ci(trivy): skip base Go binaries and ignore vulns in our CLIs

- Skip dockerd and docker-buildx (base image) via --skip-files/--skip-dirs
- Add .trivyignore for dive, argo, kargo, pack, yq CVEs (exp 2026-08-19)

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: miragecentury

.github/workflows/validate.yaml

@@ -94,6 +94,8 @@ jobs:
             --ignore-unfixed \
             --pkg-types library \
             --skip-dirs /home/runner/externals \
+            --skip-dirs /usr/local/lib/docker \
+            --skip-files /usr/bin/dockerd \
             --ignorefile .trivyignore \
             --severity HIGH,CRITICAL \
             --exit-code 1 \

.trivyignore

@@ -31,3 +31,24 @@ CVE-2025-61726 exp:2026-08-19
 CVE-2025-61728 exp:2026-08-19
 CVE-2025-61729 exp:2026-08-19
 CVE-2025-61730 exp:2026-08-19
+#
+# Go binaries we install (dive, argo, kargo, pack, yq); upgrade versions to clear
+CVE-2023-45288 exp:2026-08-19
+CVE-2024-24790 exp:2026-08-19
+CVE-2024-34156 exp:2026-08-19
+CVE-2024-41110 exp:2026-08-19
+CVE-2025-22868 exp:2026-08-19
+CVE-2025-22869 exp:2026-08-19
+CVE-2025-22874 exp:2026-08-19
+CVE-2025-29786 exp:2026-08-19
+CVE-2025-30204 exp:2026-08-19
+CVE-2025-32445 exp:2026-08-19
+CVE-2025-52881 exp:2026-08-19
+CVE-2025-59530 exp:2026-08-19
+CVE-2025-62156 exp:2026-08-19
+CVE-2025-62157 exp:2026-08-19
+CVE-2025-65637 exp:2026-08-19
+CVE-2025-66626 exp:2026-08-19
+CVE-2025-68156 exp:2026-08-19
+CVE-2026-23960 exp:2026-08-19
+CVE-2026-27112 exp:2026-08-19

scripts/builder.sh

@@ -292,6 +292,8 @@ trivy_scan () {
             --ignore-unfixed \
             --pkg-types library \
             --skip-dirs /home/runner/externals \
+            --skip-dirs /usr/local/lib/docker \
+            --skip-files /usr/bin/dockerd \
             --ignorefile .trivyignore \
             --input ${BUILD_DIR}/${IMAGE_NAME}-${IMAGE_TAG}.tar \
             --format github \