
fix(deps): bump buildkit to v0.28.1 (CVE-2026-33747/33748) via kubescape fork#4954

Merged
devantler merged 4 commits into
mainfrom
claude/trusting-wilbur-7383f4
May 30, 2026

Conversation

@devantler (Contributor)

What

Bumps github.com/moby/buildkit from v0.26.3 → v0.28.1, which carries the fixes for two HIGH advisories that are reachable in KSail:

  • GO-2026-4858 / CVE-2026-33747 — a malicious custom frontend can write files outside the BuildKit state directory.
  • GO-2026-4859 / CVE-2026-33748 — a Git URL #ref:subdir fragment can access restricted files outside the checked-out repo root.

Both are reachable transitively via kubescape's image-patch (copa) path: pkg/client/kubescape → kubescape/v3/core/core → docker/buildx/build → moby/buildkit.

Supersedes #4615 (the stale Dependabot bump, CONFLICTING/DIRTY for ~3.5 weeks with all required checks red). Closes the buildkit half of the govulncheck backlog tracked in #4894; the golang.org/x/{crypto,net,image} half was handled in #4951.

Why #4615 was stuck (genuine API break, not merge rot)

This is a hard dependency-resolution problem, not conflict rot:

  1. The two advisories are fixed only in buildkit v0.28.1+ — no v0.27.x backport (confirmed via OSV: introduced 0, fixed 0.28.1).
  2. buildkit v0.28.0 removed authprovider.DockerAuthProviderConfig.ConfigFile.
  3. kubescape v3.0.48 (the latest v3 tag) still uses that field in core/core/patch.go, and KSail imports core/core (only for core.NewKubescape), so the package must compile → unknown field ConfigFile. That is exactly what reddened the Build / Test / golangci-lint checks on #4615 (chore(deps): Bump github.com/moby/buildkit from 0.26.3 to 0.28.1).
  4. Every kubescape build that fixes patch.go (master and the tagged v4.0.x) also bumps docker/buildx → v0.33.0, which migrates to the github.com/moby/moby/client split module universe.
  5. KSail deliberately pins the docker monolith universe (docker/cli → v28.3.1) because k3d v5.9.0-rc.0 requires monolith types (documented in the go.mod replace block). The two universes are mutually exclusive, and 52 KSail source files + k3d depend on the monolith.

So there is no buildkit version that both fixes the CVE and keeps the API kubescape v3.0.48 needs, and no kubescape release that fixes the API without forcing the k3d-incompatible split universe.

The fix

Pin kubescape to a minimal fork via a go.mod replace:

github.com/kubescape/kubescape/v3 => github.com/devantler/kubescape/v3 v3.0.49-0.20260529230755-084b6f1ebcc8

The fork (devantler/kubescape, branch ksail/buildkit-v0.28-compat) is v3.0.48 + a single one-line change — the exact upstream-master fix to patch.go:

- cfg := authprovider.DockerAuthProviderConfig{ConfigFile: dockerConfig}
+ cfg := authprovider.DockerAuthProviderConfig{AuthConfigProvider: authprovider.LoadAuthConfig(dockerConfig)}
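Review bot: the replacement line is described as the exact upstream-master fix, but neither the hunk nor the go.mod replace comment cites the upstream commit it was copied from; record that commit hash beside the replace (and in the fork branch's commit message) so the single-line divergence from v3.0.48 can be audited and the fork dropped cleanly once a v3 tag carries it. It is also worth confirming that `authprovider.LoadAuthConfig(dockerConfig)` reads the same file the old `ConfigFile` field pointed at, since the verification list below covers build, test, govulncheck and the diff but not the copa image-patch path end to end.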

This keeps everything on the docker monolith type system (buildx stays at v0.30.1, which compiles cleanly against buildkit v0.28.1), so the bump touches only go.mod / go.sum. It mirrors the existing loft-sh/log => devantler/log fork precedent and is frozen at the kubescape version KSail already targets (cf. the grype pin).

Remove the fork once kubescape ships a tagged v3 release that fixes patch.go without forcing the moby/moby split, or once KSail migrates to the split universe (gated on a monolith-free k3d release).

Verification

  • go build ./... — clean
  • go test ./... — green (the only failure is the pre-existing pkg/cli/cmd/chat env-flake under full parallel load; it passes in isolation)
  • govulncheck ./... → GO-2026-4858 / GO-2026-4859 are gone from the reachable set
  • git diff confirms the change is buildkit-only: buildkit v0.26.3→v0.28.1 plus its two transitive deps (tonistiigi/fsutil, otelhttptrace); x/crypto, x/net, docker/docker, k8s.io/kubernetes are untouched.

Remaining govulncheck findings (out of scope here)

Note: depends on a fork

This PR depends on devantler/kubescape@ksail/buildkit-v0.28-compat (pushed under the maintainer's account). Keep that branch until the replace is removed.

🤖 Generated with Claude Code
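The verification bullet "GO-2026-4858 / GO-2026-4859 are gone from the reachable set" is easy to eyeball once but tedious to re-check on every dependency bump. The following is an added example, not code from KSail or this PR: a stdlib-only Go tool that decodes a `govulncheck -json` stream and keeps only symbol-level findings (ones whose innermost trace frame names a function, which is how govulncheck marks code that is actually called), then reports which of a list of advisory IDs remain and renders the module chain that reaches them. It assumes the `-json` layout as I read it (a concatenation of `config`/`progress`/`osv`/`finding` objects, trace ordered from vulnerable symbol to entry point). The two streams are constructed for the example: module paths and versions follow the PR, the `placeholder` package suffixes and `Placeholder` function names are not real symbols, and `GO-0000-0000` is a fake ID used only to show that a module-level-only finding is not counted.

```go
package main

import (
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"sort"
	"strings"
)

// Frame is one trace entry. Module/package-level findings carry no Function;
// trace[0] is the vulnerable symbol and the last frame is the entry point.
type Frame struct {
	Module   string `json:"module"`
	Version  string `json:"version"`
	Package  string `json:"package"`
	Function string `json:"function"`
}

// Finding is the "finding" message; Message is one stream object, with the
// config/progress/osv variants left undeclared so they decode to nothing.
type Finding struct {
	OSV          string  `json:"osv"`
	FixedVersion string  `json:"fixed_version"`
	Trace        []Frame `json:"trace"`
}
type Message struct {
	Finding *Finding `json:"finding"`
}

// CalledVulns keeps, per OSV ID, the first symbol-level finding (trace[0]
// names a function), i.e. the advisories in govulncheck's reachable set.
func CalledVulns(r io.Reader) (map[string]Finding, error) {
	dec := json.NewDecoder(r) // handles concatenated, pretty-printed objects
	called := map[string]Finding{}
	for {
		var m Message
		if err := dec.Decode(&m); err != nil {
			if errors.Is(err, io.EOF) {
				return called, nil
			}
			return nil, err
		}
		f := m.Finding
		if f == nil || len(f.Trace) == 0 || f.Trace[0].Function == "" {
			continue // not a finding, or only module/package level
		}
		if _, seen := called[f.OSV]; !seen {
			called[f.OSV] = *f
		}
	}
}

// StillReachable returns, sorted, those of ids that remain in the called set.
func StillReachable(called map[string]Finding, ids ...string) []string {
	var left []string
	for _, id := range ids {
		if _, ok := called[id]; ok {
			left = append(left, id)
		}
	}
	sort.Strings(left)
	return left
}

// ModulePath renders the trace as the module chain from entry point down to
// the vulnerable module, collapsing consecutive frames of the same module.
func ModulePath(f Finding) string {
	var mods []string
	for i := len(f.Trace) - 1; i >= 0; i-- {
		if m := f.Trace[i].Module; len(mods) == 0 || mods[len(mods)-1] != m {
			mods = append(mods, m)
		}
	}
	return strings.Join(mods, " -> ")
}

// Constructed pre-bump stream (see lead-in for which parts are placeholders).
const BeforeStream = `
{"config": {"scan_level": "symbol"}}
{"finding": {"osv": "GO-2026-4858", "fixed_version": "v0.28.1", "trace": [{"module": "github.com/moby/buildkit", "version": "v0.26.3"}]}}
{"finding": {"osv": "GO-2026-4858", "fixed_version": "v0.28.1", "trace": [
 {"module": "github.com/moby/buildkit", "version": "v0.26.3", "package": "github.com/moby/buildkit/placeholder", "function": "Placeholder"},
 {"module": "github.com/docker/buildx", "version": "v0.30.1", "package": "github.com/docker/buildx/build", "function": "Placeholder"},
 {"module": "github.com/kubescape/kubescape/v3", "version": "v3.0.48", "package": "github.com/kubescape/kubescape/v3/core/core", "function": "Placeholder"},
 {"module": "github.com/devantler-tech/ksail/v7", "package": "github.com/devantler-tech/ksail/v7/pkg/client/kubescape", "function": "Placeholder"}]}}
{"finding": {"osv": "GO-2026-4859", "fixed_version": "v0.28.1", "trace": [
 {"module": "github.com/moby/buildkit", "version": "v0.26.3", "package": "github.com/moby/buildkit/placeholder", "function": "Placeholder"},
 {"module": "github.com/docker/buildx", "version": "v0.30.1", "package": "github.com/docker/buildx/build", "function": "Placeholder"},
 {"module": "github.com/kubescape/kubescape/v3", "version": "v3.0.48", "package": "github.com/kubescape/kubescape/v3/core/core", "function": "Placeholder"},
 {"module": "github.com/devantler-tech/ksail/v7", "package": "github.com/devantler-tech/ksail/v7/pkg/client/kubescape", "function": "Placeholder"}]}}
{"finding": {"osv": "GO-0000-0000", "fixed_version": "v9.9.9", "trace": [{"module": "example.com/unrelated", "version": "v1.0.0"}]}}
`

// Constructed post-bump stream: no findings at all.
const AfterStream = `{"config": {"scan_level": "symbol"}}`

func main() {
	called, err := CalledVulns(strings.NewReader(BeforeStream))
	if err != nil {
		panic(err)
	}
	for _, id := range StillReachable(called, "GO-2026-4858", "GO-2026-4859") {
		fmt.Printf("%s fixed in %s, called via %s\n", id, called[id].FixedVersion, ModulePath(called[id]))
	}
}
```

In CI this would read `govulncheck -json ./...` from stdin and fail the job when `StillReachable` is non-empty for the IDs a bump was supposed to close; the module-level finding for the same ID is deliberately ignored because it only says the vulnerable module is in the build list, not that the vulnerable code is called.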

…ape fork

buildkit v0.26.3 carries two HIGH advisories reachable in KSail through kubescape's copa patch path (core/core -> buildx -> buildkit): GO-2026-4858 / CVE-2026-33747 (untrusted frontend file escape) and GO-2026-4859 / CVE-2026-33748 (git #ref:subdir path traversal), both fixed in v0.28.1.

The bump was blocked (see #4615): buildkit v0.28.0 removed authprovider.DockerAuthProviderConfig.ConfigFile, which kubescape v3.0.48 (the latest v3 tag) still uses in core/core/patch.go, so it cannot compile against a fixed buildkit. Every kubescape build that fixes patch.go (master, v4.x) also bumps docker/buildx to v0.33, which migrates to the moby/moby/client split modules — incompatible with KSail's docker monolith pin required by k3d.

Resolve by pinning kubescape to a minimal fork (devantler/kubescape: v3.0.48 plus the one-line upstream-master patch.go fix) via a go.mod replace, keeping the docker monolith type system intact. Closes the buildkit half of the govulncheck backlog (#4894); the x/{crypto,net,image} half was handled in #4951. Supersedes #4615.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
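The commit message above summarises CVE-2026-33748 as a "git #ref:subdir path traversal": a client-controlled `subdir` fragment that ends up resolving outside the checked-out repo root. The following is an added illustration of that bug class in general, not BuildKit's code and not its actual fix: a small Go fragment parser plus the naive resolver beside a hardened one that proves lexically, via `filepath.Rel`, that the joined path is still inside the checkout root. Names (`ParseGitFragment`, `ResolveSubdir`, `ResolveSubdirUnsafe`) and the `/tmp/checkout` root are assumptions for the example.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrEscape is returned when a subdir would resolve outside the checkout root.
var ErrEscape = errors.New("subdir escapes the repository root")

// ParseGitFragment splits the "#ref:subdir" fragment of a Git build-context
// URL: "#main:docs" -> ("main","docs"); "#:docs" -> ("","docs"); "#v1" -> ("v1","").
// Generic parser written for this example, not BuildKit's.
func ParseGitFragment(rawURL string) (ref, subdir string) {
	i := strings.IndexByte(rawURL, '#')
	if i < 0 {
		return "", ""
	}
	frag := rawURL[i+1:]
	if j := strings.IndexByte(frag, ':'); j >= 0 {
		return frag[:j], frag[j+1:]
	}
	return frag, ""
}

// ResolveSubdirUnsafe is the naive pattern behind this bug class: join the
// client-controlled subdir onto the checkout root and trust the result.
// filepath.Join cleans the path, so "../../etc" walks straight out of root.
func ResolveSubdirUnsafe(root, subdir string) string {
	return filepath.Join(root, subdir)
}

// ResolveSubdir is the hardened form: reject absolute subdirs, join, then
// check with filepath.Rel that the result did not climb above root.
// Caveat not handled here: a symlink inside the checkout can still point
// outside it, so a real implementation must also resolve symlinks
// (filepath.EvalSymlinks) or open files through a rooted handle (os.Root).
func ResolveSubdir(root, subdir string) (string, error) {
	if filepath.IsAbs(subdir) {
		return "", ErrEscape
	}
	root = filepath.Clean(root)
	p := filepath.Join(root, subdir)
	rel, err := filepath.Rel(root, p)
	if err != nil {
		return "", err
	}
	// Any escape shows up as a leading ".." component in the relative path.
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", ErrEscape
	}
	return p, nil
}

func main() {
	const root = "/tmp/checkout" // constructed checkout directory
	for _, u := range []string{
		"https://example.com/org/repo.git#main:docs",
		"https://example.com/org/repo.git#main:../../etc",
	} {
		_, sub := ParseGitFragment(u)
		p, err := ResolveSubdir(root, sub)
		fmt.Printf("%-48s unsafe=%s safe=%q err=%v\n", u, ResolveSubdirUnsafe(root, sub), p, err)
	}
}
```

The lexical check is the minimum; the symlink caveat in the comment is the reason such fixes usually also constrain how the resolved directory is opened, not just how its path is computed.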

github-actions Bot commented May 29, 2026

MegaLinter analysis: Success

✅ Linters with no issues

actionlint, bash-exec, git_diff, hadolint, jscpd, jsonlint, lychee, markdown-table-formatter, markdownlint, prettier, prettier, shellcheck, shfmt, stylelint, syft, trivy-sbom, trufflehog, v8r, v8r, yamllint


@devantler devantler marked this pull request as ready for review May 29, 2026 23:41

Copilot AI left a comment


Pull request overview

Bumps github.com/moby/buildkit from v0.26.3 to v0.28.1 to address two HIGH advisories (CVE-2026-33747 / CVE-2026-33748) that are reachable transitively via kubescape's image-patch path. Because upstream kubescape v3.0.48 still uses an API removed in BuildKit v0.28.0, and newer kubescape releases force the docker monolith → split-module migration that conflicts with k3d, the bump is unblocked by pinning kubescape to a minimal one-line devantler/kubescape fork via a go.mod replace directive (mirroring the existing loft-sh/log => devantler/log precedent).

Changes:

  • Bump github.com/moby/buildkit to v0.28.1 (plus transitive tonistiigi/fsutil and otelhttptrace updates).
  • Add a replace for github.com/kubescape/kubescape/v3 pointing at the devantler/kubescape fork, with a comment explaining the API-break / monolith-vs-split tradeoff.
  • Refresh go.sum (incl. containerd/nydus-snapshotter v0.15.4 → v0.15.11 and the newly-introduced moby/policy-helpers).

Reviewed changes

Copilot reviewed 1 out of 2 changed files in this pull request and generated no comments.

| File | Description |
| --- | --- |
| go.mod | Bumps buildkit + transitive indirect deps; adds documented replace pointing kubescape to the devantler fork. |
| go.sum | Updates checksums for buildkit and its transitive deps; replaces upstream kubescape sums with fork sums. |

@devantler devantler enabled auto-merge (squash) May 29, 2026 23:42

github-code-quality Bot commented May 29, 2026

Code Coverage Overview

Languages: Go

Go / code-coverage/go

The overall coverage remains at 55%, unchanged from the branch.

Updated May 30, 2026 08:53 UTC

The gomoddirectives linter enforces an explicit replace-allow-list; add github.com/kubescape/kubescape/v3 alongside the existing entries (docker, grype, loft-sh/log, moby/go-archive) so the new fork replace passes lint.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
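The commit above adds the kubescape fork to gomoddirectives' replace allow-list. A `replace` silently redirects where a dependency's code comes from, so an explicit allow-list is a supply-chain control worth understanding rather than just satisfying. The following is an added example, not KSail's code and not gomoddirectives itself: a stdlib-only Go checker that parses the `replace` directives out of go.mod text (single-line and block form, comments stripped) and reports every replaced module path that is not on an allow-list. The sample go.mod is constructed for the example: the kubescape replace is the one from this PR, the loft-sh/log version and the `example.com/upstream/lib` redirect are placeholders, and the allow-list lists only the two module paths the page spells out in full (the docker, grype and moby/go-archive entries are omitted because their exact paths are not on the page).

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Replace is one parsed go.mod replace directive.
type Replace struct {
	Old, OldVersion, New, NewVersion string
}

// parseReplace parses "old [ver] => new [ver]" with comments already stripped.
func parseReplace(s string) (Replace, bool) {
	lhs, rhs, ok := strings.Cut(s, "=>")
	if !ok {
		return Replace{}, false
	}
	l, r := strings.Fields(lhs), strings.Fields(rhs)
	if len(l) == 0 || len(r) == 0 {
		return Replace{}, false
	}
	rep := Replace{Old: l[0], New: r[0]}
	if len(l) > 1 {
		rep.OldVersion = l[1]
	}
	if len(r) > 1 {
		rep.NewVersion = r[1]
	}
	return rep, true
}

// ReplaceDirectives extracts every replace from go.mod text, handling both
// the single-line form and the parenthesised block form, ignoring comments.
func ReplaceDirectives(gomod string) []Replace {
	var out []Replace
	inBlock := false
	for _, line := range strings.Split(gomod, "\n") {
		if i := strings.Index(line, "//"); i >= 0 {
			line = line[:i]
		}
		line = strings.TrimSpace(line)
		switch {
		case line == "":
		case inBlock && line == ")":
			inBlock = false
		case inBlock:
			if r, ok := parseReplace(line); ok {
				out = append(out, r)
			}
		case line == "replace (":
			inBlock = true
		case strings.HasPrefix(line, "replace "):
			if r, ok := parseReplace(strings.TrimPrefix(line, "replace ")); ok {
				out = append(out, r)
			}
		}
	}
	return out
}

// DisallowedReplaces returns, sorted, the replaced module paths that are not
// on the allow-list; each one redirects a dependency to a fork or local path
// that nobody has explicitly reviewed and approved.
func DisallowedReplaces(gomod string, allow []string) []string {
	ok := map[string]bool{}
	for _, a := range allow {
		ok[a] = true
	}
	var bad []string
	for _, r := range ReplaceDirectives(gomod) {
		if !ok[r.Old] {
			bad = append(bad, r.Old)
		}
	}
	sort.Strings(bad)
	return bad
}

// SampleGoMod is constructed (see lead-in for which lines are placeholders).
const SampleGoMod = `module github.com/devantler-tech/ksail/v7

go 1.24

require (
	github.com/kubescape/kubescape/v3 v3.0.48
	github.com/moby/buildkit v0.28.1
)

replace github.com/loft-sh/log => github.com/devantler/log v0.0.1 // placeholder version

replace (
	// kubescape v3.0.48 + the one-line patch.go fix, pinned by pseudo-version (from the PR)
	github.com/kubescape/kubescape/v3 => github.com/devantler/kubescape/v3 v3.0.49-0.20260529230755-084b6f1ebcc8
	// constructed: an unreviewed redirect that must fail the allow-list
	example.com/upstream/lib v1.4.0 => example.com/someone/lib-fork v1.4.1
)
`

// AllowedReplaces plays the role of the gomoddirectives replace-allow-list.
var AllowedReplaces = []string{
	"github.com/loft-sh/log",
	"github.com/kubescape/kubescape/v3",
}

func main() {
	for _, r := range ReplaceDirectives(SampleGoMod) {
		fmt.Printf("replace %s %s => %s %s\n", r.Old, r.OldVersion, r.New, r.NewVersion)
	}
	fmt.Println("not on allow-list:", DisallowedReplaces(SampleGoMod, AllowedReplaces))
}
```

The check keys on the replaced (left-hand) module path, which is what the allow-list in the commit above names; a stricter variant would also pin the expected right-hand target and version so that an allowed entry cannot later be repointed at a different fork without a second review.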

@github-actions github-actions Bot left a comment


⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.50.

All benchmarks below live in github.com/devantler-tech/ksail/v7/pkg/apis/cluster/v1alpha1.

| Benchmark suite | Current: 7fc1692 | Previous: 0b88c6a | Ratio |
| --- | --- | --- | --- |
| BenchmarkCluster_MarshalJSON/FullProductionCluster | 249158 ns/op, 24791 B/op, 551 allocs/op | 136428 ns/op, 24779 B/op, 551 allocs/op | 1.83 |
| BenchmarkCluster_MarshalJSON/FullProductionCluster - ns/op | 249158 ns/op | 136428 ns/op | 1.83 |
| BenchmarkYAMLEncode/Minimal | 225430 ns/op, 25432 B/op, 474 allocs/op | 94294 ns/op, 25432 B/op, 474 allocs/op | 2.39 |
| BenchmarkYAMLEncode/Minimal - ns/op | 225430 ns/op | 94294 ns/op | 2.39 |
| BenchmarkYAMLEncode/FullProductionCluster | 277466 ns/op, 36560 B/op, 519 allocs/op | 104492 ns/op, 36560 B/op, 519 allocs/op | 2.66 |
| BenchmarkYAMLEncode/FullProductionCluster - ns/op | 277466 ns/op | 104492 ns/op | 2.66 |
| BenchmarkJSONEncode | 233452 ns/op, 19948 B/op, 470 allocs/op | 91469 ns/op, 19944 B/op, 470 allocs/op | 2.55 |
| BenchmarkJSONEncode - ns/op | 233452 ns/op | 91469 ns/op | 2.55 |
| BenchmarkPruneClusterDefaults/MostlyDefaults | 108423 ns/op, 9872 B/op, 267 allocs/op | 44348 ns/op, 9872 B/op, 267 allocs/op | 2.44 |
| BenchmarkPruneClusterDefaults/MostlyDefaults - ns/op | 108423 ns/op | 44348 ns/op | 2.44 |
| BenchmarkPruneClusterDefaults/MixedDefaultsAndCustom | 95964 ns/op, 9872 B/op, 267 allocs/op | 44856 ns/op, 9872 B/op, 267 allocs/op | 2.14 |
| BenchmarkPruneClusterDefaults/MixedDefaultsAndCustom - ns/op | 95964 ns/op | 44856 ns/op | 2.14 |

This comment was automatically generated by workflow using github-action-benchmark.

The previous run failed on the actions/cache step of the build-artifact job (a GitHub cache-service hiccup), not on any code. This empty commit re-runs CI; it is collapsed away by the squash merge.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
Copilot AI review requested due to automatic review settings May 30, 2026 08:40

Copilot AI left a comment


Pull request overview

Copilot reviewed 2 out of 3 changed files in this pull request and generated no new comments.

@devantler devantler merged commit 8d63e65 into main May 30, 2026
66 checks passed
@devantler devantler deleted the claude/trusting-wilbur-7383f4 branch May 30, 2026 09:17
@github-project-automation github-project-automation Bot moved this from 🫴 Ready to ✅ Done in 🌊 Project Board May 30, 2026