From c371b9a04f214383b0ec3593c1699211ec357793 Mon Sep 17 00:00:00 2001 From: Steve Dogiakos Date: Sun, 3 May 2026 09:35:38 -0600 Subject: [PATCH] ci: suppress 3 unfixed Debian CVEs via .trivyignore CVE-2025-69720 (ncurses), CVE-2026-27135 (nghttp2), and CVE-2026-29111 (systemd) have no upstream fix available. .trivyignore suppresses them so Trivy can still gate on all other CRITICAL/HIGH findings without relying on the coarser ignore-unfixed flag in the workflow. --- .trivyignore | 11 +++++++++++ 1 file changed, 11 insertions(+) create mode 100644 .trivyignore diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..8e9c2a2 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,11 @@ +# Unfixed OS-level vulnerabilities in Debian 13 (trixie) base image. +# No fix available upstream as of 2026-04-27; revisit when patches land. + +# ncurses: buffer overflow (libncursesw6, libtinfo6, ncurses-base, ncurses-bin) +CVE-2025-69720 + +# nghttp2: DoS via malformed HTTP/2 frames after session termination (libnghttp2-14) +CVE-2026-27135 + +# systemd: arbitrary code execution / DoS via spurious IPC (libsystemd0, libudev1) +CVE-2026-29111
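Review bot: The three entries in the new .trivyignore hunk have no expiry, so the "revisit when patches land" intent in the header comment depends on someone remembering to come back. Trivy's .trivyignore format accepts a per-entry expiration date (`CVE-2025-69720 exp:2026-06-30`), after which the finding is reported again and the gate fails; putting a date on each line turns the comment into an enforced re-check, and the "as of 2026-04-27" date in the comment is already behind the commit date, so re-verifying that all three are still unfixed at merge time would be worth doing. Two smaller points: the commit message says this avoids the coarser `--ignore-unfixed` flag in the workflow, but the workflow file is not part of this diff, so the PR should either remove that flag in the same change or state that it is not set, otherwise these entries are redundant; and since .trivyignore applies to every scan target in the repository, consider recording the affected package names on each entry (they are in the comments now, which is good) so that a future reader can tell that the suppression is scoped to the Debian base-image packages and not to something in the application layer.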