CVE Monitor: fixable vulnerabilities in ci-tools

[github-actions]

CVE Monitor Alert

The scheduled Trivy scan found fixable CRITICAL or HIGH vulnerabilities
in the published image ghcr.io/knight-owl-dev/ci-tools:latest.

Next Steps

1. Review the workflow run that triggered this alert
2. Build and scan the image locally to investigate findings
3. Update the base image or affected packages in images/ci-tools/Dockerfile
4. Cut a new release — the publish workflow re-scans before publishing

See docs/supply-chain-security.md
for scanning policy details.

[lex57ukr]

Investigated the scan findings from the workflow run. Both CVEs are Go stdlib issues in upstream binaries — no actionable fix on our side yet.

CVE	Severity	Binary	Go Version	Fixed In
CVE-2026-25679	HIGH	actionlint v1.7.11, yq v4.52.4	1.25.7, 1.26.0	Go 1.26.1
CVE-2026-27137	HIGH	yq v4.52.4	1.26.0	Go 1.26.1

• CVE-2026-25679 — net/url IPv6 host literal parsing
• CVE-2026-27137 — crypto/x509 email constraint enforcement

Neither is exploitable in offline lint/formatting tools. Suppressed in .trivyignore with context; will remove once upstream ships builds on Go >= 1.26.1.