ci(trivy): ignore unfixed vulns and scan only library packages

- Add --ignore-unfixed and --pkg-types library to Trivy in builder and validate workflow
- Do not report base-image OS packages; keep .trivyignore for any remaining base-origin library findings
- Simplify .trivyignore expiration format (date only)
- Update README base image, pipeline, and Security sections

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: miragecentury

.github/workflows/validate.yaml

@@ -90,6 +90,8 @@ jobs:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
         run: |
           trivy image \
+            --ignore-unfixed \
+            --pkg-types library \
             --ignorefile .trivyignore \
             --severity HIGH,CRITICAL \
             --exit-code 1 \

.trivyignore

@@ -5,29 +5,29 @@
 # upgrading the base image (e.g. via Renovate).
 #
 # Ubuntu (linux-libc-dev / kernel)
-CVE-2024-35870 exp:2026-08-19T00:00:00+0000
-CVE-2024-53179 exp:2026-08-19T00:00:00+0000
-CVE-2025-37849 exp:2026-08-19T00:00:00+0000
-CVE-2025-37899 exp:2026-08-19T00:00:00+0000
-CVE-2025-38118 exp:2026-08-19T00:00:00+0000
+CVE-2024-35870 exp:2026-08-19
+CVE-2024-53179 exp:2026-08-19
+CVE-2025-37849 exp:2026-08-19
+CVE-2025-37899 exp:2026-08-19
+CVE-2025-38118 exp:2026-08-19
 #
 # Node (runner externals/node20)
-CVE-2024-21538 exp:2026-08-19T00:00:00+0000
-CVE-2025-64756 exp:2026-08-19T00:00:00+0000
-CVE-2026-26996 exp:2026-08-19T00:00:00+0000
-CVE-2026-23745 exp:2026-08-19T00:00:00+0000
-CVE-2026-23950 exp:2026-08-19T00:00:00+0000
-CVE-2026-24842 exp:2026-08-19T00:00:00+0000
-CVE-2026-26960 exp:2026-08-19T00:00:00+0000
+CVE-2024-21538 exp:2026-08-19
+CVE-2025-64756 exp:2026-08-19
+CVE-2026-26996 exp:2026-08-19
+CVE-2026-23745 exp:2026-08-19
+CVE-2026-23950 exp:2026-08-19
+CVE-2026-24842 exp:2026-08-19
+CVE-2026-26960 exp:2026-08-19
 #
 # .NET (Runner.Plugins / Runner.Sdk deps)
-CVE-2024-38095 exp:2026-08-19T00:00:00+0000
+CVE-2024-38095 exp:2026-08-19
 #
 # Go binaries (containerd, containerd-shim-runc-v2, docker-buildx – stdlib)
-CVE-2025-68121 exp:2026-08-19T00:00:00+0000
-CVE-2025-47907 exp:2026-08-19T00:00:00+0000
-CVE-2025-58183 exp:2026-08-19T00:00:00+0000
-CVE-2025-61726 exp:2026-08-19T00:00:00+0000
-CVE-2025-61728 exp:2026-08-19T00:00:00+0000
-CVE-2025-61729 exp:2026-08-19T00:00:00+0000
-CVE-2025-61730 exp:2026-08-19T00:00:00+0000
+CVE-2025-68121 exp:2026-08-19
+CVE-2025-47907 exp:2026-08-19
+CVE-2025-58183 exp:2026-08-19
+CVE-2025-61726 exp:2026-08-19
+CVE-2025-61728 exp:2026-08-19
+CVE-2025-61729 exp:2026-08-19
+CVE-2025-61730 exp:2026-08-19

README.md

@@ -6,7 +6,7 @@ Container image based on the [GitHub Actions Runner](https://github.com/actions/
 
 ### Base image
 
-`ghcr.io/actions/actions-runner` (GitHub Actions Runner). Vulnerability scan results include components inherited from this base (Ubuntu, Node runner externals, .NET runner deps, containerd, docker-buildx). These cannot be fixed in this repo; we track them in [`.trivyignore`](.trivyignore) with expiration dates and rely on upstream runner image upgrades. Base image version is controlled by `RUNNER_VERSION` in [manifest.yaml](manifest.yaml) and is kept up to date by [Renovate](renovate.json). When upgrading the runner version, review Trivy output and remove or extend entries in `.trivyignore` as fixes become available.
+`ghcr.io/actions/actions-runner` (GitHub Actions Runner). Trivy is run with `--pkg-types library` and `--ignore-unfixed`, so OS packages from the base image (Ubuntu, containerd, docker-buildx, etc.) are not reported. Any remaining base-origin library findings can be listed in [`.trivyignore`](.trivyignore) with expiration dates. Base image version is controlled by `RUNNER_VERSION` in [manifest.yaml](manifest.yaml) and is kept up to date by [Renovate](renovate.json).
 
 ### Python
 
@@ -65,7 +65,7 @@ When a new version is determined, the release workflow:
 3. Validates the Containerfile with hadolint
 4. Builds the image with `buildah` (OCI format, squashed layers)
 5. Runs `dive` filesystem efficiency scan
-6. Runs `trivy` vulnerability scan (HIGH/CRITICAL)
+6. Runs `trivy` vulnerability scan (library packages only, HIGH/CRITICAL, unfixed ignored)
 7. Pushes to GHCR with semver tags: `1.2.3`, `1.2`, `1`, `latest`
 
 ### Image tags
@@ -201,7 +201,7 @@ git commit -m "WIP"
 
 ## Security
 
-This image is based on [actions/actions-runner](https://github.com/actions/runner). Trivy scans report vulnerabilities in the base image (OS packages, Node runner externals, .NET runner deps, containerd, docker-buildx) that cannot be patched in this repository. Known base-image findings are listed in [`.trivyignore`](.trivyignore) with expiration dates so they are re-evaluated when the base is upgraded. Keep `RUNNER_VERSION` in [manifest.yaml](manifest.yaml) up to date (Renovate opens PRs) and review or remove `.trivyignore` entries when upgrading.
+This image is based on [actions/actions-runner](https://github.com/actions/runner). Trivy is configured to scan only library packages and to ignore unfixed vulnerabilities, so base-image OS packages are not reported. Any remaining base-origin findings can be listed in [`.trivyignore`](.trivyignore) with expiration dates. Keep `RUNNER_VERSION` in [manifest.yaml](manifest.yaml) up to date (Renovate opens PRs) and review or remove `.trivyignore` entries when upgrading.
 
 ## License
 

scripts/builder.sh

@@ -288,6 +288,8 @@ trivy_scan () {
     set +e
     trivy_scan_exec=$(\
             trivy image \
+            --ignore-unfixed \
+            --pkg-types library \
             --ignorefile .trivyignore \
             --input ${BUILD_DIR}/${IMAGE_NAME}-${IMAGE_TAG}.tar \
             --format github \