Update module github.com/aquasecurity/trivy to v0.70.0 #50263
renovate[bot] wants to merge 1 commit into main
PRApprover will approve and merge this PR, FAQ, #dx-source-code-management 🛠️ PRApproval Status
➡️ Current phase: CI tests failed. Please fix the failing tests to continue.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: db64ea6919
| github.com/acobaugh/osrelease v0.1.0 | ||
| github.com/alecthomas/units v0.0.0-20240927000941-0f3dac36c52b | ||
| github.com/aquasecurity/trivy v0.63.0 | ||
| github.com/aquasecurity/trivy v0.70.0 |
Bump the replaced Trivy fork with this version update
Updating github.com/aquasecurity/trivy to v0.70.0 here does not update the Trivy code we actually build, because go.mod still unconditionally replaces that module with github.com/DataDog/trivy v0.0.0-20260407220859-6cf8ddc1826c (line 1239). Since the replace target did not change, all builds continue using the same fork snapshot, so the expected fixes from the v0.70.0 upstream bump are not actually applied unless the fork reference is advanced too.
Useful? React with 👍 / 👎.
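The situation the review comment describes, as an added Go example (not code from this PR or the repository): a standard-library-only scan of go.mod text that reports `require` entries overridden by a `replace` directive, so a version bump on them changes nothing that is built. The `ShadowedRequires` helper, the `Shadow` type and the `example.com/agent` module name are assumptions; the module versions in the sample are the ones quoted on this page.

```go
package main

import (
	"fmt"
	"strings"
)

// Shadow is a require entry whose code really comes from a replace target.
type Shadow struct{ Module, Required, Target string }

// Constructed go.mod mirroring the review comment; the module name is made up.
const sampleGoMod = `module example.com/agent
require (
	github.com/acobaugh/osrelease v0.1.0
	github.com/aquasecurity/trivy v0.70.0
)
replace github.com/aquasecurity/trivy => github.com/DataDog/trivy v0.0.0-20260407220859-6cf8ddc1826c`

// ShadowedRequires (hypothetical helper) lists require entries that a replace
// directive overrides; a versioned left side only matches that exact version.
func ShadowedRequires(gomod string) (out []Shadow) {
	var reqs []Shadow
	block, replaced := "", map[string][2]string{} // module -> {left version, target}
	for _, line := range strings.Split(gomod, "\n") {
		f := strings.Fields(strings.SplitN(line, "//", 2)[0]) // strip comments
		switch {
		case len(f) == 0:
		case f[0] == ")":
			block = ""
		case len(f) == 2 && f[1] == "(":
			block = f[0]
		case (block == "require" || f[0] == "require") && len(f) >= 2:
			reqs = append(reqs, Shadow{Module: f[len(f)-2], Required: f[len(f)-1]})
		case block == "replace" || f[0] == "replace":
			rule := strings.TrimPrefix(strings.Join(f, " "), "replace ")
			if old, target, ok := strings.Cut(rule, " => "); ok {
				l := append(strings.Fields(old), "") // [module, version or ""]
				replaced[l[0]] = [2]string{l[1], target}
			}
		}
	}
	for _, s := range reqs {
		if r, ok := replaced[s.Module]; ok && (r[0] == "" || r[0] == s.Required) {
			out = append(out, Shadow{s.Module, s.Required, r[1]})
		}
	}
	return out
}

func main() { fmt.Println(ShadowedRequires(sampleGoMod)) }
```

In a real checkout, `go list -m -json <module>` reports the same override in its `Replace` field.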
Files inventory check summary
File checks results against ancestor bfe00b6f:
Results for datadog-agent_7.80.0~devel.git.424.db64ea6.pipeline.111031710-1_amd64.deb: No change detected
Static quality checks
✅ Please find below the results from static quality gates
30 successful checks with minimal change (< 2 KiB)
Regression Detector Results
Metrics dashboard
Baseline: 4e89908
Optimization Goals: ✅ Improvement(s) detected
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ✅ | docker_containers_cpu | % cpu utilization | -6.09 | [-8.94, -3.24] | 1 | Logs |
Fine details of change detection per experiment
| perf | experiment | goal | Δ mean % | Δ mean % CI | trials | links |
|---|---|---|---|---|---|---|
| ✅ | tcp_syslog_to_blackhole | ingress throughput | +22.90 | [+22.67, +23.12] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api | ingress throughput | +0.02 | [-0.18, +0.22] | 1 | Logs |
| ➖ | tcp_dd_logs_filter_exclude | ingress throughput | -0.00 | [-0.10, +0.10] | 1 | Logs |
| ➖ | uds_dogstatsd_to_api_v3 | ingress throughput | -0.01 | [-0.21, +0.19] | 1 | Logs |
| ➖ | file_to_blackhole_0ms_latency | egress throughput | -0.47 | [-1.13, +0.19] | 1 | Logs |
| ➖ | file_to_blackhole_100ms_latency | egress throughput | -0.48 | [-0.63, -0.33] | 1 | Logs |
| ➖ | file_to_blackhole_500ms_latency | egress throughput | -0.52 | [-0.93, -0.12] | 1 | Logs |
| ➖ | file_to_blackhole_1000ms_latency | egress throughput | -0.53 | [-0.95, -0.11] | 1 | Logs |
| ➖ | ddot_logs | memory utilization | -1.90 | [-1.97, -1.84] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulativetodelta_exporter | memory utilization | -2.08 | [-2.31, -1.85] | 1 | Logs |
| ➖ | docker_containers_memory | memory utilization | -2.22 | [-2.31, -2.12] | 1 | Logs |
| ➖ | ddot_metrics_sum_cumulative | memory utilization | -2.34 | [-2.50, -2.19] | 1 | Logs |
| ➖ | otlp_ingest_metrics | memory utilization | -2.99 | [-3.14, -2.84] | 1 | Logs |
| ➖ | quality_gate_idle_all_features | memory utilization | -3.02 | [-3.06, -2.98] | 1 | Logs bounds checks dashboard |
| ➖ | quality_gate_idle | memory utilization | -3.44 | [-3.49, -3.39] | 1 | Logs bounds checks dashboard |
| ➖ | uds_dogstatsd_20mb_12k_contexts_20_senders | memory utilization | -3.61 | [-3.66, -3.56] | 1 | Logs |
| ➖ | file_tree | memory utilization | -3.80 | [-3.85, -3.75] | 1 | Logs |
| ➖ | ddot_metrics | memory utilization | -3.81 | [-4.01, -3.62] | 1 | Logs |
| ➖ | otlp_ingest_logs | memory utilization | -3.95 | [-4.05, -3.84] | 1 | Logs |
| ➖ | ddot_metrics_sum_delta | memory utilization | -4.14 | [-4.32, -3.96] | 1 | Logs |
| ✅ | docker_containers_cpu | % cpu utilization | -6.09 | [-8.94, -3.24] | 1 | Logs |
| ✅ | quality_gate_metrics_logs | memory utilization | -8.88 | [-9.11, -8.65] | 1 | Logs bounds checks dashboard |
| ✅ | quality_gate_logs | % cpu utilization | -42.09 | [-42.88, -41.30] | 1 | Logs bounds checks dashboard |
Bounds Checks: ✅ Passed
| perf | experiment | bounds_check_name | replicates_passed | observed_value | links |
|---|---|---|---|---|---|
| ✅ | docker_containers_cpu | simple_check_run | 10/10 | 714 ≥ 26 | |
| ✅ | docker_containers_memory | memory_usage | 10/10 | 243.59MiB ≤ 370MiB | |
| ✅ | docker_containers_memory | simple_check_run | 10/10 | 694 ≥ 26 | |
| ✅ | file_to_blackhole_0ms_latency | memory_usage | 10/10 | 0.16GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_0ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_1000ms_latency | memory_usage | 10/10 | 0.21GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_1000ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_100ms_latency | memory_usage | 10/10 | 0.17GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_100ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | file_to_blackhole_500ms_latency | memory_usage | 10/10 | 0.19GiB ≤ 1.20GiB | |
| ✅ | file_to_blackhole_500ms_latency | missed_bytes | 10/10 | 0B = 0B | |
| ✅ | quality_gate_idle | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| ✅ | quality_gate_idle | memory_usage | 10/10 | 141.49MiB ≤ 147MiB | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | intake_connections | 10/10 | 3 ≤ 4 | bounds checks dashboard |
| ✅ | quality_gate_idle_all_features | memory_usage | 10/10 | 468.96MiB ≤ 495MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_logs | memory_usage | 10/10 | 174.76MiB ≤ 195MiB | bounds checks dashboard |
| ✅ | quality_gate_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | cpu_usage | 10/10 | 351.79 ≤ 2000 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | intake_connections | 10/10 | 4 ≤ 6 | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | memory_usage | 10/10 | 366.37MiB ≤ 430MiB | bounds checks dashboard |
| ✅ | quality_gate_metrics_logs | missed_bytes | 10/10 | 0B = 0B | bounds checks dashboard |
Explanation
Confidence level: 90.00%
Effect size tolerance: |Δ mean %| ≥ 5.00%
Performance changes are noted in the perf column of each table:
- ✅ = significantly better comparison variant performance
- ❌ = significantly worse comparison variant performance
- ➖ = no significant change in performance
A regression test is an A/B test of target performance in a repeatable rig, where "performance" is measured as "comparison variant minus baseline variant" for an optimization goal (e.g., ingress throughput). Due to intrinsic variability in measuring that goal, we can only estimate its mean value for each experiment; we report uncertainty in that value as a 90.00% confidence interval denoted "Δ mean % CI".
For each experiment, we decide whether a change in performance is a "regression" -- a change worth investigating further -- if all of the following criteria are true:
- Its estimated |Δ mean %| ≥ 5.00%, indicating the change is big enough to merit a closer look.
- Its 90.00% confidence interval "Δ mean % CI" does not contain zero, indicating that if our statistical model is accurate, there is at least a 90.00% chance there is a difference in performance between baseline and comparison variants.
- Its configuration does not mark it "erratic".
CI Pass/Fail Decision
✅ Passed. All Quality Gates passed.
- quality_gate_idle_all_features, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle_all_features, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_idle, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check cpu_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_metrics_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check missed_bytes: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check memory_usage: 10/10 replicas passed. Gate passed.
- quality_gate_logs, bounds check intake_connections: 10/10 replicas passed. Gate passed.
This PR contains the following updates:
v0.63.0 → v0.70.0
Release Notes
aquasecurity/trivy (github.com/aquasecurity/trivy)
v0.70.0
⚡ Highlights ⚡
👉 https://redirect.github.com/aquasecurity/trivy/discussions/10546
Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0700-2026-04-16
v0.69.3 (Compare Source)
Changelog
- 6fb20c8 release: v0.69.3 [release/v0.69] (#10293)
- dabefec fix(deps): bump github.com/go-git/go-git/v5 from 5.16.4 to 5.16.5 [backport: release/v0.69] (#10291)
v0.69.2 (Compare Source)
Changelog
- cfa322e release: v0.69.2 [release/v0.69] (#10266)
- 86debce fix(deps): bump go.opentelemetry.io/otel/sdk from 1.39.0 to 1.40.0 [backport: release/v0.69] (#10267)
- cf3d4cd fix(deps): bump github.com/cloudflare/circl from 1.6.1 to 1.6.3 [backport: release/v0.69] (#10264)
- 6dfd3b0 ci: remove apidiff workflow
v0.69.1 (Compare Source)
Changelog
- 123888b release: v0.69.1 [release/v0.69] (#10145)
- 29d3b06 ci: add composite action for Go setup [backport: release/v0.69] (#10150)
- 3b30cc7 fix(misconf): apply check aliases when filtering results via .trivyignore [backport: release/v0.69] (#10143)
- a8e279b chore(deps): bump to alpine:3.23.3 and go-1.25.6 to fix CVEs [backport: release/v0.69] (#10135)
v0.69.0 (Compare Source)
👉 Trivy v0.69.0 release notes (click here)
⬇️ Download Trivy
🐳 New Docker Install option
`docker pull get.trivy.dev/image/trivy:0.69.0`
Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0690-2026-01-30
v0.68.2 (Compare Source)
Changelog
- 0c40a8d release: v0.68.2 [release/v0.68] (#9950)
- db28945 fix(deps): bump alpine from `3.22.1` to `3.23.0` [backport: release/v0.68] (#9949)
v0.68.1 (Compare Source)
👉 Trivy v0.68.1 release notes (click here)
⬇️ Download Trivy
🐳 Docker Install
`docker pull get.trivy.dev/image/trivy:0.68.1`
Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0680-2025-12-02
v0.68.0 (Compare Source)
v0.67.2 (Compare Source)
Changelog
- 60c57ad release: v0.67.2 [release/v0.67] (#9639)
- f3ee80c fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow [backport: release/v0.67] (#9638)
v0.67.1 (Compare Source)
Changelog
- cbed239 release: v0.67.1 [release/v0.67] (#9614)
- 1a84093 fix: restore compatibility for google.protobuf.Value [backport: release/v0.67] (#9631)
- 3bc1490 fix: using SrcVersion instead of Version for echo detector [backport: release/v0.67] (#9629)
- 542eee7 fix: add `buildInfo` for `BlobInfo` in `rpc` package [backport: release/v0.67] (#9615)
- f65dd05 fix(vex): don't use reused BOM [backport: release/v0.67] (#9612)
v0.67.0 (Compare Source)
👉 Trivy v0.67.0 release notes (click here)
⬇️ Download Trivy
🐳 New Docker Install option
`docker pull get.trivy.dev/image/trivy:0.67.0`
Changelog
https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0670-2025-09-30
v0.66.0 (Compare Source)
👉 Trivy v.66.0 release notes (click here)
⬇️ Download Trivy
Full changelog
v0.65.0 (Compare Source)
👉 Trivy v.65.0 release notes (click here)
⬇️ Download Trivy
Full changelog
v0.64.1 (Compare Source)
Changelog
- 86ee3c1 release: v0.64.1 [release/v0.64] (#9122)
- 4e12722 fix(misconf): skip rewriting expr if attr is nil [backport: release/v0.64] (#9127)
- 9a7d384 fix(cli): Add more non-sensitive flags to telemetry [backport: release/v0.64] (#9124)
- 53adfba fix(rootio): check full version to detect `root.io` packages [backport: release/v0.64] (#9120)
- 8cf1bf9 fix(alma): parse epochs from rpmqa file [backport: release/v0.64] (#9119)
v0.64.0 (Compare Source)
👉 Trivy v.64.0 release notes (click here)
⬇️ Download Trivy
Full changelog
Configuration
📅 Schedule: (UTC)
- `* 0-4,22-23 * * 1-5`
- `* * * * 0,6`
🚦 Automerge: Disabled by config. Please merge this manually once you are satisfied.
♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.
🔕 Ignore: Close this PR and you won't be reminded about this update again.
This PR was generated by Mend Renovate. View the repository job log.