elastic / cloudbeat / 25405204299
76%
main: 76%

LAST BUILD BRANCH: gh-readonly-queue/main/pr-5905-d03fd415d9e28cf3af24cfcbe837285545a05be6
DEFAULT BRANCH: main
Ran
Jobs 1
Files 235
Run time 1min
Badge
Embed ▾
README BADGES
x

If you need to use a raster PNG badge, change the '.svg' to '.png' in the link

Markdown

Textile

RDoc

HTML

Rst
coverage: 75.807%. Remained the same
25405204299

push

github

web-flow 
[9.4](backport #4380) chore: upgrade trivy to v0.69.3 with GOEXPERIMENT=jsonv2 (#5907)

## Summary

- Upgrades `github.com/aquasecurity/trivy` from `v0.66.0` to `v0.69.3`
- Adds `GOEXPERIMENT=jsonv2` to all build paths — required because trivy
v0.67+ imports Go's experimental `encoding/json/v2` packages which are
only available at compile time when this flag is set
- Removes transitive dependency on deprecated AWS SDK v1
(`github.com/aws/aws-sdk-go v1.55.8`) which was previously pulled in by
trivy v0.66.0
- Co-upgrades 22 transitive dependencies (trivy-checks, trivy-db, opa
v1.8→v1.11, helm v3.18→v3.19, k8s.io v0.33→v0.34, kustomize v0.19→v0.20,
and others)

## Why GOEXPERIMENT=jsonv2 is needed

Starting with trivy v0.67.0, trivy uses `encoding/json/v2` (Go's
experimental next-gen JSON library) via
`github.com/aquasecurity/trivy/pkg/x/json`. Without
`GOEXPERIMENT=jsonv2` set at **compile time**, any `go build` that
imports trivy fails with:
```
build constraints exclude all Go files in .../encoding/json/jsontext
```

Go 1.26.1 (already in use) satisfies the Go ≥ 1.25 requirement, but the
flag is still required as `encoding/json/v2` remains experimental.

## Files changed

| File | Change |
|------|--------|
| `go.mod` / `go.sum` | Bumped trivy + transitive deps |
| `magefile.go` | `args.Env["GOEXPERIMENT"] = "jsonv2"` in `Build()` and
`GolangCrossBuild()` |
| `.buildkite/scripts/package.sh` | `export GOEXPERIMENT=jsonv2` after
hermit activation |
| `.github/workflows/packaging.yml` | Added to top-level `env:` |
| `.github/workflows/ci-pull_request.yml` | New top-level `env:` block |
| `.github/workflows/binary-size-monitor.yml` | Added to `env:` |
| `.github/workflows/eks-ci.yml` | Added to `env:` |
| `.github/actions/docker-images/action.yml` | Added to `Build cloudbeat
binary` step `env:` |
| `justfile` | Inline `GOEXPERIMENT=jsonv2` on `go build` in
`build-binary` and `build-cloudbeat-debug` |

## Test plan

- [x] `GOEXPERIMENT=jsonv2 go build ./..... (continued)

9726 of 12830 relevant lines covered (75.81%)

16.4 hits per line

Jobs
ID Job ID Ran Files Coverage
1 25405204299.1 235
75.81
 GitHub Action Run
Source Files on build 25405204299