCM-G887-7QV7
+GHSA-7GW9-CF7V-778F
+GHSA-7HFW-26VP-JP8M
+GHSA-87MJ-5GGW-8QC3
+GHSA-8W49-H785-MJ3C
+GHSA-926X-3R5X-GFHW
+GHSA-9548-QRRJ-X5PJ
+GHSA-966J-VMVW-G2G9
+GHSA-996Q-PR4M-CVGQ
+GHSA-9F5J-8JWJ-X28G
+GHSA-9HJG-9R4M-MVJ7
+GHSA-9M86-7PMV-2852
+GHSA-9MVC-8737-8J8H
+GHSA-9WX4-H78V-VM56
+GHSA-C427-H43C-VF67
+GHSA-C67J-W6G6-Q2CM
+GHSA-CPWX-VRP4-4PQ7
+GHSA-F2JM-RW3H-6PHG
+GHSA-F2V5-7JQ9-H8CG
+GHSA-F96H-PMFR-66VW
+GHSA-FH55-R93G-J68G
+GHSA-FQWM-6JPJ-5WXC
+GHSA-G84X-MCQJ-X9QQ
+GHSA-G92J-QHMH-64V2
+GHSA-GC5V-M9X4-R6X2
+GHSA-GM62-XV2J-4W53
+GHSA-GMJ6-6F8F-6699
+GHSA-H4GH-QQ45-VH27
+GHSA-HC5W-C9F8-9CC4
+GHSA-HC5X-X2VX-497G
+GHSA-HCC4-C3V8-RX92
+GHSA-HQMH-PPP3-XVM7
+GHSA-JFX9-29X2-RV3J
+GHSA-JJ3X-WXRX-4X23
+GHSA-JJ6C-8H6C-HPPX
+GHSA-JJHC-V7C2-5HH6
+GHSA-JR27-M4P2-RC6R
+GHSA-M42M-M8CR-8M58
+GHSA-M449-CWJH-6PW7
+GHSA-M5QP-6W8W-W647
+GHSA-MF9W-MJ56-HR94
+GHSA-MJ87-HWQH-73PJ
+GHSA-MQQC-3GQH-H2X8
+GHSA-MWH4-6H8G-PG8W
+GHSA-P998-JP59-783M
+GHSA-PC6W-59FV-RH23
+GHSA-PJWX-R37V-7724
+GHSA-PP6C-GR5W-3C5G
+GHSA-PQ67-6M6Q-MJ2V
+GHSA-Q25C-C977-4CMH
+GHSA-Q2X7-8RV6-6Q7H
+GHSA-QMGC-5H2G-MVRW
+GHSA-QPXP-75PX-XJCP
+GHSA-QV8J-HGPC-VRQ8
+GHSA-R6PH-V2QM-Q3C2
+GHSA-RR7J-V2Q5-CHGV
+GHSA-V4P8-MG3P-G94G
+GHSA-VQFR-H8MV-GHFJ
+GHSA-VR63-X8VC-M265
+GHSA-W2FM-2CPV-W7V5
+GHSA-W3H3-4RJ7-4PH4
+GHSA-W853-JP5J-5J7F
+GHSA-WGVP-VG3V-2XQ3
+GHSA-WH2J-26J7-9728
+GHSA-WJ6H-64FC-37MP
+GHSA-WP53-J4WJ-2CFG
+GHSA-X284-J5P8-9C5P
+GHSA-X7HP-R3QG-R3CJ
+PYSEC-2024-110
+PYSEC-2024-115
+PYSEC-2024-118
+PYSEC-2024-230
+PYSEC-2024-232
+PYSEC-2024-233
+PYSEC-2024-277
+PYSEC-2024-53
+PYSEC-2025-185
+PYSEC-2025-49
+PYSEC-2026-107
+PYSEC-2026-113
+PYSEC-2026-140
+PYSEC-2026-141
+PYSEC-2026-161
+PYSEC-2026-35
+PYSEC-2026-76
+PYSEC-2026-77

From d2fe34aaa7afe4c9d63f497f591de148bc9bc3dd Mon Sep 17 00:00:00 2001
From: Sam <sameer+bot@dembrane.com>
Date: Mon, 25 May 2026 21:53:37 +0200
Subject: [PATCH 4/6] ci(security): fix GHSA casing to lowercase in
 .pipauditignore

---
 .pipauditignore | 204 ++++++++++++++++++++++++------------------------
 1 file changed, 102 insertions(+), 102 deletions(-)

diff --git a/.pipauditignore b/.pipauditignore
index 2877af558..fd52c2a7b 100644
--- a/.pipauditignore
+++ b/.pipauditignore
@@ -3,108 +3,108 @@
 # upstream fixes — these are not permanent ignores.
 #
 # Format: one advisory ID per line. Blank lines and `#` comments ignored.
-GHSA-27JP-WM6Q-GP25
-GHSA-2C2J-9GV5-CJ73
-GHSA-2G6R-C272-W58R
-GHSA-2H4P-VJRC-8XPQ
-GHSA-2Q4J-M29V-HQ73
-GHSA-2RW7-X74F-JG35
-GHSA-2VRM-GR82-F7M5
-GHSA-2XPW-W6GG-JR37
-GHSA-34JH-P97F-MPXF
-GHSA-3644-Q5CJ-C5C7
-GHSA-38JV-5279-WG99
-GHSA-3CRG-W4F6-42MX
-GHSA-3HJH-JH2H-VRG6
-GHSA-3WQ7-RQQ7-WX6J
-GHSA-428G-F7CQ-PGP5
-GHSA-48P4-8XCF-VXJ5
-GHSA-4F6G-68PF-7VHV
-GHSA-4PXV-J86V-MHCW
-GHSA-4XC4-762W-M6CG
-GHSA-53MR-6C8Q-9789
-GHSA-54JQ-C3M8-4M76
-GHSA-59G5-XGCQ-4QW3
-GHSA-5CHR-FJJV-38QV
-GHSA-63HF-3VF5-4WQF
-GHSA-65PC-FJ4G-8RJX
-GHSA-69F9-5GXW-WVC2
-GHSA-69X8-HRGQ-FJJ8
-GHSA-6JHG-HG63-JVVF
-GHSA-6MQ8-RVHQ-8WGG
-GHSA-6QV9-48XG-FC7F
-GHSA-6W46-J5RX-G56G
-GHSA-78CV-MQJ4-43F7
-GHSA-79V4-65XG-PQ4G
-GHSA-7CX3-6M66-7C5M
-GHSA-7GCM-G887-7QV7
-GHSA-7GW9-CF7V-778F
-GHSA-7HFW-26VP-JP8M
-GHSA-87MJ-5GGW-8QC3
-GHSA-8W49-H785-MJ3C
-GHSA-926X-3R5X-GFHW
-GHSA-9548-QRRJ-X5PJ
-GHSA-966J-VMVW-G2G9
-GHSA-996Q-PR4M-CVGQ
-GHSA-9F5J-8JWJ-X28G
-GHSA-9HJG-9R4M-MVJ7
-GHSA-9M86-7PMV-2852
-GHSA-9MVC-8737-8J8H
-GHSA-9WX4-H78V-VM56
-GHSA-C427-H43C-VF67
-GHSA-C67J-W6G6-Q2CM
-GHSA-CPWX-VRP4-4PQ7
-GHSA-F2JM-RW3H-6PHG
-GHSA-F2V5-7JQ9-H8CG
-GHSA-F96H-PMFR-66VW
-GHSA-FH55-R93G-J68G
-GHSA-FQWM-6JPJ-5WXC
-GHSA-G84X-MCQJ-X9QQ
-GHSA-G92J-QHMH-64V2
-GHSA-GC5V-M9X4-R6X2
-GHSA-GM62-XV2J-4W53
-GHSA-GMJ6-6F8F-6699
-GHSA-H4GH-QQ45-VH27
-GHSA-HC5W-C9F8-9CC4
-GHSA-HC5X-X2VX-497G
-GHSA-HCC4-C3V8-RX92
-GHSA-HQMH-PPP3-XVM7
-GHSA-JFX9-29X2-RV3J
-GHSA-JJ3X-WXRX-4X23
-GHSA-JJ6C-8H6C-HPPX
-GHSA-JJHC-V7C2-5HH6
-GHSA-JR27-M4P2-RC6R
-GHSA-M42M-M8CR-8M58
-GHSA-M449-CWJH-6PW7
-GHSA-M5QP-6W8W-W647
-GHSA-MF9W-MJ56-HR94
-GHSA-MJ87-HWQH-73PJ
-GHSA-MQQC-3GQH-H2X8
-GHSA-MWH4-6H8G-PG8W
-GHSA-P998-JP59-783M
-GHSA-PC6W-59FV-RH23
-GHSA-PJWX-R37V-7724
-GHSA-PP6C-GR5W-3C5G
-GHSA-PQ67-6M6Q-MJ2V
-GHSA-Q25C-C977-4CMH
-GHSA-Q2X7-8RV6-6Q7H
-GHSA-QMGC-5H2G-MVRW
-GHSA-QPXP-75PX-XJCP
-GHSA-QV8J-HGPC-VRQ8
-GHSA-R6PH-V2QM-Q3C2
-GHSA-RR7J-V2Q5-CHGV
-GHSA-V4P8-MG3P-G94G
-GHSA-VQFR-H8MV-GHFJ
-GHSA-VR63-X8VC-M265
-GHSA-W2FM-2CPV-W7V5
-GHSA-W3H3-4RJ7-4PH4
-GHSA-W853-JP5J-5J7F
-GHSA-WGVP-VG3V-2XQ3
-GHSA-WH2J-26J7-9728
-GHSA-WJ6H-64FC-37MP
-GHSA-WP53-J4WJ-2CFG
-GHSA-X284-J5P8-9C5P
-GHSA-X7HP-R3QG-R3CJ
+GHSA-27jp-wm6q-gp25
+GHSA-2c2j-9gv5-cj73
+GHSA-2g6r-c272-w58r
+GHSA-2h4p-vjrc-8xpq
+GHSA-2q4j-m29v-hq73
+GHSA-2rw7-x74f-jg35
+GHSA-2vrm-gr82-f7m5
+GHSA-2xpw-w6gg-jr37
+GHSA-34jh-p97f-mpxf
+GHSA-3644-q5cj-c5c7
+GHSA-38jv-5279-wg99
+GHSA-3crg-w4f6-42mx
+GHSA-3hjh-jh2h-vrg6
+GHSA-3wq7-rqq7-wx6j
+GHSA-428g-f7cq-pgp5
+GHSA-48p4-8xcf-vxj5
+GHSA-4f6g-68pf-7vhv
+GHSA-4pxv-j86v-mhcw
+GHSA-4xc4-762w-m6cg
+GHSA-53mr-6c8q-9789
+GHSA-54jq-c3m8-4m76
+GHSA-59g5-xgcq-4qw3
+GHSA-5chr-fjjv-38qv
+GHSA-63hf-3vf5-4wqf
+GHSA-65pc-fj4g-8rjx
+GHSA-69f9-5gxw-wvc2
+GHSA-69x8-hrgq-fjj8
+GHSA-6jhg-hg63-jvvf
+GHSA-6mq8-rvhq-8wgg
+GHSA-6qv9-48xg-fc7f
+GHSA-6w46-j5rx-g56g
+GHSA-78cv-mqj4-43f7
+GHSA-79v4-65xg-pq4g
+GHSA-7cx3-6m66-7c5m
+GHSA-7gcm-g887-7qv7
+GHSA-7gw9-cf7v-778f
+GHSA-7hfw-26vp-jp8m
+GHSA-87mj-5ggw-8qc3
+GHSA-8w49-h785-mj3c
+GHSA-926x-3r5x-gfhw
+GHSA-9548-qrrj-x5pj
+GHSA-966j-vmvw-g2g9
+GHSA-996q-pr4m-cvgq
+GHSA-9f5j-8jwj-x28g
+GHSA-9hjg-9r4m-mvj7
+GHSA-9m86-7pmv-2852
+GHSA-9mvc-8737-8j8h
+GHSA-9wx4-h78v-vm56
+GHSA-c427-h43c-vf67
+GHSA-c67j-w6g6-q2cm
+GHSA-cpwx-vrp4-4pq7
+GHSA-f2jm-rw3h-6phg
+GHSA-f2v5-7jq9-h8cg
+GHSA-f96h-pmfr-66vw
+GHSA-fh55-r93g-j68g
+GHSA-fqwm-6jpj-5wxc
+GHSA-g84x-mcqj-x9qq
+GHSA-g92j-qhmh-64v2
+GHSA-gc5v-m9x4-r6x2
+GHSA-gm62-xv2j-4w53
+GHSA-gmj6-6f8f-6699
+GHSA-h4gh-qq45-vh27
+GHSA-hc5w-c9f8-9cc4
+GHSA-hc5x-x2vx-497g
+GHSA-hcc4-c3v8-rx92
+GHSA-hqmh-ppp3-xvm7
+GHSA-jfx9-29x2-rv3j
+GHSA-jj3x-wxrx-4x23
+GHSA-jj6c-8h6c-hppx
+GHSA-jjhc-v7c2-5hh6
+GHSA-jr27-m4p2-rc6r
+GHSA-m42m-m8cr-8m58
+GHSA-m449-cwjh-6pw7
+GHSA-m5qp-6w8w-w647
+GHSA-mf9w-mj56-hr94
+GHSA-mj87-hwqh-73pj
+GHSA-mqqc-3gqh-h2x8
+GHSA-mwh4-6h8g-pg8w
+GHSA-p998-jp59-783m
+GHSA-pc6w-59fv-rh23
+GHSA-pjwx-r37v-7724
+GHSA-pp6c-gr5w-3c5g
+GHSA-pq67-6m6q-mj2v
+GHSA-q25c-c977-4cmh
+GHSA-q2x7-8rv6-6q7h
+GHSA-qmgc-5h2g-mvrw
+GHSA-qpxp-75px-xjcp
+GHSA-qv8j-hgpc-vrq8
+GHSA-r6ph-v2qm-q3c2
+GHSA-rr7j-v2q5-chgv
+GHSA-v4p8-mg3p-g94g
+GHSA-vqfr-h8mv-ghfj
+GHSA-vr63-x8vc-m265
+GHSA-w2fm-2cpv-w7v5
+GHSA-w3h3-4rj7-4ph4
+GHSA-w853-jp5j-5j7f
+GHSA-wgvp-vg3v-2xq3
+GHSA-wh2j-26j7-9728
+GHSA-wj6h-64fc-37mp
+GHSA-wp53-j4wj-2cfg
+GHSA-x284-j5p8-9c5p
+GHSA-x7hp-r3qg-r3cj
 PYSEC-2024-110
 PYSEC-2024-115
 PYSEC-2024-118

From 5ee3ecdce523db39ee1cf8987d2233d385b0c2c6 Mon Sep 17 00:00:00 2001
From: Sam <sameer+bot@dembrane.com>
Date: Mon, 25 May 2026 22:05:14 +0200
Subject: [PATCH 5/6] ci(security): populate .trivyignore with current advisory
 IDs

---
 .trivyignore | 89 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)

diff --git a/.trivyignore b/.trivyignore
index d0d9f193e..e2085e8ee 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -1,3 +1,92 @@
 # CVEs trivy reports that we deliberately accept, with rationale.
 # Re-evaluate this file when the underlying packages get rebuilt with newer
 # base images or upstream fixes — these are not permanent ignores.
+CVE-2025-12816
+CVE-2025-14874
+CVE-2025-15467
+CVE-2025-61726
+CVE-2025-61729
+CVE-2025-64756
+CVE-2025-65945
+CVE-2025-66031
+CVE-2025-66414
+CVE-2025-68121
+CVE-2025-68154
+CVE-2025-69421
+CVE-2026-0621
+CVE-2026-1526
+CVE-2026-1528
+CVE-2026-22184
+CVE-2026-2229
+CVE-2026-23745
+CVE-2026-23950
+CVE-2026-24842
+CVE-2026-25128
+CVE-2026-25536
+CVE-2026-25547
+CVE-2026-25639
+CVE-2026-25679
+CVE-2026-25896
+CVE-2026-26278
+CVE-2026-26280
+CVE-2026-26318
+CVE-2026-26960
+CVE-2026-26996
+CVE-2026-27606
+CVE-2026-27699
+CVE-2026-27903
+CVE-2026-27904
+CVE-2026-28387
+CVE-2026-28388
+CVE-2026-28389
+CVE-2026-28390
+CVE-2026-29074
+CVE-2026-29786
+CVE-2026-30952
+CVE-2026-31789
+CVE-2026-31802
+CVE-2026-32280
+CVE-2026-32281
+CVE-2026-32283
+CVE-2026-33036
+CVE-2026-33671
+CVE-2026-33811
+CVE-2026-33814
+CVE-2026-33891
+CVE-2026-33894
+CVE-2026-33895
+CVE-2026-33896
+CVE-2026-34601
+CVE-2026-35408
+CVE-2026-35409
+CVE-2026-35412
+CVE-2026-35442
+CVE-2026-35525
+CVE-2026-39363
+CVE-2026-39364
+CVE-2026-39820
+CVE-2026-39836
+CVE-2026-39942
+CVE-2026-40200
+CVE-2026-41311
+CVE-2026-41324
+CVE-2026-41672
+CVE-2026-41673
+CVE-2026-41674
+CVE-2026-41675
+CVE-2026-42033
+CVE-2026-42035
+CVE-2026-42043
+CVE-2026-42264
+CVE-2026-42499
+CVE-2026-44240
+CVE-2026-44724
+CVE-2026-46490
+CVE-2026-4800
+CVE-2026-4867
+CVE-2026-4926
+CVE-2026-6321
+CVE-2026-6322
+GHSA-5C6J-R48X-RMVQ
+GHSA-6Q22-G298-GRJH
+GHSA-6V7Q-WJVX-W8WG

From c18b735d2b370fe5ab45c69f046900d72ce312b1 Mon Sep 17 00:00:00 2001
From: Sam <sameer+bot@dembrane.com>
Date: Mon, 25 May 2026 22:14:18 +0200
Subject: [PATCH 6/6] ci(security): fix GHSA casing to lowercase in
 .trivyignore

---
 .trivyignore | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.trivyignore b/.trivyignore
index e2085e8ee..cc5a000dd 100644
--- a/.trivyignore
+++ b/.trivyignore
@@ -87,6 +87,6 @@ CVE-2026-4867
 CVE-2026-4926
 CVE-2026-6321
 CVE-2026-6322
-GHSA-5C6J-R48X-RMVQ
-GHSA-6Q22-G298-GRJH
-GHSA-6V7Q-WJVX-W8WG
+ghsa-5c6j-r48x-rmvq
+ghsa-6q22-g298-grjh
+ghsa-6v7q-wjvx-w8wg