Dependency Dashboard

[renovate]

This issue lists Renovate updates and detected dependencies. Read the Dependency Dashboard docs to learn more.
View this repository on the Mend.io Web Portal.

Config Migration Needed

• Select this checkbox to let Renovate create an automated Config Migration PR.

Rate-Limited

The following updates are currently rate-limited. To force their creation now, click on a checkbox below.

• deps:chore - update dependency go to 1.26
• deps:chore - update module github.com/bmatcuk/doublestar/v4 to v4.10.0
• deps:chore - update module github.com/briandowns/spinner to v1.23.2
• deps:chore - update module github.com/go-enry/go-enry/v2 to v2.9.6
• deps:chore - update module github.com/google/uuid to v1.6.0
• deps:chore - update module github.com/iancoleman/strcase to v0.3.0
• deps:chore - update module github.com/magefile/mage to v1.17.2
• deps:chore - update module github.com/opencontainers/image-spec to v1.1.1
• deps:chore - update module github.com/sirupsen/logrus to v1.9.4
• deps:chore - update module github.com/spf13/cobra to v1.10.2
• deps:chore - update module github.com/spf13/viper to v1.21.0
• deps:chore - update module github.com/stretchr/testify to v1.11.1
• deps:chore - update php Docker tag to v8.5
• deps:chore - update ruby Docker tag to v3.4
• deps:chore - update actions/checkout action to v6
• deps:chore - update actions/setup-go action to v6
• deps:chore - update azul/zulu-openjdk-alpine Docker tag to v25
• deps:chore - update crazy-max/ghaction-import-gpg action to v7
• deps:chore - update dev-drprasad/delete-tag-and-release action to v1
• deps:chore - update docker Docker tag to v29
• deps:chore - update docker/build-push-action action to v7
• deps:chore - update docker/login-action action to v4
• deps:chore - update docker/setup-buildx-action action to v4
• deps:chore - update docker/setup-qemu-action action to v4
• deps:chore - update EndBug/add-and-commit action to v10
• deps:chore - update goreleaser/goreleaser-action action to v7
• deps:chore - update mcr.microsoft.com/dotnet/sdk Docker tag to v10
• deps:chore - update module github.com/docker/docker to v28
• deps:chore - update module github.com/onsi/ginkgo to v2
• deps:chore - update Node.js to v24
• deps:chore - update ruby Docker tag to v4
• deps:chore - update softprops/action-gh-release action to v3
• 🔐 Create all rate-limited PRs at once 🔐

---

Warning

Renovate failed to look up the following dependencies: Failed to look up github-tags package ZupIT/zup-dco-validator: no-result.

Files affected: .github/workflows/dco.yaml

---

Open

The following updates have all been created. To force a retry/rebase of any, click on a checkbox below.

• deps:chore - update github.com/gocarina/gocsv digest to c264028
• deps:chore - update azul/zulu-openjdk-alpine Docker tag to v17.0.19
• deps:chore - update module github.com/docker/docker to v20.10.27+incompatible
• deps:chore - update module github.com/spf13/pflag to v1.0.10
• deps:chore - update module github.com/ZupIT/horusec-engine to v1.0.2
• deps:chore - update alpine Docker tag to v3.23.4
• deps:chore - update elixir Docker tag to v1.19
• deps:chore - update golang Docker tag
• deps:chore - update module github.com/onsi/gomega to v1.41.0
• deps:chore - update zricethezav/gitleaks Docker tag to v8.30.1
• Click on this checkbox to rebase all open PRs at once

Detected Dependencies

dockerfile (15)

deployments/Dockerfile (2)

• golang 1.17-alpine → [Updates: 1.26-alpine]
• docker 20.10-dind → [Updates: 29.5-dind]

deployments/Dockerfile-gorelease-amd64 (1)

• horuszup/docker-amd64 20.10-git

deployments/Dockerfile-gorelease-arm64 (1)

• horuszup/docker-arm64 20.10-git

internal/services/formatters/c/deployments/Dockerfile (1)

• python 3.10.4-alpine3.14

internal/services/formatters/csharp/deployments/Dockerfile (1)

• mcr.microsoft.com/dotnet/sdk 6.0-alpine → [Updates: 10.0-alpine]

internal/services/formatters/elixir/deployments/Dockerfile (1)

• elixir 1.13-alpine → [Updates: 1.19-alpine]

internal/services/formatters/generic/deployments/Dockerfile (2)

• azul/zulu-openjdk-alpine 17 → [Updates: 17.0.19, 25.0.3]
• python 3.10.4-alpine3.14

internal/services/formatters/go/deployments/Dockerfile (1)

• golang 1.17.8-alpine → [Updates: 1.26.3-alpine]

internal/services/formatters/hcl/deployments/Dockerfile (1)

• python 3.10.4-alpine3.14

internal/services/formatters/javascript/deployments/Dockerfile (1)

• node 17.6.0-alpine → [Updates: 24.16.0-alpine]

internal/services/formatters/leaks/deployments/Dockerfile (1)

• zricethezav/gitleaks v8.8.7 → [Updates: v8.30.1]

internal/services/formatters/php/deployments/Dockerfile (1)

• php 8.1-alpine → [Updates: 8.5-alpine]

internal/services/formatters/python/deployments/Dockerfile (1)

• python 3.10.4-alpine3.14

internal/services/formatters/ruby/deployments/Dockerfile (1)

• ruby 3.1-alpine → [Updates: 3.4-alpine, 4.0-alpine]

internal/services/formatters/shell/deployments/Dockerfile (1)

• alpine 3.16.0 → [Updates: 3.23.4]

github-actions (26)

.github/workflows/build.yaml (4)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• goreleaser/goreleaser-action v2 → [Updates: v7]
• go 1.17 → [Updates: 1.26]

.github/workflows/coverage.yml (3)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• go 1.17 → [Updates: 1.26]

.github/workflows/dco.yaml (1)

• ZupIT/zup-dco-validator v1.1

.github/workflows/deploy-cli-language.yml (4)

• actions/setup-go v3 → [Updates: v6]
• actions/checkout v3 → [Updates: v6]
• EndBug/add-and-commit v8 → [Updates: v10]
• go 1.17 → [Updates: 1.26]

.github/workflows/e2e.yml (3)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• docker-practice/actions-setup-docker v1

.github/workflows/go-tidy.yml (3)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• go 1.17 → [Updates: 1.26]

.github/workflows/license.yaml (3)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• go 1.17 → [Updates: 1.26]

.github/workflows/lint.yml (3)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• go 1.17 → [Updates: 1.26]

.github/workflows/release-alpha.yml (12)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• docker/login-action v1 → [Updates: v4]
• docker/setup-buildx-action v1 → [Updates: v4]
• docker/setup-qemu-action v1 → [Updates: v4]
• sigstore/cosign-installer main
• crazy-max/ghaction-import-gpg v4 → [Updates: v7]
• docker/build-push-action v3 → [Updates: v7]
• goreleaser/goreleaser-action v2 → [Updates: v7]
• dev-drprasad/delete-tag-and-release v0.2.1 → [Updates: v1.1]
• softprops/action-gh-release v1 → [Updates: v3]
• go 1.17 → [Updates: 1.26]

.github/workflows/release-beta.yml (7)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• docker/login-action v1 → [Updates: v4]
• sigstore/cosign-installer main
• crazy-max/ghaction-import-gpg v4 → [Updates: v7]
• goreleaser/goreleaser-action v2 → [Updates: v7]
• go 1.17 → [Updates: 1.26]

.github/workflows/release-final.yml (7)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• docker/login-action v1 → [Updates: v4]
• sigstore/cosign-installer main
• crazy-max/ghaction-import-gpg v4 → [Updates: v7]
• goreleaser/goreleaser-action v2 → [Updates: v7]
• go 1.17 → [Updates: 1.26]

.github/workflows/release-rc.yml (7)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• docker/login-action v1 → [Updates: v4]
• sigstore/cosign-installer main
• crazy-max/ghaction-import-gpg v4 → [Updates: v7]
• goreleaser/goreleaser-action v2 → [Updates: v7]
• go 1.17 → [Updates: 1.26]

.github/workflows/security.yml (1)

• actions/checkout v3 → [Updates: v6]

.github/workflows/test.yml (3)

• actions/checkout v3 → [Updates: v6]
• actions/setup-go v3 → [Updates: v6]
• docker-practice/actions-setup-docker v1

.github/workflows/update-horusec-c.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-csharp.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-elixir.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-generic.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-go.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-hcl.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-js.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-leaks.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-php.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-python.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-ruby.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

.github/workflows/update-horusec-shell.yml (4)

• actions/checkout v3 → [Updates: v6]
• sigstore/cosign-installer main
• docker/login-action v1 → [Updates: v4]
• docker/build-push-action v3 → [Updates: v7]

gomod (1)

go.mod (21)

• go 1.17
• github.com/ZupIT/horusec-devkit v1.0.24
• github.com/ZupIT/horusec-engine v1.0.1 → [Updates: v1.0.2]
• github.com/bmatcuk/doublestar/v4 v4.0.2 → [Updates: v4.10.0]
• github.com/briandowns/spinner v1.18.0 → [Updates: v1.23.2]
• github.com/docker/docker v20.10.9+incompatible → [Updates: v20.10.27+incompatible, v28.5.2+incompatible]
• github.com/go-enry/go-enry/v2 v2.8.2 → [Updates: v2.9.6]
• github.com/go-ozzo/ozzo-validation/v4 v4.3.0
• github.com/gocarina/gocsv v0.0.0-20220304222734-caabc5f00d30@caabc5f00d30 → [Updates: v0.0.0-20260523204920-c264028e67ea]
• github.com/google/uuid v1.3.0 → [Updates: v1.6.0]
• github.com/iancoleman/strcase v0.2.0 → [Updates: v0.3.0]
• github.com/magefile/mage v1.13.0 → [Updates: v1.17.2]
• github.com/manifoldco/promptui v0.9.0
• github.com/onsi/ginkgo v1.16.5 → [Updates: v2.29.0]
• github.com/onsi/gomega v1.18.1 → [Updates: v1.41.0]
• github.com/opencontainers/image-spec v1.0.2 → [Updates: v1.1.1]
• github.com/sirupsen/logrus v1.8.1 → [Updates: v1.9.4]
• github.com/spf13/cobra v1.4.0 → [Updates: v1.10.2]
• github.com/spf13/pflag v1.0.5 → [Updates: v1.0.10]
• github.com/spf13/viper v1.10.1 → [Updates: v1.21.0]
• github.com/stretchr/testify v1.7.3 → [Updates: v1.11.1]

---

• Check this box to trigger a request for Renovate to run again on this repository

[threat-modeling-appsec]

Contexto Insuficiente

• Resumo: A entrada fornece uma visão detalhada das dependências e workflows CI/CD em uso, mas não apresenta contexto suficiente sobre a arquitetura, fluxos do sistema, ativos, controles e ambientes que são necessários para uma modelagem de ameaças completa.
• Missing context:
• Não há informações sobre fluxos de dados ou processos do sistema
• Faltam detalhes sobre ativos críticos da aplicação
• Ausência de descrição de controles de segurança existentes
• Não há detalhes sobre a arquitetura da aplicação
• Não há informações sobre permissões dos workflows
• Não estão presentes detalhes específicos dos ambientes onde as dependências são utilizadas
• Faltam informações sobre o escopo do projeto, contexto de negócio e ameaças relevantes
• Sugestão: Forneça informações sobre os fluxos de dados do sistema, ativos críticos, arquitetura, controles de segurança implementados, permissões dos workflows, bem como o contexto de negócio e possíveis ameaças que deseja analisar.
• Contexto recebido:
• lista de dependências
• detecção de versões desatualizadas
• ações e workflows do GitHub Actions
• instruções de atualização automatizada
• relato de falhas em lookup de dependências

[threat-modeling-appsec]

Resultado:
NEEDS_CONTEXT

json {
"status": "NEEDS_CONTEXT",
"confidence": "0.95",
"missingContext": "A entrada não especifica qual recurso, documento ou informação deve ser lida. Também não apresenta detalhes sobre o objetivo ou escopo da análise, contexto do sistema, atores envolvidos, fluxos de dados, ativos, ameaças ou requisitos de segurança.",
"summary": "A solicitação é genérica ('Leia este None') e não fornece informações suficientes para análise ou modelagem de ameaças.",
"contextPack": []
}