chore: merge to main for release 2026_01

actions/DAST/cryptolyzer/action.yaml

@@ -42,7 +42,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_cryptolyzer.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/DAST/drheader/action.yaml

@@ -45,7 +45,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_drheader.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/DAST/zap/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners-zap:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners-zap:2026_01'
   entrypoint: '/entrypoints/entrypoint_zap.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SAST/bandit/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_bandit.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SAST/checkov/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_checkov.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SAST/eslint/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_eslint.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SAST/kics/action.yaml

@@ -50,7 +50,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_kics.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SAST/semgrep/action.yaml

@@ -50,7 +50,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_semgrep.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SAST/tfsec/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_tfsec.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SAST/trivy_config/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_trivy_config.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SCA/grype_image/action.yaml

@@ -45,7 +45,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_grype_image.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SCA/grype_sbom/action.yaml

@@ -45,7 +45,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_grype_sbom.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SCA/trivy_filesystem/action.yaml

@@ -50,7 +50,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_trivy_filesystem.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/SCA/trivy_image/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_trivy_image.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/check_security_gate/action.yaml

@@ -15,7 +15,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: 'check_security_gate.sh'
   env:
     SO_API_BASE_URL: ${{ inputs.so_api_base_url }}

actions/importer/action.yaml

@@ -41,7 +41,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: 'file_upload_observations.sh'
   env:
     SO_UPLOAD: ${{ inputs.so_upload }}

actions/secrets/gitleaks/action.yaml

@@ -42,7 +42,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_gitleaks.sh'
   env:
     REPORT_NAME: ${{ inputs.report_name }}

actions/secrets/trivy_filesystem_secrets/action.yaml

@@ -46,7 +46,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_trivy_filesystem_secrets.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/secrets/trivy_image_secrets/action.yaml

@@ -42,7 +42,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_trivy_image_secrets.sh'
   env:
     TARGET: ${{ inputs.target }}

actions/upload_observations/action.yaml

@@ -30,7 +30,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: 'file_upload_observations.sh'
   env:
     SO_API_BASE_URL: ${{ inputs.so_api_base_url }}

actions/upload_sbom/action.yaml

@@ -24,7 +24,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: 'file_upload_observations.sh'
   env:
     SO_API_BASE_URL: ${{ inputs.so_api_base_url }}

actions/vulnerability_scanner/action.yaml

@@ -12,7 +12,7 @@ inputs:
 
 runs:
   using: 'docker'
-  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2025_12'
+  image: 'docker://ghcr.io/secobserve/secobserve-scanners:2026_01'
   entrypoint: '/entrypoints/entrypoint_vulnerability_scanner.sh'
   env:
     SO_CONFIGURATION: ${{ inputs.so_configuration }}

docker/Dockerfile

@@ -12,9 +12,9 @@ COPY docker/requirements_checkov.txt .
 RUN pip wheel --wheel-dir /usr/src/app/wheels_checkov -r ./requirements_checkov.txt
 
 # Go build stage for KICS
-FROM golang:1.25.5-alpine AS go-build-stage
+FROM golang:1.25.6-alpine AS go-build-stage
 
-ARG KICS_VERSION=2.1.17
+ARG KICS_VERSION=2.1.19
 
 # Install kics from GitHub
 WORKDIR /usr/local/kics
@@ -27,9 +27,9 @@ RUN wget --no-verbose https://github.com/Checkmarx/kics/archive/refs/tags/v${KIC
 FROM python:3.13-alpine AS python-run-stage
 
 ARG GITLEAKS_VERSION=8.30.0
-ARG GRYPE_VERSION=0.104.2
-ARG KICS_VERSION=2.1.17
-ARG TRIVY_VERSION=0.68.1
+ARG GRYPE_VERSION=0.106.0
+ARG KICS_VERSION=2.1.19
+ARG TRIVY_VERSION=0.68.2
 ARG TFSEC_VERSION=1.28.14
 
 ARG CREATED

docker/requirements.txt

@@ -1,15 +1,15 @@
 # Bandit
 # ----------------------------------------------------------------
-bandit==1.9.2  # https://github.com/PyCQA/bandit
+bandit==1.9.3  # https://github.com/PyCQA/bandit
 bandit-sarif-formatter==1.1.1  # https://github.com/microsoft/bandit-sarif-formatter
 
 # Semgrep
 # ----------------------------------------------------------------
-semgrep==1.145.1  # https://github.com/returntocorp/semgrep
+semgrep==1.149.0  # https://github.com/returntocorp/semgrep
 
 # CryptoLyzer
 # ----------------------------------------------------------------
-CryptoLyzer==1.0.0  # https://gitlab.com/coroner/cryptolyzer
+CryptoLyzer==1.0.2  # https://gitlab.com/coroner/cryptolyzer
 
 # Importer
 # ----------------------------------------------------------------

docker/requirements_checkov.txt

@@ -1,3 +1,3 @@
 # Checkov
 # ----------------------------------------------------------------
-checkov==3.2.495  # https://github.com/bridgecrewio/checkov
+checkov==3.2.499  # https://github.com/bridgecrewio/checkov

templates/DAST/cryptolyzer.yml

@@ -1,6 +1,6 @@
 .cryptolyzer:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: post_deploy
   variables:
     GIT_STRATEGY: none

templates/DAST/drheader.yml

@@ -1,6 +1,6 @@
 .drheader:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: post_deploy
   variables:
     GIT_STRATEGY: none

templates/DAST/zap.yml

@@ -1,6 +1,6 @@
 .zap:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners-zap:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners-zap:2026_01
   stage: post_deploy
   variables:
     GIT_STRATEGY: none

templates/SAST/bandit.yml

@@ -1,6 +1,6 @@
 .bandit:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SAST/checkov.yml

@@ -1,6 +1,6 @@
 .checkov:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SAST/eslint.yml

@@ -1,6 +1,6 @@
 .eslint:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SAST/kics.yml

@@ -1,6 +1,6 @@
 .kics:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SAST/semgrep.yml

@@ -1,6 +1,6 @@
 .semgrep:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SAST/tfsec.yml

@@ -1,6 +1,6 @@
 .kics:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SAST/trivy_config.yml

@@ -1,6 +1,6 @@
 .kics:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SCA/grype_image.yml

@@ -1,6 +1,6 @@
 .grype_image:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     GIT_STRATEGY: none

templates/SCA/grype_sbom.yml

@@ -1,6 +1,6 @@
 .grype_image:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SCA/trivy_filesystem.yml

@@ -1,6 +1,6 @@
 .trivy_filesystem:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/SCA/trivy_image.yml

@@ -1,6 +1,6 @@
 .trivy_image:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     GIT_STRATEGY: none

templates/check_security_gate.yml

@@ -1,6 +1,6 @@
 .check_security_gate:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: post_test
   variables:
     GIT_STRATEGY: none

templates/importer.yml

@@ -1,6 +1,6 @@
 .importer:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: upload
   variables:
     GIT_STRATEGY: none

templates/secrets/gitleaks.yml

@@ -1,6 +1,6 @@
 .gitleaks:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/secrets/trivy_filesystem_secrets.yml

@@ -1,6 +1,6 @@
 .trivy_filesystem_secrets:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     FURTHER_PARAMETERS: ""

templates/secrets/trivy_image_secrets.yml

@@ -1,6 +1,6 @@
 .trivy_image_secrets:
   image:
-    name: ghcr.io/secobserve/secobserve-scanners:2025_12
+    name: ghcr.io/secobserve/secobserve-scanners:2026_01
   stage: test
   variables:
     GIT_STRATEGY: none