chore(deps): bump github.com/aquasecurity/trivy from 0.70.0 to 0.71.0

[dependabot]

Bumps github.com/aquasecurity/trivy from 0.70.0 to 0.71.0.

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.71.0

⚡ Highlights ⚡

👉 aquasecurity/trivy#10767

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.71.0 (2026-06-01)

Features

• add WithDriver and WithProvider options to ospkg detector (#10740) (f8a6ddb)
• java: support <mirrors> from settings.xml (#10692) (c080ce3)
• sbom: support for CycloneDX 1.7 (#10715) (04f739e)
• seal: add vendor support for language file detection. (#10297) (b08bf6a)
• secret: add a way to customize skipped folders, files and exts (#10550) (e4325b1)
• secret: add Azure secret detection rules (#10562) (69dcd18)
• secret: add Maven rules to detect passwords and passphrases in settings.xml and settings-security.xml files (#10704) (9ad901d)
• spdx: add SHA-512 hash algorithm support to SPDX serializer (#10719) (f2a1237)
• ubuntu: detect Ubuntu 26.04 LTS (#10592) (a61feac)

Bug Fixes

• cloudformation: propagate AWS::EC2::Instance MetadataOptions (#10731) (ac2f3d7)
• image: correctly reconstruct RUN instructions built without BuildKit (#10714) (519eac9)
• java: surface 429 from a remote Maven repository as a fatal error when scanning pom.xml files (#10693) (f8fdb93)
• misconf: fix rendering of nested values in terraform plan lists (#10746) (9c1cf65)
• misconf: make identifiers in ignore rules case-insensitive (#10375) (a75a468)
• misconf: prevent path traversal in Terraform filesystem functions (#10664) (9d91b88)
• misconf: reject nil plays during playbook parsing (#10273) (0bc5c6d)
• misconf: skip null cty values in AsMapValue to prevent panic (#10723) (f080e1e)
• misconf: skip resources with no after changes (#10352) (f099dc4)
• nodejs: handle legacy license formats in npm lockfile parser (#10684) (451fd99)
• nodejs: silently skip subdirectory package.json files with invalid names (#10609) (0e4dc66)
• overwrite OS packages PURLs after overwrite OS (#10298) (39a28ed)
• pull instead of clone when test repo already exists (#10636) (3a2f7fb)
• report: don't produce trailing comma in gitlab.tpl links array (#10728) (69e78e2)
• secret: correctly skip secret-scanner config file from scanning (#10666) (fc1e46f)

Commits

• 9b49920 release: v0.71.0 [main] (#10638)
• 35cefae ci: use only the first line of commit message in release-please workflow (#10...
• f8a6ddb feat: add WithDriver and WithProvider options to ospkg detector (#10740)
• 3ea80c0 chore(deps): bump github.com/google/go-containerregistry to v0.21.6 (#10741)
• 203dd94 refactor(secret): normalize configPath once in Init (#10702)
• 9ad901d feat(secret): add Maven rules to detect passwords and passphrases in settings...
• 8f049df chore(deps): bump the common group across 1 directory with 25 updates (#10758)
• 900ffcb chore: migrate from gomodguard to gomodguard_v2 (#10739)
• 3d5bc38 chore(deps): bump the docker group across 1 directory with 2 updates (#10709)
• 1c515db chore(deps): bump github.com/aws/aws-sdk-go-v2/service/ec2 from 1.302.0 to 1....
• Additional commits viewable in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 duplication

Metric	Results
Duplication	0

View in Codacy

AI Reviewer: first review requested successfully. AI can make mistakes. Always validate suggestions.

_{TIP This summary will be updated as you push new changes.}

[codacy-production]

Pull Request Overview

This PR updates the aquasecurity/trivy dependency and the Go toolchain. While the core dependency updates are correct, there are two significant issues that should be addressed before merging:

1. Incomplete Configuration: An explicit requirement in the source code to update .circle/config.yml alongside Trivy bumps has not been met. This risks version drift between the local environment and CI/CD.
2. Security Vulnerability: The selected Go version (1.26.3) is vulnerable to CVE-2026-42504. Since this PR already upgrades the toolchain, it should target version 1.26.4 to ensure a secure runtime.

Codacy analysis indicates the changes are otherwise up to standards, with several existing issues resolved.

About this PR

• The Go version bump to 1.26.3 is significant and may require updates to build runners, Dockerfiles, or other CI environments not captured in this PR. Please verify that all infrastructure supports this version.

Test suggestions

• Verify the project builds and existing integration tests pass with Trivy v0.71.0 and the Go 1.26.3 toolchain.

Prompt proposal for missing tests

Consider implementing these tests if applicable:
1. Verify the project builds and existing integration tests pass with Trivy v0.71.0 and the Go 1.26.3 toolchain.

_{TIP Improve review quality by adding custom instructions
TIP How was this review? Give us feedback}

[codacy-production]

_{🔴 HIGH RISK}

The Go version 1.26.3 contains several security vulnerabilities, including a high-severity issue (CVE-2026-42504) where a maliciously-crafted MIME header can cause issues during decoding. Since the goal of this PR is to update dependencies, you should move directly to Go 1.26.4 to address these security findings.

Suggested change

	go 1.26.3
	go 1.26.4

See Issue in Codacy
See Issue in Codacy
See Issue in Codacy

[codacy-production]

_{🟡 MEDIUM RISK}

The comment on this line explicitly states that .circle/config.yml must also be updated when Trivy is bumped. Failing to do so can lead to version drift where CI tests or scans run against a different version of the tool than what is specified in the dependencies. Please ensure the CI configuration is updated to match version 0.71.0.

Try running the following prompt in your coding agent:

Update .circle/config.yml to use Trivy version 0.71.0.