chore(deps): bump github.com/aquasecurity/trivy from 0.70.0 to 0.71.1 in the trivy group across 1 directory

[dependabot]

Bumps the trivy group with 1 update in the / directory: github.com/aquasecurity/trivy.

Updates github.com/aquasecurity/trivy from 0.70.0 to 0.71.1

Release notes

Sourced from github.com/aquasecurity/trivy's releases.

v0.71.0

⚡ Highlights ⚡

👉 aquasecurity/trivy#10767

Changelog

https://github.com/aquasecurity/trivy/blob/main/CHANGELOG.md#0710-2026-06-01

Changelog

Sourced from github.com/aquasecurity/trivy's changelog.

0.71.1 (2026-06-10)

Bug Fixes

• forward ospkg detector options through ospkg.NewScanner [backport: release/v0.71] (#10825) (3dd9847)
• oci: validate artifact filename (a72d9a4)
• surface the original analysis error instead of context cancellation [backport: release/v0.71] (#10812) (43d1d26)
• vex: load VEX documents from within the repository directory [backport: release/v0.71] (#10821) (a62cbe4)

0.71.0 (2026-06-01)

Features

• add WithDriver and WithProvider options to ospkg detector (#10740) (f8a6ddb)
• java: support <mirrors> from settings.xml (#10692) (c080ce3)
• sbom: support for CycloneDX 1.7 (#10715) (04f739e)
• seal: add vendor support for language file detection. (#10297) (b08bf6a)
• secret: add a way to customize skipped folders, files and exts (#10550) (e4325b1)
• secret: add Azure secret detection rules (#10562) (69dcd18)
• secret: add Maven rules to detect passwords and passphrases in settings.xml and settings-security.xml files (#10704) (9ad901d)
• spdx: add SHA-512 hash algorithm support to SPDX serializer (#10719) (f2a1237)
• ubuntu: detect Ubuntu 26.04 LTS (#10592) (a61feac)

Bug Fixes

• cloudformation: propagate AWS::EC2::Instance MetadataOptions (#10731) (ac2f3d7)
• image: correctly reconstruct RUN instructions built without BuildKit (#10714) (519eac9)
• java: surface 429 from a remote Maven repository as a fatal error when scanning pom.xml files (#10693) (f8fdb93)
• misconf: fix rendering of nested values in terraform plan lists (#10746) (9c1cf65)
• misconf: make identifiers in ignore rules case-insensitive (#10375) (a75a468)
• misconf: prevent path traversal in Terraform filesystem functions (#10664) (9d91b88)
• misconf: reject nil plays during playbook parsing (#10273) (0bc5c6d)
• misconf: skip null cty values in AsMapValue to prevent panic (#10723) (f080e1e)
• misconf: skip resources with no after changes (#10352) (f099dc4)
• nodejs: handle legacy license formats in npm lockfile parser (#10684) (451fd99)
• nodejs: silently skip subdirectory package.json files with invalid names (#10609) (0e4dc66)
• overwrite OS packages PURLs after overwrite OS (#10298) (39a28ed)
• pull instead of clone when test repo already exists (#10636) (3a2f7fb)
• report: don't produce trailing comma in gitlab.tpl links array (#10728) (69e78e2)
• secret: correctly skip secret-scanner config file from scanning (#10666) (fc1e46f)

Commits

• 164b383 release: v0.71.1 [release/v0.71] (#10818)
• a72d9a4 fix(oci): validate artifact filename
• 3dd9847 fix: forward ospkg detector options through ospkg.NewScanner [backport: relea...
• a62cbe4 fix(vex): load VEX documents from within the repository directory [backport: ...
• 43d1d26 fix: surface the original analysis error instead of context cancellation [bac...
• ac7696c ci: expect GitHub App bot as backport PR author [backport: release/v0.71] (#1...
• 9b49920 release: v0.71.0 [main] (#10638)
• 35cefae ci: use only the first line of commit message in release-please workflow (#10...
• f8a6ddb feat: add WithDriver and WithProvider options to ospkg detector (#10740)
• 3ea80c0 chore(deps): bump github.com/google/go-containerregistry to v0.21.6 (#10741)
• Additional commits viewable in compare view

Most Recent Ignore Conditions Applied to This Pull Request

Dependency Name	Ignore Conditions
github.com/aquasecurity/trivy	[>= 0.50.2.a, < 0.50.3]
github.com/aquasecurity/trivy	[< 0.51, > 0.50.1]