From a8212753aad6e54c52ab270c5d7738226451c2e1 Mon Sep 17 00:00:00 2001
From: Anthony LC
Date: Wed, 25 Feb 2026 10:35:23 +0100
Subject: [PATCH] =?UTF-8?q?=F0=9F=A9=BA(trivy)=20add=20trivyignore=20file?= =?UTF-8?q?=20and=20add=20minimatch=20CVE?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

We added a .trivyignore file to ignore the CVE-2026-26996 vulnerability coming from the y-provider image. We also updated the docker-hub.yml workflow to use this .trivyignore file when scanning our Docker images with Trivy.
---
 .github/.trivyignore | 1 +
 .github/workflows/docker-hub.yml | 6 ++++++
 CHANGELOG.md | 1 +
 3 files changed, 8 insertions(+)
 create mode 100644 .github/.trivyignore

diff --git a/.github/.trivyignore b/.github/.trivyignore
new file mode 100644
index 00000000..bbafe562
--- /dev/null
+++ b/.github/.trivyignore
@@ -0,0 +1 @@
+CVE-2026-26996
diff --git a/.github/workflows/docker-hub.yml b/.github/workflows/docker-hub.yml
index 0784c279..9ac20003 100644
--- a/.github/workflows/docker-hub.yml
+++ b/.github/workflows/docker-hub.yml
@@ -16,6 +16,9 @@ on:
 env:
   DOCKER_USER: 1001:127
 
+permissions:
+  contents: read
+
 jobs:
   build-and-push-backend:
     runs-on: ubuntu-latest
@@ -42,6 +45,7 @@ jobs:
         with:
           docker-build-args: "--target backend-production -f Dockerfile"
           docker-image-name: "docker.io/lasuite/impress-backend:${{ github.sha }}"
+          trivyignores: ./.github/.trivyignore
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
@@ -83,6 +87,7 @@ jobs:
         with:
           docker-build-args: "-f src/frontend/Dockerfile --target frontend-production"
           docker-image-name: "docker.io/lasuite/impress-frontend:${{ github.sha }}"
+          trivyignores: ./.github/.trivyignore
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
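Review bot: The new `.trivyignore` entry at `+CVE-2026-26996` suppresses the finding indefinitely and records no reason, so nothing will bring it back into view once a fixed minimatch release ships. Trivy's plain-text ignore file accepts `#` comment lines and an `exp:` date on an entry, so the file can carry both: `# CVE-2026-26996: minimatch, pulled in by the y-provider image (#1915); re-check once a fixed release is available` followed by `CVE-2026-26996 exp:2026-05-25`. When the date passes the scan fails again and forces a deliberate decision instead of leaving a permanent blind spot.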
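Review bot: The `trivyignores: ./.github/.trivyignore` input added to the backend job suppresses CVE-2026-26996 in an image the commit message does not describe as affected — it attributes the finding to the y-provider image — and the frontend hunk does the same, so a later, genuine occurrence of this CVE in either of those images would be silently ignored. If the intent is only to unblock the y-provider scan, drop the input from the backend and frontend jobs; if all three images really carry the finding, say so in the commit message or in a comment beside the input. Trivy's YAML ignore format (`.trivyignore.yaml`) can scope an entry to a package or path if separate per-image files are not wanted. The action that consumes `trivyignores` is defined outside this hunk, so how it hands the path to Trivy cannot be checked here.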
@@ -124,6 +129,7 @@ jobs:
         with:
           docker-build-args: "-f src/frontend/servers/y-provider/Dockerfile --target y-provider"
           docker-image-name: "docker.io/lasuite/impress-y-provider:${{ github.sha }}"
+          trivyignores: ./.github/.trivyignore
       - name: Build and push
         uses: docker/build-push-action@v6
         with:
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9eae6da7..9def0fed 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -16,6 +16,7 @@ and this project adheres to
 - 👷(CI) add GHCR workflow for forked repo testing #1851
 - ✨(backend) allow the duplication of subpages #1893
 - ✨(backend) Onboarding docs for new users #1891
+- 🩺(trivy) add trivyignore file and add minimatch CVE #1915
 ### Changed
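Review bot: This is the job the commit message ties the CVE to, yet the added `trivyignores: ./.github/.trivyignore` line gives no hint that the scan is being relaxed or why, and the workflow is where the next reader will look first. A one-line comment above it, `# suppresses CVE-2026-26996 (minimatch) until the y-provider image picks up a fixed release — see #1915`, keeps the suppression visible without opening the ignore file. If the vulnerable minimatch is a transitive dependency, a package-manager override in the y-provider package would likely remove the finding rather than hide it — worth checking before this ignore becomes permanent. The step's enclosing job definition starts before this hunk.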