fix(deps): add 7-day stabilization delay and cover all Dockerfile tool versions

eFAILution · eFAILution · commit 3a822f9f8b57 · 2026-04-11T16:44:01.000-04:00
Supply chain policy: Renovate minimumReleaseAge set to 7 days.
New releases must age before PRs are opened, reducing exposure to
compromised releases caught within the first week.

Renovate now tracks all Dockerfile ARG versions:
- TRIVY_VERSION, GRYPE_VERSION, SYFT_VERSION, GITLEAKS_VERSION
  (previously only OPENGREP, ACTIONLINT, ZIZMOR were tracked)

Dependabot config updated with supply chain policy documentation.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -1,6 +1,11 @@
 # Dependabot configuration for automated dependency updates
 # Groups updates by semantic version level (major, minor, patch) to reduce PR noise
 # See: https://docs.github.com/github/administering-a-repository/configuration-options-for-dependency-updates
+#
+# SUPPLY CHAIN POLICY: Weekly schedule provides natural delay. Dependabot lacks
+# minimumReleaseAge (Renovate has this for tool versions). Manual review required
+# before merging — check release age and community reports for new versions.
+# Ref: Trivy supply chain attack GHSA-69fq-xp46-6x23, March 2026.
 
 version: 2
 updates:
diff --git a/renovate.yaml b/renovate.yaml
@@ -1,6 +1,10 @@
 # Renovate configuration for dependencies Dependabot can't track.
 # Dependabot handles: GitHub Actions SHAs, npm, pip, Dockerfile FROM.
-# Renovate handles: image tags in Python source, tool versions in shell scripts.
+# Renovate handles: image tags in Python source, tool versions in shell scripts/Dockerfiles.
+#
+# SUPPLY CHAIN POLICY: All updates are delayed 7 days after release.
+# This provides a stabilization window to catch compromised releases
+# (ref: Trivy supply chain attack GHSA-69fq-xp46-6x23, March 2026).
 
 extends:
   - config:recommended
@@ -21,53 +25,66 @@ schedule:
 
 timezone: America/New_York
 
+# 7-day stabilization window — do not propose updates until a release
+# has been published for at least 7 days. Reduces exposure to supply
+# chain attacks that are caught and reverted within the first week.
+minimumReleaseAge: 7 days
+
 # ──────────────────────────────────────────────────
 # Regex managers — match version strings in non-standard files
 # ──────────────────────────────────────────────────
 
 regexManagers:
 
-  # Official container image tags pinned in argus/containers.py
-  # e.g. "aquasec/trivy:0.58.0" → detects trivy, checks Docker Hub
+  # Container image tags pinned in argus/containers.py
+  # e.g. "aquasec/trivy:0.69.3" → detects trivy, checks Docker Hub/GHCR
   - description: Container image tags in argus/containers.py
     fileMatch:
       - argus/containers\.py
     matchStrings:
       - '"(?<depName>[a-z0-9./-]+):(?<currentValue>[^"]+)"'
     datasourceTemplate: docker
 
-  # Tool versions pinned as shell variables in composite actions
-  # e.g. OPENGREP_VERSION=1.18.0, ZIZMOR_VERSION=1.23.1
-  - description: Tool versions pinned in GitHub Actions (TOOL_VERSION= pattern)
+  # Tool versions pinned as ARG in Dockerfiles
+  # e.g. ARG TRIVY_VERSION=0.69.3
+  - description: Tool versions in Dockerfiles (ARG pattern)
     fileMatch:
-      - \.github/actions/.+/action\.yml
+      - docker/Dockerfile\..+
     matchStrings:
-      - (?<depName>OPENGREP)_VERSION[=:]\s*['"]?(?<currentValue>[\d.]+)['"]?
-      - (?<depName>ACTIONLINT)_VERSION[=:]\s*['"]?(?<currentValue>[\d.]+)['"]?
-      - (?<depName>ZIZMOR)_VERSION[=:]\s*['"]?(?<currentValue>[\d.]+)['"]?
+      - ARG (?<depName>TRIVY)_VERSION=(?<currentValue>[\d.]+)
+      - ARG (?<depName>GRYPE)_VERSION=(?<currentValue>[\d.]+)
+      - ARG (?<depName>SYFT)_VERSION=(?<currentValue>[\d.]+)
+      - ARG (?<depName>GITLEAKS)_VERSION=(?<currentValue>[\d.]+)
+      - ARG (?<depName>ACTIONLINT)_VERSION=(?<currentValue>[\d.]+)
+      - ARG (?<depName>OPENGREP)_VERSION=(?<currentValue>[\d.]+)
+      - ARG (?<depName>ZIZMOR)_VERSION=(?<currentValue>[\d.]+)
     datasourceTemplate: github-releases
     lookupNameTemplate: >-
-      {{#if (equals depName 'OPENGREP')}}opengrep/opengrep{{/if}}
+      {{#if (equals depName 'TRIVY')}}aquasecurity/trivy{{/if}}
+      {{#if (equals depName 'GRYPE')}}anchore/grype{{/if}}
+      {{#if (equals depName 'SYFT')}}anchore/syft{{/if}}
+      {{#if (equals depName 'GITLEAKS')}}gitleaks/gitleaks{{/if}}
       {{#if (equals depName 'ACTIONLINT')}}rhysd/actionlint{{/if}}
+      {{#if (equals depName 'OPENGREP')}}opengrep/opengrep{{/if}}
       {{#if (equals depName 'ZIZMOR')}}woodruffw/zizmor{{/if}}
 
-  # Tool versions in custom Dockerfiles (ARG pattern)
-  # e.g. ARG OPENGREP_VERSION=1.18.0
-  - description: Tool versions in custom Dockerfiles
+  # Tool versions pinned as shell variables in composite actions
+  # e.g. OPENGREP_VERSION=1.18.0
+  - description: Tool versions pinned in GitHub Actions (TOOL_VERSION= pattern)
     fileMatch:
-      - docker/Dockerfile\..+
+      - \.github/actions/.+/action\.yml
     matchStrings:
-      - ARG (?<depName>OPENGREP)_VERSION=(?<currentValue>[\d.]+)
-      - ARG (?<depName>ACTIONLINT)_VERSION=(?<currentValue>[\d.]+)
-      - ARG (?<depName>ZIZMOR)_VERSION=(?<currentValue>[\d.]+)
+      - (?<depName>OPENGREP)_VERSION[=:]\s*['"]?(?<currentValue>[\d.]+)['"]?
+      - (?<depName>ACTIONLINT)_VERSION[=:]\s*['"]?(?<currentValue>[\d.]+)['"]?
+      - (?<depName>ZIZMOR)_VERSION[=:]\s*['"]?(?<currentValue>[\d.]+)['"]?
     datasourceTemplate: github-releases
     lookupNameTemplate: >-
       {{#if (equals depName 'OPENGREP')}}opengrep/opengrep{{/if}}
       {{#if (equals depName 'ACTIONLINT')}}rhysd/actionlint{{/if}}
       {{#if (equals depName 'ZIZMOR')}}woodruffw/zizmor{{/if}}
 
 # ──────────────────────────────────────────────────
-# Grouping — reduce PR noise
+# Grouping and policies
 # ──────────────────────────────────────────────────
 
 packageRules:
