fix: add .trivyignore for base-image CVEs and document security

- Add .trivyignore with known base-image vulnerabilities (ubuntu, node, dotnet, go)
  and expiration dates for re-evaluation on runner upgrades
- Use --ignorefile .trivyignore in validate workflow and builder.sh trivy scan
- Document inherited base-image vulns and .trivyignore in README (base image + Security)

Co-authored-by: Cursor <cursoragent@cursor.com>

Author: miragecentury

.github/workflows/validate.yaml

@@ -90,6 +90,7 @@ jobs:
           IMAGE_NAME: ${{ steps.manifest.outputs.image_name }}
         run: |
           trivy image \
+            --ignorefile .trivyignore \
             --severity HIGH,CRITICAL \
             --exit-code 1 \
             "${IMAGE_NAME}:test"

.trivyignore

@@ -0,0 +1,33 @@
+# Base-image vulnerabilities inherited from ghcr.io/actions/actions-runner.
+# These cannot be fixed in this repo; they are tracked here until the upstream
+# runner image is updated. See README "Security" and RUNNER_VERSION in manifest.yaml.
+# Expiration causes Trivy to re-report after the date so we re-evaluate when
+# upgrading the base image (e.g. via Renovate).
+#
+# Ubuntu (linux-libc-dev / kernel)
+CVE-2024-35870 exp:2026-08-19T00:00:00Z
+CVE-2024-53179 exp:2026-08-19T00:00:00Z
+CVE-2025-37849 exp:2026-08-19T00:00:00Z
+CVE-2025-37899 exp:2026-08-19T00:00:00Z
+CVE-2025-38118 exp:2026-08-19T00:00:00Z
+#
+# Node (runner externals/node20)
+CVE-2024-21538 exp:2026-08-19T00:00:00Z
+CVE-2025-64756 exp:2026-08-19T00:00:00Z
+CVE-2026-26996 exp:2026-08-19T00:00:00Z
+CVE-2026-23745 exp:2026-08-19T00:00:00Z
+CVE-2026-23950 exp:2026-08-19T00:00:00Z
+CVE-2026-24842 exp:2026-08-19T00:00:00Z
+CVE-2026-26960 exp:2026-08-19T00:00:00Z
+#
+# .NET (Runner.Plugins / Runner.Sdk deps)
+CVE-2024-38095 exp:2026-08-19T00:00:00Z
+#
+# Go binaries (containerd, containerd-shim-runc-v2, docker-buildx – stdlib)
+CVE-2025-68121 exp:2026-08-19T00:00:00Z
+CVE-2025-47907 exp:2026-08-19T00:00:00Z
+CVE-2025-58183 exp:2026-08-19T00:00:00Z
+CVE-2025-61726 exp:2026-08-19T00:00:00Z
+CVE-2025-61728 exp:2026-08-19T00:00:00Z
+CVE-2025-61729 exp:2026-08-19T00:00:00Z
+CVE-2025-61730 exp:2026-08-19T00:00:00Z

README.md

@@ -6,7 +6,7 @@ Container image based on the [GitHub Actions Runner](https://github.com/actions/
 
 ### Base image
 
-`ghcr.io/actions/actions-runner` (GitHub Actions Runner)
+`ghcr.io/actions/actions-runner` (GitHub Actions Runner). Vulnerability scan results include components inherited from this base (Ubuntu, Node runner externals, .NET runner deps, containerd, docker-buildx). These cannot be fixed in this repo; we track them in [`.trivyignore`](.trivyignore) with expiration dates and rely on upstream runner image upgrades. Base image version is controlled by `RUNNER_VERSION` in [manifest.yaml](manifest.yaml) and is kept up to date by [Renovate](renovate.json). When upgrading the runner version, review Trivy output and remove or extend entries in `.trivyignore` as fixes become available.
 
 ### Python
 
@@ -199,6 +199,10 @@ git commit -m "WIP"
     └── login_skopeo.sh                  # Registry authentication helper
 ```
 
+## Security
+
+This image is based on [actions/actions-runner](https://github.com/actions/runner). Trivy scans report vulnerabilities in the base image (OS packages, Node runner externals, .NET runner deps, containerd, docker-buildx) that cannot be patched in this repository. Known base-image findings are listed in [`.trivyignore`](.trivyignore) with expiration dates so they are re-evaluated when the base is upgraded. Keep `RUNNER_VERSION` in [manifest.yaml](manifest.yaml) up to date (Renovate opens PRs) and review or remove `.trivyignore` entries when upgrading.
+
 ## License
 
 [MIT](LICENSE)

scripts/builder.sh

@@ -288,6 +288,7 @@ trivy_scan () {
     set +e
     trivy_scan_exec=$(\
             trivy image \
+            --ignorefile .trivyignore \
             --input ${BUILD_DIR}/${IMAGE_NAME}-${IMAGE_TAG}.tar \
             --format github \
             --severity HIGH,CRITICAL \