Edition No. 1

The Git Gazette

Your weekly repo roundup

aquasecurity/trivy · Last 7 days

Find vulnerabilities, misconfigurations, secrets, SBOM in containers, Kubernetes, code repositories, clouds and more


Here's What Matters This Week: 1 Critical Architecture Bug, 1 Major Maven Feature, Plus Security Fixes

Here's what matters this week: 1 critical architecture bug, 1 major Maven feature addition, and 3 security fixes you should know about. Let's get into it.

Critical Issue: #10409 reveals a fundamental problem where SeveritySource returns empty when severity falls back to trivy-db's top-level field. @JasonOA888's analysis shows trivy-db doesn't store origin metadata, breaking vulnerability source tracking. This affects anyone relying on severity provenance.

Major Feature Progress: Maven 4 support (#9908) is moving fast. @majiayu000 delivered implementation in #10430 with 3-tier precedence (global < project < user) and project-specific .mvn/settings.xml support. Java developers using Maven 4 will finally get proper Trivy scanning.

Security Fixes Applied: Three patches hit the stable branch — go-git bumped to 5.16.5 addressing vulnerabilities, OpenTelemetry SDK updated to 1.40.0, and Cloudflare CIRCL crypto library fixed from 1.6.1 to 1.6.3. All in v0.69.2 and v0.69.3.

Other Notable: @nikpivkin fixed wazero stdout interference (#10403), @DmitriyLewen elevated analyzer errors from DEBUG to WARN level (#10400), and @VedantMadane prepped for Go 1.26's version format changes (#10351).

Bottom line: Apply v0.69.3 for security fixes, watch #10409 for severity source fixes, and Maven 4 users should track #10430's merge.

The Drama Desk
By Rita Conflictsón

DEVELOPING: Architecture Showdown Brewing as Maven 4 Support Sparks Cross-Repository Drama

BREAKING: The aquasecurity/trivy repository is witnessing some delicious technical theater this week, and folks, the plot twists are architectural!

Our star witness @DmitriyLewen opened proceedings in #10409 with what seemed like a simple severity bug. But hold onto your keyboards — @JasonOA888 swooped in with a devastating analysis revealing this isn't just a bug, it's an architectural crisis! The trivy-db doesn't store origin metadata, leaving SeveritySource hanging empty like a courtroom with no witnesses. The drama! The implications!

Meanwhile, in a parallel universe of #9908, Maven 4 support is turning into a collaborative masterpiece. @knqyf263 set the stage with a feature request, @DmitriyLewen provided the roadmap ("global < project < user" — poetry in technical specs!), and now @majiayu000 has stepped forward claiming they've "traced the root cause." Will our hero deliver the implementation we've all been waiting for?

But wait, there's more! In a surprise twist, @mattcarp12 volunteered for duty in #10401's Dockerfile pipefail saga, proving that sometimes the best drama is when someone actually wants to fix the problem.

Stay tuned, dear readers. With architecture debates, Maven mysteries, and volunteer heroes, this repository is serving up more plot twists than a legal thriller!

Sources: #10409, #9908, #10401

A Study in Contrasts: From Wazero's Stdout Symphony to Maven's Renaissance

This week's exhibition from the Trivy galleries presents a fascinating tableau of merged masterpieces and pending compositions that reveals the full spectrum of contemporary software artistry.

The crown jewel of our merged collection must be @nikpivkin's exquisite fix in #10403 — a delicate surgical intervention addressing wazero's rather ungracious habit of commandeering stdout's file descriptor. One observes the elegance with which the author diagnosed that os.Stdout was being passed directly to wazero, causing the entire process to suffer from non-blocking stdout writes. The solution? Pure restraint. Chef's kiss.

Meanwhile, our pending gallery showcases @majiayu000's ambitious Maven 4 opus (#10430), which introduces project-specific settings.xml support with what the artist describes as "3-tier merge precedence." The technical virtuosity is undeniable — Maven 4's project-level settings via .mvn/settings.xml handled with the sophistication one expects from a seasoned practitioner of the Java arts.

Of particular note is @DmitriyLewen's thoughtful curation in #10400, elevating analyzer errors from the shadowy depths of DEBUG logging to the more respectable WARN level. As this critic has long maintained, meaningful parse failures deserve proper visibility — no longer shall they languish in debug purgatory.

The dependency updates flow like a gentle brook (#10408, #10407), while @dependabot continues its methodical march through the commons. Adequate.

The Shipping Forecast
By Captain Semver

Patch Squalls Continue as Trivy Charts Steady Course Through v0.69.x Waters

SHIPPING FORECAST, issued Wednesday 1200 UTC: Light patch-level activity persists across the Trivy security scanning fleet. The harbor master reports steady maintenance winds, with v0.69.2 making port on March 1st, followed by v0.69.3 on the 3rd.

Both vessels carried standard dependency repairs — the go-git library received a minor hull patch from 5.16.4 to 5.16.5 (#10291), while OpenTelemetry instrumentation was upgraded to SDK 1.40.0 (#10267). The Cloudflare CIRCL cryptographic library weathered a security repair, advancing from 1.6.1 to 1.6.3 (#10264). All changes classified as routine maintenance — no navigational hazards reported.

Scanning the horizon reveals moderate development activity: @nikpivkin has cleared stdout interference from the WASM module configuration (#10403), while @DmitriyLewen secured template file validation (#10296) and preserved Red Hat BuildInfo in SBOM operations (#10378). The Dependabot fleet continues its systematic supply chain maintenance with 22 dependency updates logged (#10408).

Notable: @VedantMadane has preemptively charted Go 1.26's experimental version format changes (#10351), and @knqyf263 reinforced Python requirements parsing for multiple version specifiers (#10361).

Conditions remain favorable for continued patch-level releases. No major storm systems detected on approach. All vessels maintaining standard security scanning operations. Next forecast: Thursday 0800 UTC.

Community Pulse
By Flo Stargazer

Core Team Keeps the Fixes Flowing: 47 Unique Faces This Week

What a fascinating week in Trivy-land! While we saw a lighter PR count with just one merged this week, the community engagement tells a richer story — 47 unique contributors showed up across forks, stars, and comments. That's the kind of sustained interest that keeps a security project thriving!

Our core contributors continue to demonstrate why Trivy has earned its 33K+ stars. @nikpivkin cleaned up the wazero module configuration in #10403, while @DmitriyLewen was particularly active with two solid fixes: template file extension validation (#10296) and preserving Red Hat BuildInfo for SBOM scanning (#10378). And kudos to @VedantMadane for tackling the tricky Go 1.26 version format changes in #10351!

I'm always excited to see @dependabot[bot] keeping dependencies fresh with those bulk updates in #10408 and #10407 — it's the unglamorous but essential work that keeps security tools secure.

The activity mix this week — 42 new watchers and 6 fresh forks — shows Trivy's reputation is still drawing new eyes. While commit activity was focused on our veteran contributors, that's actually healthy for a mature security tool where stability matters as much as features. Sometimes the best community pulse is a steady, reliable heartbeat from trusted hands.

Git Gazette: aquasecurity/trivy — March 23, 2026 | The Git Gazette