From fd8d711dd9c82c88dea5ce318765484916839106 Mon Sep 17 00:00:00 2001
From: Ashir Amin
Date: Sat, 14 Mar 2026 13:13:17 -0500
Subject: [PATCH 1/2] Fix Trivy CI: upgrade OS packages to patch linux-libc-dev vulnerabilities
Add apt-get upgrade -y to both builder and runtime stages of the Dockerfile to pick up security patches for OS-level packages. All 9 CRITICAL/HIGH CVEs (linux-libc-dev) are fixed by upgrading to the latest patched versions from Debian stable. Also switch from apt to apt-get for proper non-interactive usage.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/Dockerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index 9b9c9c2..b6a40c5 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -1,7 +1,7 @@
 # Stage 1: Build the Go agent binary
 FROM debian:stable-slim AS builder
-RUN apt update && apt install -y protobuf-compiler git wget build-essential
+RUN apt-get update && apt-get upgrade -y && apt-get install -y protobuf-compiler git wget build-essential
 ENV GOLANG_VERSION=1.26.1
 RUN wget -q "https://dl.google.com/go/go${GOLANG_VERSION}.linux-$(dpkg --print-architecture).tar.gz" -O /tmp/go.tar.gz \
@@ -22,7 +22,7 @@ FROM debian:stable-slim
 WORKDIR /agent
 # Install dependencies
-RUN apt update && apt install -y protobuf-compiler git python3 python3-venv wget build-essential openssl jq
+RUN apt-get update && apt-get upgrade -y && apt-get install -y protobuf-compiler git python3 python3-venv wget build-essential openssl jq
 # Install NodeJS and Snyk Broker
 ENV NODE_VERSION=20
From acc02691fb61738d014881c35f553a4e5d68ef3b Mon Sep 17 00:00:00 2001
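Review bot: The patched state added in the first hunk (`@@ -1,7 +1,7 @@`) is not pinned to anything: `FROM debian:stable-slim` is a floating tag and `apt-get upgrade -y` resolves to whatever the mirrors serve at build time, while Docker's layer cache reuses this `RUN` layer until something above it changes, so a cached CI build can keep shipping the old `linux-libc-dev`. Consider moving the base to a dated tag or digest (placeholder: `debian:<release>-slim@sha256:<digest>`) and building the scanned image with `--pull --no-cache`; the same applies to the runtime-stage hunk at `@@ -22,7 +22,7 @@`. While the line is being touched, `--no-install-recommends` and `&& rm -rf /var/lib/apt/lists/*` in the same `RUN` would keep the package set and the layer smaller. The builder stage looks like it is discarded after the Go build, so the upgrade here probably does not change what Trivy sees in the final image; the rest of the stage is outside the hunk, so confirm.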
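Review bot: The runtime-stage `RUN` in the second hunk (`@@ -22,7 +22,7 @@`) still installs `build-essential`, and `linux-libc-dev` is normally pulled in through it (via `libc6-dev`), so the CVEs are being patched in a package the running agent probably does not need. If nothing compiles code at runtime, dropping the toolchain from this stage removes the findings permanently instead of relying on each rebuild to pick up a fix, e.g. `apt-get install -y --no-install-recommends git python3 python3-venv wget openssl jq` (keep `protobuf-compiler` only if it is used at runtime). The remainder of the stage is outside the hunk, so check first whether a later step such as the npm or snyk-broker build needs a compiler; if it does, that step is a candidate for its own build stage.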
From: Ashir Amin
Date: Sat, 14 Mar 2026 13:21:05 -0500
Subject: [PATCH 2/2] Use apt-get consistently for nodejs install
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Switch remaining apt → apt-get on line 31 for consistency with the rest of the Dockerfile.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 docker/Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/docker/Dockerfile b/docker/Dockerfile
index b6a40c5..afe2dc6 100644
--- a/docker/Dockerfile
+++ b/docker/Dockerfile
@@ -28,7 +28,7 @@ RUN apt-get update && apt-get upgrade -y && apt-get install -y protobuf-compiler
 ENV NODE_VERSION=20
 ARG SNYK_BROKER_VERSION=v1.0.7-axon
-RUN wget -q -O - https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && apt install -y nodejs
+RUN wget -q -O - https://deb.nodesource.com/setup_${NODE_VERSION}.x | bash - && apt-get install -y nodejs
 RUN npm install --global npm@latest typescript@4.9.3
 RUN git clone https://github.com/cortexapps/snyk-broker.git /tmp/snyk-broker && \
 cd /tmp/snyk-broker && \
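Review bot: The `wget ... | bash -` on the changed line runs under the default `/bin/sh -c` without `pipefail`, so if the download of `setup_${NODE_VERSION}.x` fails, `bash` reads empty input and exits 0, and `apt-get install -y nodejs` goes on to install whatever `nodejs` the Debian repositories offer instead of Node 20. Adding `SHELL ["/bin/bash", "-o", "pipefail", "-c"]` before this `RUN` makes that failure stop the build. The script is also executed as root at build time with no integrity check; configuring the NodeSource apt repository with its signing key (a `signed-by=` source entry) instead of piping the setup script would give package-level signature verification. `npm@latest` on the following context line is likewise unpinned, which makes the image contents depend on the build date.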