fix: support docker hardened images

[parker-snyk]

Pull Request Submission Checklist

• Follows CONTRIBUTING guidelines
• Commit messages are release-note ready, emphasizing what was changed, not how.
• Includes detailed description of changes
• Contains risk assessment (Low)
• Highlights breaking API changes (if applicable) n/a
• Links to automated tests covering new functionality
• Includes manual testing instructions (if necessary) n/a
• Updates relevant GitBook documentation (PR link: ___) n/a
• Includes product update to be announced in the next stable release notes

What does this PR do?

Updates snyk-docker-plugin to version 8.12.0 to add support for Docker Hardened Images (DHI) package identification. DHI packages now use the dhi namespace in their PURLs instead of the distro namespace (debian), allowing the vulnerability service to correctly match vulnerabilities to the package.

Example PURL change:

• Before: pkg:deb/debian/curl@7.88.1-10+deb12u8?distro=debian-bookworm
• After: pkg:deb/dhi/curl@7.88.1-10+deb12u8?distro=debian-bookworm

This prevents false positives from matching DHI's patched packages against vulnerability data for unpatched distro packages.

Where should the reviewer start?

1. Review the new acceptance tests in test/tap/cli-test/cli-test.docker-dhi.spec.ts to understand the expected behavior
2. Check the package.json dependency update for snyk-docker-plugin
3. Verify the tests validate that CLI correctly passes through DHI PURLs from the plugin to the backend

The actual DHI detection logic (parsing the Maintainer field from dpkg database) lives in snyk-docker-plugin - this PR just integrates that change.

What's the product update that needs to be communicated to CLI users?

The CLI now correctly identifies Docker Hardened Images (DHI) packages through snyk-docker-plugin. This prevents false positive vulnerability reports on DHI's patched packages. No action required from users - the detection happens automatically when scanning DHI containers.

Risk assessment (Low)?

Low

• Change is contained to snyk-docker-plugin dependency update
• DHI detection uses existing dpkg Maintainer field parsing
• Non-DHI images are unaffected
• CLI code doesn't change - it just passes through PURL data from the plugin

Any background context you want to provide?

Docker Hardened Images patches binaries in their container images to fix vulnerabilities. Without namespace differentiation, Snyk was incorrectly matching these patched packages against the standard distro vulnerability feed, causing false positives.

The vulnerability service maintains a separate feed for DHI packages, but needs the PURL namespace (dhi vs debian) to determine which feed to query.

What are the relevant tickets?

CN-488

snyk-docker-plugin diff

snyk/snyk-docker-plugin@v8.10.2...main
Only a few lines changed, the rest of the changes are test fixures and tests

[github-actions]

	Warnings
⚠️	Looks like you added a new Tap test. Consider making it a Jest test instead. See files in test/jest/(unit|acceptance) for examples. Files found: test/tap/cli-test/cli-test.docker-dhi.spec.ts

Generated by 🚫 dangerJS against c7a64ee

[j-luong]

@parker-snyk before merging, please can this be

• Rebased
• Commits squashed
• Update commit from feat: ... to fix: ... (if you want to include this in the next hotfix)

[github-actions]

Your PR has not had any activity for 30 days. In 2 days I'll close it. Make some activity to remove this.