NHSDigital · anthony-nhs · Mar 10, 2026 · Mar 9, 2026 · Mar 9, 2026 · Mar 9, 2026
diff --git a/.github/workflows/build_multi_arch_image.yml b/.github/workflows/build_multi_arch_image.yml
@@ -66,7 +66,7 @@ jobs:
       - name: setup trivy
         uses: aquasecurity/setup-trivy@3fb12ec12f41e471780db15c232d5dd185dcb514
         with:
-          version: v0.69.1
+          version: v0.69.3
       - name: setup node
         uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238
         with:

diff --git a/.tool-versions b/.tool-versions
@@ -5,5 +5,5 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
 yq 4.52.2
diff --git a/src/base/.devcontainer/.tool-versions b/src/base/.devcontainer/.tool-versions
@@ -2,5 +2,5 @@ shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.10
 ruby 3.3.0
-trivy 0.69.1
+trivy 0.69.3
 yq 4.52.2
diff --git a/src/common/.trivyignore.yaml b/src/common/.trivyignore.yaml
@@ -323,3 +323,40 @@ vulnerabilities:
     purls:
       - "pkg:golang/stdlib@v1.25.6"
     expired_at: 2026-08-13
+  - id: CVE-2025-15558
+    statement: "docker/cli: Docker CLI for Windows: Privilege escalation via malicious plugin binaries"
+    purls:
+      - "pkg:golang/github.com/docker/cli@v28.5.1%2Bincompatible"
+      - "pkg:golang/github.com/docker/cli@v29.0.3%2Bincompatible"
+      - "pkg:golang/github.com/docker/cli@v29.1.1%2Bincompatible"
+    expired_at: 2026-09-09
+  - id: CVE-2026-24051
+    statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+    purls:
+      - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.36.0"
+    expired_at: 2026-09-09
+  - id: CVE-2024-35870
+    statement: "kernel: smb: client: fix UAF in smb2_reconnect_server()"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2024-53179
+    statement: "kernel: smb: client: fix use-after-free of signing key"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2025-21780
+    statement: "kernel: drm/amdgpu: avoid buffer overflow attach in smu_sys_set_pp_table()"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2025-37899
+    statement: "kernel: ksmbd: fix use-after-free in session logoff"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
+  - id: CVE-2025-38118
+    statement: "kernel: Linux kernel: Bluetooth MGMT use-after-free vulnerability allows privilege escalation"
+    purls:
+      - "pkg:deb/ubuntu/linux-libc-dev@5.15.0-170.180?arch=amd64&distro=ubuntu-22.04"
+    expired_at: 2026-09-09
diff --git a/src/common_node_24/.trivyignore.yaml b/src/common_node_24/.trivyignore.yaml
@@ -53,3 +53,8 @@ vulnerabilities:
       - "pkg:npm/minimatch@10.0.3"
       - "pkg:npm/minimatch@9.0.5"
     expired_at: 2026-08-27
+  - id: CVE-2026-29786
+    statement: "node-tar is a full-featured Tar for Node.js. Prior to version 7.5.10,  ..."
+    purls:
+      - "pkg:npm/tar@7.5.1"
+    expired_at: 2026-09-09
diff --git a/src/projects/eps-storage-terraform/.trivyignore.yaml b/src/projects/eps-storage-terraform/.trivyignore.yaml
@@ -105,3 +105,8 @@ vulnerabilities:
     purls:
       - "pkg:deb/ubuntu/firefox@147.0.4%2Bbuild1-0ubuntu0.22.04.1~mt1?arch=amd64&distro=ubuntu-22.04"
     expired_at: 2026-08-16
+  - id: CVE-2026-24051
+    statement: "OpenTelemetry Go SDK Vulnerable to Arbitrary Code Execution via PATH Hijacking"
+    purls:
+      - "pkg:golang/go.opentelemetry.io/otel/sdk@v1.38.0"
+    expired_at: 2026-09-10