Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions CHANGELOG.md
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,10 @@ Please choose versions by [Semantic Versioning](http://semver.org/).
* MINOR version when you add functionality in a backwards-compatible manner, and
* PATCH version when you make backwards-compatible bug fixes.

## Unreleased

- fix: checker templates exclude no-fix advisory GO-2026-5932 (`golang.org/x/crypto/openpgp`, unmaintained) — add it to `VULNCHECK_IGNORE` in `Makefile.library`/`Makefile.service`, and introduce a shared `TRIVY_IGNORE` baseline merged with any repo-local `.trivyignore` via a temp ignorefile, and align `Makefile.service`'s `trivy` target with `Makefile.library`'s full flag set (`--db-repository`, `--ignorefile`, `--secret-config`, `--skip-dirs vendor`). Propagates the exclusion to all consuming repos across both scanners.

## v0.30.0

- feat: rewrite `/coding:self-improve` Step 5 routing to artifact-first, CLAUDE.md-last — routing table now leads with existing artifacts (command/agent/skill repair, runbooks, guides) and demotes memory files to last resort with a mandatory "which artifacts were checked" justification; adds a −1 scoring signal for proposals that route to a `CLAUDE.md` an existing artifact could own. Counters the observed bias of every session proposing new memory rules.
Expand Down
16 changes: 14 additions & 2 deletions templates/Makefile.library
Original file line number Diff line number Diff line change
Expand Up @@ -54,8 +54,14 @@ errcheck:

# GO-2026-5037/5038/5039 are Go 1.26.3 stdlib vulns (crypto/x509, mime, net/textproto),
# fixed in 1.26.4 — remove from this list once all CI runners and base images are on 1.26.4+.
# GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained (no fix will ship) — the advisory
# deprecates the package, it is not an exploitable call path. Revisit if the dependency is dropped.
VULNCHECK_IGNORE ?= GO-2026-4923 GO-2026-4514 GO-2022-0470 GO-2026-4772 GO-2026-4771 \
GO-2026-5037 GO-2026-5038 GO-2026-5039
GO-2026-5037 GO-2026-5038 GO-2026-5039 GO-2026-5932

# Shared trivy ignore baseline, merged with any repo-local .trivyignore in the trivy target.
# GO-2026-5932: see VULNCHECK_IGNORE note above (no-fix unmaintained x/crypto/openpgp).
TRIVY_IGNORE ?= GO-2026-5932

# Known-benign govulncheck failure modes we swallow. golang.org/x/tools v0.46.0
# panics on packages containing generic *types.TypeParam during SSA analysis
Expand Down Expand Up @@ -104,11 +110,17 @@ osv-scanner:
gosec:
go run github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION) -exclude=G104 ./...

# Build an ignorefile = shared TRIVY_IGNORE baseline + any repo-local .trivyignore
# (repo dir, then $(ROOTDIR)), so the shared no-fix exclusions always apply on top of repo-local ones.
.PHONY: trivy
trivy:
@IGN=$$(mktemp); \
trap 'rm -f "$$IGN"' EXIT INT TERM; \
printf '%s\n' $(TRIVY_IGNORE) > "$$IGN"; \
for f in .trivyignore $(ROOTDIR)/.trivyignore; do [ -f "$$f" ] && cat "$$f" >> "$$IGN"; done; \
trivy fs \
--db-repository ghcr.io/aquasecurity/trivy-db \
$(if $(wildcard .trivyignore),--ignorefile .trivyignore,$(if $(wildcard $(ROOTDIR)/.trivyignore),--ignorefile $(ROOTDIR)/.trivyignore,)) \
--ignorefile "$$IGN" \
$(if $(wildcard .trivy-secret.yaml),--secret-config .trivy-secret.yaml,$(if $(wildcard $(ROOTDIR)/.trivy-secret.yaml),--secret-config $(ROOTDIR)/.trivy-secret.yaml,)) \
--scanners vuln,secret \
--skip-dirs vendor \
Expand Down
25 changes: 23 additions & 2 deletions templates/Makefile.service
Original file line number Diff line number Diff line change
Expand Up @@ -61,8 +61,14 @@ errcheck:

# GO-2026-5037/5038/5039 are Go 1.26.3 stdlib vulns (crypto/x509, mime, net/textproto),
# fixed in 1.26.4 — remove from this list once all CI runners and base images are on 1.26.4+.
# GO-2026-5932: golang.org/x/crypto/openpgp is unmaintained (no fix will ship) — the advisory
# deprecates the package, it is not an exploitable call path. Revisit if the dependency is dropped.
VULNCHECK_IGNORE ?= GO-2026-4923 GO-2026-4514 GO-2022-0470 GO-2026-4772 GO-2026-4771 \
GO-2026-5037 GO-2026-5038 GO-2026-5039
GO-2026-5037 GO-2026-5038 GO-2026-5039 GO-2026-5932

# Shared trivy ignore baseline, merged with any repo-local .trivyignore in the trivy target.
# GO-2026-5932: see VULNCHECK_IGNORE note above (no-fix unmaintained x/crypto/openpgp).
TRIVY_IGNORE ?= GO-2026-5932

# Known-benign govulncheck failure modes we swallow. golang.org/x/tools v0.46.0
# panics on packages containing generic *types.TypeParam during SSA analysis
Expand Down Expand Up @@ -111,9 +117,24 @@ osv-scanner:
gosec:
go run github.com/securego/gosec/v2/cmd/gosec@$(GOSEC_VERSION) -exclude=G104 ./...

# Build an ignorefile = shared TRIVY_IGNORE baseline + any repo-local .trivyignore
# (repo dir, then $(ROOTDIR)), so the shared no-fix exclusions always apply on top of repo-local ones.
.PHONY: trivy
trivy:
trivy fs --scanners vuln,secret --quiet --no-progress --disable-telemetry --exit-code 1 .
@IGN=$$(mktemp); \
trap 'rm -f "$$IGN"' EXIT INT TERM; \
printf '%s\n' $(TRIVY_IGNORE) > "$$IGN"; \
for f in .trivyignore $(ROOTDIR)/.trivyignore; do [ -f "$$f" ] && cat "$$f" >> "$$IGN"; done; \
trivy fs \
--db-repository ghcr.io/aquasecurity/trivy-db \
--ignorefile "$$IGN" \
$(if $(wildcard .trivy-secret.yaml),--secret-config .trivy-secret.yaml,$(if $(wildcard $(ROOTDIR)/.trivy-secret.yaml),--secret-config $(ROOTDIR)/.trivy-secret.yaml,)) \
--scanners vuln,secret \
--skip-dirs vendor \
--quiet \
--no-progress \
--disable-telemetry \
--exit-code 1 .

.PHONY: addlicense
addlicense:
Expand Down
Loading