deps: update module github.com/anchore/grype to v0.104.1 [security]

[renovate]

This PR contains the following updates:

Package	Change	Age	Confidence
github.com/anchore/grype	v0.91.0 → v0.104.1

GitHub Vulnerability Alerts

CVE-2025-65965

A credential disclosure vulnerability was found in Grype, affecting versions v0.68.0 through v0.104.0. If registry credentials are defined and the output of grype is written using the --file or --output json=<file> option, the registry credentials will be included unsanitized in the output file.

Impact

In Grype versions v0.68.0 through v0.104.0, when registry authentication is configured, those credentials can be incorrectly included in the output of a Grype scan (regardless of whether those credentials are actively being used for the current scan). Users that do not have registry authentication configured are not affected by this issue.

Registry credentials can be set via the Grype configuration file (e.g. registry.auth[].username, registry.auth[].password, registry.auth[].token) or environment variables (e.g., GRYPE_REGISTRY_AUTH_USERNAME, GRYPE_REGISTRY_AUTH_PASSWORD, GRYPE_REGISTRY_AUTH_TOKEN).

In order for the authentication details to be improperly included, the Grype file output format must be set to json with output target set to a file. For example --output json=file.json or --output json --file file.json. When these conditions are met, the configured credentials are not sanitized as they should be in the resulting JSON output file.

The authentication details could also be leaked via a malformed Grype Template. A Grype Template that includes the Descriptor.Registry.Auth fields would also include the unsanitized registry credentials. There are no known templates that include these fields.

Patches

The patch has been released in v0.104.1.

Workaround

Users running affected versions of grype can work around this vulnerability by redirecting stdout to a file instead of using the --file or --output options.

For example, replacing the command:

# using `--output json=path` (or `--file`) leaks credentials
grype --output json=test.json alpine:latest

with

# no use of `--output json=path` or `--file`. Output is sanitized...
grype --output json alpine:latest > test.json

...results in the same test.json output, but the credentials will be properly sanitized.

Resources

Patch pull request: https://github.com/anchore/grype/pull/3068

---

Release Notes

anchore/grype (github.com/anchore/grype)

v0.104.1

Compare Source

Bug Fixes

• Redact during file output [#​3068 @​kzantow]
• Unaffected match table does not filter results if CPE matching is enabled [#​3056 #​3066 @​kzantow]

Additional Changes

• Migrate grype to use mholt/archives instead of anchore fork [#​3036 @​joonas]

(Full Changelog)

v0.104.0

Compare Source

Added Features

• Add --from flag [#​3035 @​wagoodman]
• Let a suppression expire to prevent that one will forget to resolve a vulnerability [#​3031]

Bug Fixes

• Unnormalized fix version triggers false-positive in mssql-jdbc [#​3042 #​3034 @​jamestexas]

Additional Changes

• junit template use CDATA block to prevent XML parse errors [#​3019 @​nvtkaszpir]
• Keep nested loggers labeled [#​3040 @​wagoodman]

(Full Changelog)

v0.103.0

Compare Source

Added Features

• Allow hyphen in version string [#​3021 @​willmurphyscode]
• Respect rpmmod PURL qualifier [#​3020 @​willmurphyscode]

(Full Changelog)

v0.102.0

Compare Source

Added Features

• Use Alma Linux specific advisories for Alma Linux scans [#​2745 #​2939 @​willmurphyscode]

Bug Fixes

• Bitnami packages with CPEs are not matched against CPE-based vulnerabilities [#​2997]

Additional Changes

• add markdown template [#​2987 @​sebdanielsson]

(Full Changelog)

v0.101.1

Compare Source

Bug Fixes

• Panic error scanning images with v0.101.0 on some java dependencies [#​3002]

(Full Changelog)

v0.101.0

Compare Source

Added Features

• Add cyclonedx to RpmMetadata [#​2935 @​sfc-gh-rmaj]
• grype db search can filter by fixed state [#​2968 @​willmurphyscode]
• Support using VEX documents with directory scans and SBOMs [#​2471 #​2811 @​alegrey91]

Bug Fixes

• Issue installing Grype using documented curl command [#​2985]
• Advisory ID blank in JSON output [#​2965]

Additional Changes

• update flags with v3 to not use default config [#​3000 @​spiffcs]
• fix Cosign documentation URL in installer [#​2995 @​lime]
• set advisory id again [#​2979 @​willmurphyscode]
• add db schema validation [#​2962 @​willmurphyscode]

(Full Changelog)

v0.100.0

Compare Source

Added Features

• Add unaffected package and CPE stores [#​2888 @​wagoodman]
• use unaffected match table to remove appropriate vulns [#​2886 @​CrosleyZack]

(Full Changelog)

v0.99.1

Compare Source

Bug Fixes

• Present fix available version in grype JSON output [#​2905 @​wagoodman]
• detect patch numbers in fuzzy version comparison [#​2844 @​willmurphyscode]
• Make timestamp in output configurable (so that results are more reproducible) [#​522 #​2724 @​gabetrau]
• Grype .98 misidentifies the container package version [#​2884]

(Full Changelog)

v0.99.0

Compare Source

Added Features

• Add fix availability information to DB schema [#​2862 @​wagoodman]
• Add support vulnerability matching for raspbian [#​2893 @​westonsteimel]
• Add Vex CSAF support [#​1826 @​juan131]

Bug Fixes

• include channel in grype db search output [#​2873 @​willmurphyscode]
• add UnmarshalJSON to fix availability blob [#​2889 @​willmurphyscode]
• Grype misdetect Grafana version [#​2783]

Breaking Changes

• CSAF support [#​1826 @​juan131]

(Full Changelog)

v0.98.0

Compare Source

Added Features

• move debian 13 (trixie) to released and debian 14 (forky) to testing/sid/unstable [#​2861 @​westonsteimel]

(Full Changelog)

v0.97.2

Compare Source

Grype v0.97.2

Added Features

• new syft version adds binary classifier for hashicorp vault [#​4121 @​willmurphyscode]

Bug Fixes

• fix: update syft's nondeterministic Java archive purl and improve groupID for better matching [#​3521 #​4118 @​kzantow]

(Full Changelog)

v0.97.1

Compare Source

Bug Fixes

• Multiple EUS advisories where only some are fixed result in unexpected vulnerabilities [#​2840 #​2841 @​kzantow]

(Full Changelog)

v0.97.0

Compare Source

Added Features

• Add support for RHEL EUS [#​2446 #​2787 @​wagoodman]

Bug Fixes

• Error scanning snap "unsupported source: source.SnapMetadata" [#​2819 #​2821 @​kzantow]

Additional Changes

• add channel to os / distro [#​2782 @​wagoodman]

(Full Changelog)

v0.96.1

Compare Source

Syft Improvments

• Update to latest version of syft v1.29.0

Performance Improvements

• Create ignore regex objects conditionally[#​2805 @​wagoodman ]

(Full Changelog)

v0.96.0

Compare Source

Added Features

• Added the EPSS score and KEV indications as CycloneDX vulnerabilities.ratings entries [#​2695 #​2765 @​AlinaPodoba]

Bug Fixes

• The go run and go install broken due to useless redirect directive in go.mod [#​2777 #​2780 @​stefanb]
• EPSS implementation using percentile instead of percent probability [#​2778 #​2785 @​wagoodman]
• Latest version of grype with V6 schema lists incorrect URL for v6 database [#​2513]

Additional Changes

• Add more detail around cataloging and DB load log statements [#​2779 @​wagoodman]
• add version set and combined constraint [#​2763 @​wagoodman]
• add v6 OS store [#​2766 @​wagoodman]

(Full Changelog)

v0.95.0

Compare Source

Added Features

• Add string severity to db search json results [#​2730 @​wagoodman]
• Add package specifier overrides for kb, dpkg, and apkg [#​2742 @​westonsteimel]

Bug Fixes

• show related NVD records for non-NVD matches [#​2755 @​kzantow]
• assume that a vulnerability with no ranges is always vulnerable [#​2759 @​wagoodman]
• DB should hydrate for when the client has new features [#​2758 @​wagoodman]
• show relationship back to NVD for all CVE ids [#​2756 @​westonsteimel]
• properly escape CPE segments [#​2731 @​kzantow]
• msrc matcher should search by package ecosystem, not by distro [#​2748 @​westonsteimel]
• Grype does not report any vulnerabilities for CPEs with target_sw field set to value that does not correspond to known package type [#​2768 #​2772 @​willmurphyscode]
• malformed CPE in grype db search output [#​2767 #​2769 @​westonsteimel]
• vex documents from the --vex flag do get processed or applied to the output correctly [#​1836 #​2741 @​willmurphyscode]

Additional Changes

• replace deprecated GoReleaser configurations [#​2729 @​emmanuel-ferdman]
• specify types for all match details [#​2762 @​wagoodman]
• Refactor the version package [#​2735 @​wagoodman]

(Full Changelog)

v0.94.0

Compare Source

Added Features

• Add echo os to grype [#​2647 @​orizerah]

Bug Fixes

• Nonroot can't load local docker image with docker socket bind [#​2721 #​2723 @​kzantow]
• "Harden Container Runtime with Non-Root User" breaks --output usage [#​2720 #​2723 @​kzantow]

(Full Changelog)

v0.93.0

Compare Source

Added Features

• Add support for MinimOS [#​2627 @​Daniel-Wachter]
• Use the upstream Bitmani vulndb data for matching [#​1609 #​2538 @​juan131]
• Support rubygems specific version comparision [#​2646 #​2712 @​willmurphyscode]

Bug Fixes

• Harden Container Runtime with Non-Root User [#​2716 @​wagoodman]
• valid cpes in db search output [#​2706 @​westonsteimel]
• Always show results with json output for db search commands [#​2692 @​wagoodman]
• False positive: CVE-2025-5702 reported with High severity on glibc 2.34 (wrong severity and affected version) [#​2718]

(Full Changelog)

v0.92.2

Compare Source

Bug Fixes

• unpin dockerfile base images to prevent wget TLS errors [#​2671 @​spiffcs]
• Parse java group ID and artifact ID from PURL when missing [#​2675 @​wagoodman]
• Grype can't update DB in docker volume (regression) [#​2517 #​2672 @​willmurphyscode]

Additional Changes

• Remove getDB() from the v6 DB reader [#​2669 @​wagoodman]

(Full Changelog)

v0.92.1

Compare Source

(Full Changelog)

v0.92.0

Compare Source

Added Features

• improve html template [#​2635 @​OnceUponALoop]
• Add EPSS metrics to grype results [#​1973 #​2587 @​wagoodman]
• Show indication of known exploited vulnerabilities (from CISA) [#​1511 #​2587 @​wagoodman]

Bug Fixes

• adjust namespace translation logic to be v5 compatible [#​2634 @​westonsteimel]
• fall back to fuzzy constraint units [#​2651 @​willmurphyscode]
• adjust version prefix check when excluding overlapping packages [#​2653 @​westonsteimel]
• Dropping group from npm package names leads to false positives [#​2554 #​2645 @​kzantow]
• Potential regression in CVE detection from 0.87.0 (v5 schema) to 0.88.0 (v6 schema) for go-module detection [#​2642]
• Removal of temporary files not working on Windows [#​2233 #​2657 @​popey]
• @​jridgewell/gen-mapping incorrectly attributed GHSA-8rmg-jf7p-4p22 [#​1886 #​2645 @​kzantow]
• Vulnerability reported on @​group/name dependency when actual vulnerability exists on name dependency [#​1701 #​2645 @​kzantow]
• Grype false negatives in versions v0.88.0 and later leading to missed critical vulnerabilities [#​2628 #​2645 @​kzantow]
• PHP pecl redis mixes with redis project itself and creates false positive cve [#​1804]
• False Positive: Openssl CVE-2022-2068, CVE-2022-1292, CVE-2021-3711 in SUSE Enterprise 15 SP5 [#​1729]
• Grype does not handle purl file input with packages from different distributions [#​2630 #​2639 @​chovanecadam]
• grype pkg:golang/k8s.io/ingress-nginx@​v1.11.2 does not show cve [#​2580 #​2586 @​goatwu1993]

(Full Changelog)

v0.91.2

Compare Source

Bug Fixes

• Various false positives starting with 0.91.1 [#​2618 #​2621 @​willmurphyscode]

(Full Changelog)

v0.91.1

Compare Source

Bug Fixes

• Assume that empty versions should match on all possible versions [#​2591 @​wagoodman]
• Fix severity field in db search vuln [#​2589 @​wagoodman]
• Recover from panic within a matcher [#​2590 @​wagoodman]
• Should only check maven central if pom info is missing [#​2216 #​2547 @​tdunlap607]
• grype db search GHSA-mrrh-fwg8-r2c3 doesn't return results [#​2530]
• Grype stopped reporting vulnerabilities after upgrade [#​2608 #​2610 @​willmurphyscode]
• Grype does not handle cache-dir containing ~ correctly [#​2599 #​2600 @​kzantow]
• Grype should expand ~ in paths in config file [#​2024 #​2600 @​kzantow]
• False Positive: Multiple old CVEs in chromium 134.0.6998.117 for apk ecosystem [#​2581]
• Missing grype DB update from 2025041 [#​2593]
• Does not fill in the Level field of the SARIF result object [#​2511 #​2571 @​bdovaz]

Additional Changes

• add timing info to log output [#​2597 @​kzantow]
• Replace os.ReadDir with afero.ReadDir for consistency [#​2579 @​joe-ton]

(Full Changelog)

---

Configuration

📅 Schedule: Branch creation - "" in timezone Europe/Berlin, Automerge - At any time (no schedule defined).

🚦 Automerge: Enabled.

♻ Rebasing: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox.

🔕 Ignore: Close this PR and you won't be reminded about this update again.

---

• If you want to rebase/retry this PR, check this box

---

This PR was generated by Mend Renovate. View the repository job log.

[renovate]

ℹ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 94 additional dependencies were updated

Details:

Package	Change
github.com/anchore/stereoscope	v0.1.3 -> v0.1.13
github.com/anchore/syft	v1.22.0 -> v1.38.0
github.com/sirupsen/logrus	v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
github.com/spf13/cobra	v1.9.1 -> v1.10.1
github.com/stretchr/testify	v1.10.0 -> v1.11.1
cel.dev/expr	v0.23.1 -> v0.24.0
cloud.google.com/go/auth	v0.15.0 -> v0.16.2
cloud.google.com/go/monitoring	v1.24.1 -> v1.24.2
dario.cat/mergo	v1.0.1 -> v1.0.2
github.com/AdamKorcz/go-118-fuzz-build	v0.0.0-20231105174938-2b5cbb29f3e2 -> v0.0.0-20250520111509-a70c2aa677fa
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.27.0 -> v1.29.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	v0.51.0 -> v0.53.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	v0.51.0 -> v0.53.0
github.com/Masterminds/semver/v3	v3.3.1 -> v3.4.0
github.com/Microsoft/hcsshim	v0.12.9 -> v0.13.0
github.com/STARRY-S/zip	v0.2.2 -> v0.2.3
github.com/anchore/clio	v0.0.0-20250401141128-4c1d6bd1e872 -> v0.0.0-20250715152405-a0fa658e5084
github.com/anchore/fangs	v0.0.0-20250402135612-96e29e45f3fe -> v0.0.0-20250716230140-94c22408c232
github.com/anchore/go-collections	v0.0.0-20241211140901-567f400e9a46 -> v0.0.0-20251016125210-a3c352120e8c
github.com/bitnami/go-version	v0.0.0-20250324202741-04b9d491e744 -> v0.0.0-20250505154626-452e8c5ee607
github.com/bodgit/sevenzip	v1.6.0 -> v1.6.1
github.com/charmbracelet/colorprofile	v0.3.0 -> v0.3.1
github.com/charmbracelet/x/ansi	v0.8.0 -> v0.10.1
github.com/containerd/containerd/api	v1.8.0 -> v1.9.0
github.com/cyphar/filepath-securejoin	v0.4.1 -> v0.6.0
github.com/github/go-spdx/v2	v2.3.2 -> v2.3.4
github.com/go-viper/mapstructure/v2	v2.2.1 -> v2.4.0
github.com/google/pprof	v0.0.0-20250403155104-27863c87afa6 -> v0.0.0-20250630185457-6e76a2b096b5
github.com/gookit/color	v1.5.4 -> v1.6.0
github.com/hashicorp/hcl/v2	v2.23.0 -> v2.24.0
github.com/mattn/go-runewidth	v0.0.16 -> v0.0.19
github.com/mholt/archives	v0.1.1 -> v0.1.5
github.com/minio/minlz	v1.0.0 -> v1.0.1
github.com/nwaples/rardecode/v2	v2.1.1 -> v2.2.0
github.com/opencontainers/selinux	v1.12.0 -> v1.13.0
github.com/openvex/go-vex	v0.2.5 -> v0.2.7
github.com/pelletier/go-toml/v2	v2.2.3 -> v2.2.4
github.com/sorairolake/lzip-go	v0.3.7 -> v0.3.8
github.com/zclconf/go-cty	v1.16.2 -> v1.16.3
go.opentelemetry.io/contrib/detectors/gcp	v1.35.0 -> v1.37.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.60.0 -> v0.62.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.60.0 -> v0.62.0
go.opentelemetry.io/otel	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/metric	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/sdk	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/sdk/metric	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/trace	v1.35.0 -> v1.37.0
golang.org/x/exp	v0.0.0-20250305212735-054e65f0b394 -> v0.0.0-20250711185948-6ae5c78190dc
golang.org/x/tools	v0.31.0 -> v0.39.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250404141209-ee84b53bf3d0 -> v0.0.0-20250715232539-7130f93afb79
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250404141209-ee84b53bf3d0 -> v0.0.0-20250715232539-7130f93afb79
cloud.google.com/go	v0.120.0 -> v0.121.3
cloud.google.com/go/compute/metadata	v0.6.0 -> v0.7.0
cloud.google.com/go/iam	v1.5.0 -> v1.5.2
cloud.google.com/go/storage	v1.51.0 -> v1.55.0
github.com/CycloneDX/cyclonedx-go	v0.9.2 -> v0.9.3
github.com/ProtonMail/go-crypto	v1.1.6 -> v1.3.0
github.com/andybalholm/brotli	v1.1.1 -> v1.2.0
github.com/bmatcuk/doublestar/v4	v4.8.1 -> v4.9.1
github.com/cloudflare/circl	v1.6.0 -> v1.6.1
github.com/containerd/containerd	v1.7.27 -> v1.7.29
github.com/docker/cli	v28.0.4+incompatible -> v28.5.2+incompatible
github.com/docker/docker	v28.0.4+incompatible -> v28.5.2+incompatible
github.com/docker/docker-credential-helpers	v0.9.3 -> v0.9.4
github.com/docker/go-connections	v0.5.0 -> v0.6.0
github.com/gabriel-vasile/mimetype	v1.4.8 -> v1.4.11
github.com/go-logr/logr	v1.4.2 -> v1.4.3
github.com/google/go-containerregistry	v0.20.3 -> v0.20.6
github.com/googleapis/gax-go/v2	v2.14.1 -> v2.15.0
github.com/pjbgf/sha1cd	v0.3.2 -> v0.4.0
github.com/sergi/go-diff	v1.3.2-0.20230802210424-5b0b94c5c0d3 -> v1.4.0
github.com/sylabs/sif/v2	v2.21.1 -> v2.22.0
github.com/ulikunitz/xz	v0.5.12 -> v0.5.15
github.com/vbatts/go-mtree	v0.5.4 -> v0.6.0
golang.org/x/crypto	v0.36.0 -> v0.45.0
golang.org/x/mod	v0.24.0 -> v0.30.0
golang.org/x/net	v0.38.0 -> v0.47.0
golang.org/x/oauth2	v0.29.0 -> v0.30.0
golang.org/x/sync	v0.13.0 -> v0.18.0
golang.org/x/term	v0.31.0 -> v0.37.0
golang.org/x/time	v0.11.0 -> v0.14.0
google.golang.org/api	v0.228.0 -> v0.242.0
google.golang.org/genproto	v0.0.0-20250404141209-ee84b53bf3d0 -> v0.0.0-20250715232539-7130f93afb79
google.golang.org/grpc	v1.71.1 -> v1.74.0
gorm.io/gorm	v1.25.12 -> v1.31.1
modernc.org/libc	v1.62.1 -> v1.66.10
modernc.org/memory	v1.9.1 -> v1.11.0
modernc.org/sqlite	v1.37.0 -> v1.40.0
github.com/go-git/go-git/v5	v5.14.0 -> v5.16.3
github.com/spf13/afero	v1.14.0 -> v1.15.0
github.com/spf13/cast	v1.7.1 -> v1.9.2
github.com/spf13/pflag	v1.0.6 -> v1.0.9
golang.org/x/sys	v0.32.0 -> v0.38.0
golang.org/x/text	v0.24.0 -> v0.31.0

[renovate]

ℹ️ Artifact update notice

File name: go.mod

In order to perform the update(s) described in the table above, Renovate ran the go get command, which resulted in the following additional change(s):

• 94 additional dependencies were updated

Details:

Package	Change
github.com/anchore/stereoscope	v0.1.3 -> v0.1.13
github.com/anchore/syft	v1.22.0 -> v1.38.0
github.com/sirupsen/logrus	v1.9.3 -> v1.9.4-0.20230606125235-dd1b4c2e81af
github.com/spf13/cobra	v1.9.1 -> v1.10.1
github.com/stretchr/testify	v1.10.0 -> v1.11.1
cel.dev/expr	v0.23.1 -> v0.24.0
cloud.google.com/go/auth	v0.15.0 -> v0.16.2
cloud.google.com/go/monitoring	v1.24.1 -> v1.24.2
dario.cat/mergo	v1.0.1 -> v1.0.2
github.com/AdamKorcz/go-118-fuzz-build	v0.0.0-20231105174938-2b5cbb29f3e2 -> v0.0.0-20250520111509-a70c2aa677fa
github.com/GoogleCloudPlatform/opentelemetry-operations-go/detectors/gcp	v1.27.0 -> v1.29.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/exporter/metric	v0.51.0 -> v0.53.0
github.com/GoogleCloudPlatform/opentelemetry-operations-go/internal/resourcemapping	v0.51.0 -> v0.53.0
github.com/Masterminds/semver/v3	v3.3.1 -> v3.4.0
github.com/Microsoft/hcsshim	v0.12.9 -> v0.13.0
github.com/STARRY-S/zip	v0.2.2 -> v0.2.3
github.com/anchore/clio	v0.0.0-20250401141128-4c1d6bd1e872 -> v0.0.0-20250715152405-a0fa658e5084
github.com/anchore/fangs	v0.0.0-20250402135612-96e29e45f3fe -> v0.0.0-20250716230140-94c22408c232
github.com/anchore/go-collections	v0.0.0-20241211140901-567f400e9a46 -> v0.0.0-20251016125210-a3c352120e8c
github.com/bitnami/go-version	v0.0.0-20250324202741-04b9d491e744 -> v0.0.0-20250505154626-452e8c5ee607
github.com/bodgit/sevenzip	v1.6.0 -> v1.6.1
github.com/charmbracelet/colorprofile	v0.3.0 -> v0.3.1
github.com/charmbracelet/x/ansi	v0.8.0 -> v0.10.1
github.com/containerd/containerd/api	v1.8.0 -> v1.9.0
github.com/cyphar/filepath-securejoin	v0.4.1 -> v0.6.0
github.com/github/go-spdx/v2	v2.3.2 -> v2.3.4
github.com/go-viper/mapstructure/v2	v2.2.1 -> v2.4.0
github.com/google/pprof	v0.0.0-20250403155104-27863c87afa6 -> v0.0.0-20250630185457-6e76a2b096b5
github.com/gookit/color	v1.5.4 -> v1.6.0
github.com/hashicorp/hcl/v2	v2.23.0 -> v2.24.0
github.com/mattn/go-runewidth	v0.0.16 -> v0.0.19
github.com/mholt/archives	v0.1.1 -> v0.1.5
github.com/minio/minlz	v1.0.0 -> v1.0.1
github.com/nwaples/rardecode/v2	v2.1.1 -> v2.2.0
github.com/opencontainers/selinux	v1.12.0 -> v1.13.0
github.com/openvex/go-vex	v0.2.5 -> v0.2.7
github.com/pelletier/go-toml/v2	v2.2.3 -> v2.2.4
github.com/sorairolake/lzip-go	v0.3.7 -> v0.3.8
github.com/zclconf/go-cty	v1.16.2 -> v1.16.3
go.opentelemetry.io/contrib/detectors/gcp	v1.35.0 -> v1.37.0
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc	v0.60.0 -> v0.62.0
go.opentelemetry.io/contrib/instrumentation/net/http/otelhttp	v0.60.0 -> v0.62.0
go.opentelemetry.io/otel	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/metric	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/sdk	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/sdk/metric	v1.35.0 -> v1.37.0
go.opentelemetry.io/otel/trace	v1.35.0 -> v1.37.0
golang.org/x/exp	v0.0.0-20250305212735-054e65f0b394 -> v0.0.0-20250711185948-6ae5c78190dc
golang.org/x/tools	v0.31.0 -> v0.39.0
google.golang.org/genproto/googleapis/api	v0.0.0-20250404141209-ee84b53bf3d0 -> v0.0.0-20250715232539-7130f93afb79
google.golang.org/genproto/googleapis/rpc	v0.0.0-20250404141209-ee84b53bf3d0 -> v0.0.0-20250715232539-7130f93afb79
cloud.google.com/go	v0.120.0 -> v0.121.3
cloud.google.com/go/compute/metadata	v0.6.0 -> v0.7.0
cloud.google.com/go/iam	v1.5.0 -> v1.5.2
cloud.google.com/go/storage	v1.51.0 -> v1.55.0
github.com/CycloneDX/cyclonedx-go	v0.9.2 -> v0.9.3
github.com/ProtonMail/go-crypto	v1.1.6 -> v1.3.0
github.com/andybalholm/brotli	v1.1.1 -> v1.2.0
github.com/bmatcuk/doublestar/v4	v4.8.1 -> v4.9.1
github.com/cloudflare/circl	v1.6.0 -> v1.6.1
github.com/containerd/containerd	v1.7.27 -> v1.7.29
github.com/docker/cli	v28.0.4+incompatible -> v28.5.2+incompatible
github.com/docker/docker	v28.0.4+incompatible -> v28.5.2+incompatible
github.com/docker/docker-credential-helpers	v0.9.3 -> v0.9.4
github.com/docker/go-connections	v0.5.0 -> v0.6.0
github.com/gabriel-vasile/mimetype	v1.4.8 -> v1.4.11
github.com/go-logr/logr	v1.4.2 -> v1.4.3
github.com/google/go-containerregistry	v0.20.3 -> v0.20.6
github.com/googleapis/gax-go/v2	v2.14.1 -> v2.15.0
github.com/pjbgf/sha1cd	v0.3.2 -> v0.4.0
github.com/sergi/go-diff	v1.3.2-0.20230802210424-5b0b94c5c0d3 -> v1.4.0
github.com/sylabs/sif/v2	v2.21.1 -> v2.22.0
github.com/ulikunitz/xz	v0.5.12 -> v0.5.15
github.com/vbatts/go-mtree	v0.5.4 -> v0.6.0
golang.org/x/crypto	v0.36.0 -> v0.45.0
golang.org/x/mod	v0.24.0 -> v0.30.0
golang.org/x/net	v0.38.0 -> v0.47.0
golang.org/x/oauth2	v0.29.0 -> v0.30.0
golang.org/x/sync	v0.13.0 -> v0.18.0
golang.org/x/term	v0.31.0 -> v0.37.0
golang.org/x/time	v0.11.0 -> v0.14.0
google.golang.org/api	v0.228.0 -> v0.242.0
google.golang.org/genproto	v0.0.0-20250404141209-ee84b53bf3d0 -> v0.0.0-20250715232539-7130f93afb79
google.golang.org/grpc	v1.71.1 -> v1.74.0
gorm.io/gorm	v1.25.12 -> v1.31.1
modernc.org/libc	v1.62.1 -> v1.66.10
modernc.org/memory	v1.9.1 -> v1.11.0
modernc.org/sqlite	v1.37.0 -> v1.40.0
github.com/go-git/go-git/v5	v5.14.0 -> v5.16.3
github.com/spf13/afero	v1.14.0 -> v1.15.0
github.com/spf13/cast	v1.7.1 -> v1.9.2
github.com/spf13/pflag	v1.0.6 -> v1.0.9
golang.org/x/sys	v0.32.0 -> v0.38.0
golang.org/x/text	v0.24.0 -> v0.31.0