What happened:
The Trivy vulnerability scan in CI fails for all service images that use registry.access.redhat.com/ubi9/ubi-minimal:9.6 as their Docker base image. Three HIGH-severity CVEs with available fixes are detected, causing the build workflow to exit with code 1.
Affected Dockerfiles:
- chaoscenter/graphql/server/Dockerfile
- chaoscenter/authentication/Dockerfile
- chaoscenter/subscriber/Dockerfile
- chaoscenter/event-tracker/Dockerfile
CVEs detected:

| Package | CVE | Severity | Installed | Fixed |
|---|---|---|---|---|
| gnupg2 | CVE-2025-68973 | HIGH | 2.3.3-4.el9 | 2.3.3-5.el9_7 |
| openssl-libs | CVE-2025-15467 | HIGH | 1:3.2.2-6.el9_5.1 | 1:3.5.1-7.el9_7 |
| sqlite-libs | CVE-2025-6965 | HIGH | 3.34.1-8.el9_6 | 3.34.1-9.el9_7 |
What you expected to happen:
The Trivy scan should pass with 0 HIGH/CRITICAL findings so that CI builds succeed on all branches.
Where can this issue be corrected? (optional)
Bump the base image tag in all four Dockerfiles listed above:
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 → FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7
How to reproduce it (as minimally and precisely as possible):
You can look at the docker-build-graphql-server check in current CI on PRs.
Anything else we need to know?:
All three CVE fixes ship in el9_7 packages, which are included in ubi9/ubi-minimal:9.7.
Bumping the tag to 9.7 was verified locally — Trivy reports 0 CRITICAL, 0 HIGH on the rebuilt image (exit code 0).
The Go binary layer is unaffected (0 findings).
I can open a PR for this; please assign this issue to me. Here is the local run:
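To make the CI gate's decision explicit, the following is an added Python example (not code from the project or this issue) that applies the same policy the build applies, fail on HIGH/CRITICAL findings that have a fix available, to a `trivy image --format json` report. The report embedded below is a constructed sample reproducing the three findings from the table above; the field names (`Results`, `Vulnerabilities`, `VulnerabilityID`, `FixedVersion`, ...) follow Trivy's JSON output, and `CVE-PLACEHOLDER-1` is a made-up id used only to show an unfixed finding being ignored.

```python
import json

# Constructed sample in the shape of `trivy image --format json` output,
# reproducing the three HIGH findings from the issue plus one unfixed
# MEDIUM finding (placeholder id) that the gate must ignore.
SAMPLE_REPORT = json.dumps({
    "ArtifactName": "registry.access.redhat.com/ubi9/ubi-minimal:9.6",
    "Results": [
        {
            "Target": "registry.access.redhat.com/ubi9/ubi-minimal:9.6 (redhat 9.6)",
            "Class": "os-pkgs",
            "Vulnerabilities": [
                {"VulnerabilityID": "CVE-2025-68973", "PkgName": "gnupg2",
                 "InstalledVersion": "2.3.3-4.el9", "FixedVersion": "2.3.3-5.el9_7",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2025-15467", "PkgName": "openssl-libs",
                 "InstalledVersion": "1:3.2.2-6.el9_5.1", "FixedVersion": "1:3.5.1-7.el9_7",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-2025-6965", "PkgName": "sqlite-libs",
                 "InstalledVersion": "3.34.1-8.el9_6", "FixedVersion": "3.34.1-9.el9_7",
                 "Severity": "HIGH"},
                {"VulnerabilityID": "CVE-PLACEHOLDER-1", "PkgName": "example-pkg",
                 "InstalledVersion": "1.0-1.el9", "FixedVersion": "", "Severity": "MEDIUM"},
            ],
        },
        # The Go binary layer: no findings, as reported in the issue.
        {"Target": "app/server", "Class": "lang-pkgs", "Type": "gobinary", "Vulnerabilities": []},
    ],
})

GATE_SEVERITIES = {"HIGH", "CRITICAL"}


def fixable_findings(report_json: str, severities=GATE_SEVERITIES) -> list[dict]:
    """Findings that fail a `--severity HIGH,CRITICAL --ignore-unfixed` scan."""
    hits = []
    for result in json.loads(report_json).get("Results", []):
        for v in result.get("Vulnerabilities") or []:   # key may be absent or null
            if v.get("Severity") in severities and v.get("FixedVersion"):
                hits.append({"target": result.get("Target"), "pkg": v["PkgName"],
                             "cve": v["VulnerabilityID"], "severity": v["Severity"],
                             "installed": v["InstalledVersion"], "fixed": v["FixedVersion"]})
    return hits


def gate_exit_code(report_json: str) -> int:
    """Mirror `--exit-code 1`: 1 if any fixable HIGH/CRITICAL finding, else 0."""
    return 1 if fixable_findings(report_json) else 0


if __name__ == "__main__":
    for h in fixable_findings(SAMPLE_REPORT):
        print(f"{h['pkg']:<14}{h['cve']:<18}{h['severity']:<6}{h['installed']:<20}{h['fixed']}")
    raise SystemExit(gate_exit_code(SAMPLE_REPORT))
```

Running it prints the same three rows as the table and exits 1, which is the failure the CI workflow reports; a report with those packages at the el9_7 versions yields exit 0.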