Checkmarx · cx-adar-zandberg · Mar 8, 2026 · Mar 8, 2026
diff --git a/.trivyignore b/.trivyignore
@@ -0,0 +1,13 @@
+# CVE-2019-25210: Helm displays secret values with --dry-run flag.
+# WONTFIX by Helm maintainers — this is expected behavior by design.
+# We do not use the --dry-run flag with helm in this project.
+# Ref: https://nvd.nist.gov/vuln/detail/CVE-2019-25210
+CVE-2019-25210
+
+# CVE-2025-27144: DoS in go-jose v2 parsing (excessive memory via crafted JWT).
+# Transitive dependency from k8s.io/apiserver — no v2 patch exists (only v3/v4 patched).
+# This module does NOT use go-jose v2: `go mod why -m` confirms it is not needed.
+# It only appears in the module graph because k8s.io/apiserver lists it in its go.mod.
+# The vulnerable code is never compiled into our binary.
+# Ref: https://github.com/go-jose/go-jose/security/advisories/GHSA-c6gw-w398-hv78
+CVE-2025-27144
diff --git a/VULNERABILITY_FIXES.md b/VULNERABILITY_FIXES.md
diff --git a/go.mod b/go.mod
@@ -287,7 +287,10 @@ require (
 )
 
 replace (
-	github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.4
+	github.com/containerd/containerd/v2 => github.com/containerd/containerd/v2 v2.1.5
+	github.com/go-git/go-git/v5 => github.com/go-git/go-git/v5 v5.16.5
+	github.com/open-policy-agent/opa => github.com/open-policy-agent/opa v1.14.0
 	github.com/opencontainers/runc => github.com/opencontainers/runc v1.3.3
+	github.com/sigstore/sigstore => github.com/sigstore/sigstore v1.10.4
 	google.golang.org/protobuf => google.golang.org/protobuf v1.33.0
 )
diff --git a/go.sum b/go.sum
@@ -366,8 +366,8 @@ github.com/go-git/go-billy/v5 v5.6.2 h1:6Q86EsPXMa7c3YZ3aLAQsMA0VlWmy43r6FHqa/UN
 github.com/go-git/go-billy/v5 v5.6.2/go.mod h1:rcFC2rAsp/erv7CMz9GczHcuD0D32fWzH+MJAU+jaUU=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399 h1:eMje31YglSBqCdIqdhKBW8lokaMrL3uTkpGYlE2OOT4=
 github.com/go-git/go-git-fixtures/v4 v4.3.2-0.20231010084843-55a94097c399/go.mod h1:1OCfN199q1Jm3HZlxleg+Dw/mwps2Wbk9frAWm+4FII=
-github.com/go-git/go-git/v5 v5.14.0 h1:/MD3lCrGjCen5WfEAzKg00MJJffKhC8gzS80ycmCi60=
-github.com/go-git/go-git/v5 v5.14.0/go.mod h1:Z5Xhoia5PcWA3NF8vRLURn9E5FRhSl7dGj9ItW3Wk5k=
+github.com/go-git/go-git/v5 v5.16.5 h1:mdkuqblwr57kVfXri5TTH+nMFLNUxIj9Z7F5ykFbw5s=
+github.com/go-git/go-git/v5 v5.16.5/go.mod h1:QOMLpNf1qxuSY4StA/ArOdfFR2TrKEjJiye2kel2m+M=
 github.com/go-gl/glfw v0.0.0-20190409004039-e6da0acd62b1/go.mod h1:vR7hzQXu2zJy9AVAgeJqvqgH9Q5CA+iKCZ2gyEVpxRU=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20191125211704-12ad95a8df72/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=
 github.com/go-gl/glfw/v3.3/glfw v0.0.0-20200222043503-6f7a984d4dc4/go.mod h1:tQ2UAYgL5IevRw8kRxooKSPJfGvJ9fJQFa0TUsXzTg8=