Hello, @aelsabbahy !
Thank you for PR. When you planning to release it? It would available on 0.4.7?

Reopening issue until the release happens. Yes, this will be part of the next goss release.

I should look into automating the trivy checks. 🤔

Released 0.4.7 which should fix this. Feel free to re-open ticket if it doesn't resolve this finding.

Many thanks @aelsabbahy ! Will test it :)

Checked, it's passing CVE testing, closing this issue :) thanks @aelsabbahy

Thanks for reporting. If you don't mind.. can you show me how to reproduce the failing result on the old version? This way I can look into automating this at a future time.

Sure, we using Trivy GitHub action on CI which testing our docker image (our open source project is docker image), results you can see here. After update goss version on 0.4.7 CI became green

we just added few lines of code on our CI

@aelsabbahy I think you can use such command: trivy repo --tag v0.4.6 https://github.com/goss-org/goss

P.S. docs here

Perfect, yeah that worked, thanks! Will check out the github actions too.

I tried trivy fs goss-binary and got no results earlier, figured I was doing something wrong.

I also will try yet another time restart this step on CI, they updating CVE database every day, existing small chance that they can reclassify CVE.

We had last release 3 days ago probably something changed in their db during this time

Oh, I just meant it doesn't detect it if you scan the binary directory but does if you scan the repo.

I was confused earlier since I couldn't reproduce your results (due to scanning binary), scanning repo works just fine and I might set up a weekly scan.

Thanks again, this should improve the security posture of Goss!

The scan with trivy GitHub action of goss docker file I had also added to:

• Add pipeline for build goss docker image #909

Awesome, thanks for all the clarifications, closing.