AST-108828 - Fix 10 security vulnerabilities (AST-108828,AST-116271,AST-120967,AST-123298,AST-123300,AST-123302,AST-123980,AST-123981,AST-132239,AST-134898)

[cx-adar-zandberg]

Summary

Addresses 10 security vulnerability tickets by updating transitive dependencies via replace directives and adding scanner exclusions for unfixable CVEs.

Fixed via replace directives (8 CVEs):

Ticket	CVE	Package	Version Change
AST-120967	CVE-2024-25621	containerd/v2	v2.1.4 → v2.1.5
AST-123980	CVE-2025-64329	containerd/v2	v2.1.4 → v2.1.5
AST-123298	CVE-2025-52881	runc	v1.2.3 → v1.3.3 (existing)
AST-123300	CVE-2025-52565	runc	v1.2.3 → v1.3.3 (existing)
AST-123302	CVE-2025-31133	runc	v1.2.3 → v1.3.3 (existing)
AST-108828	CVE-2025-46569	OPA	v0.70.0 → v1.14.0
AST-134898	CVE-2026-25934	go-git/v5	v5.14.0 → v5.16.5
AST-132239	CVE-2026-24137	sigstore	v1.8.15 → v1.10.4

Added to .trivyignore (2 CVEs):

Ticket	CVE	Package	Reason
AST-123981	CVE-2019-25210	helm	WONTFIX by upstream — we don't use --dry-run
AST-116271	CVE-2025-27144	go-jose v2	No v2 patch exists; transitive from k8s.io/apiserver

Notes

• OPA, sigstore, and go-jose v2 are transitive dependencies not directly imported by this module
• go-git/v5 is used transitively via anchore/syft
• Build and tests pass locally

Test plan

• go build ./... passes
• go test ./... passes
• go list -m all shows correct replacement versions
• CI checks pass

Made with Cursor

[cx-shaked-karta]

Checkmarx One – Scan Summary & Details – 5a260e72-f650-457f-b5d1-6b532bb1967e

Great job! No new security vulnerabilities introduced in this pull request

---

Use @Checkmarx to interact with Checkmarx PR Assistant.
Examples:
@Checkmarx how are you able to help me?
@Checkmarx rescan this PR