DEFRA · johnwatson484 · Mar 20, 2026 · Mar 20, 2026 · Mar 20, 2026
diff --git a/.github/workflows/build-scan-push.yml b/.github/workflows/build-scan-push.yml
@@ -103,7 +103,7 @@ jobs:
       - name: Run Aqua Trivy scan
         id: trivy-scan
         if: ${{ matrix.target == 'production' }}
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           input: image-${{ matrix.image.nodeVersion }}.tar
           scan-type: image

diff --git a/.github/workflows/nightly-scan.yml b/.github/workflows/nightly-scan.yml
@@ -40,7 +40,7 @@ jobs:
 
       - name: Run Aqua Trivy scan
         id: trivy-scan
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           image-ref: defradigital/${{env.IMAGE_NAME}}:${{env.DEFRA_VERSION}}-node${{matrix.image.nodeVersion}}
           format: sarif

diff --git a/.grype.yaml b/.grype.yaml
@@ -33,3 +33,5 @@ ignore:
     reason: "Node 24: tar patched but not yet available in Node.js base images"
   - vulnerability: GHSA-9ppj-qmqm-q256
     reason: "Node 24: tar patched but not yet available in Node.js base images"
+  - vulnerability: CVE-2026-2673
+    reason: "Alpine libcrypto: No fix available"
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 # Set default values for build arguments
-ARG DEFRA_VERSION=3.0.3
+ARG DEFRA_VERSION=3.0.4
 ARG BASE_VERSION=24.14.0-alpine3.23
 
 FROM node:$BASE_VERSION AS production

diff --git a/JOB.env b/JOB.env
@@ -1,2 +1,2 @@
-DEFRA_VERSION=3.0.3
+DEFRA_VERSION=3.0.4
 IMAGE_NAME=node