coreruleset · fzipi · May 10, 2026 · Apr 28, 2026 · Apr 28, 2026 · Apr 28, 2026
diff --git a/.github/workflows/verifyimage.yml b/.github/workflows/verifyimage.yml
@@ -11,7 +11,7 @@ permissions:
 env:
   # sha256sum format: <hash><space><format (space for text)><file name>
   MODSECURITY_RECOMMENDED: "ccff8ba1f12428b34ff41960d8bf773dd9f62b9a7c77755247a027cb01896d4f  modsecurity.conf-recommended"
-  GO_FTW_VERSION: '1.3.0'
+  GO_FTW_VERSION: '2.1.0'
 
 jobs:
   prepare:
@@ -202,6 +202,10 @@ jobs:
           sed -i \
             's#image: owasp/modsecurity-crs:${{ contains(matrix.target, 'apache') && 'apache' || 'nginx' }}.*#image: ${{ matrix.target }}-verification#' \
             crs/tests/docker-compose.yml
+      - name: Patch nginx overrides for nginx 1.30.0 (920100-4 now returns 405)
+        run: |
+          yq e -i '(.test_overrides[] | select(.rule_id == 920100 and .test_ids[0] == 4 and (.test_ids | length) == 1) | .output.status) = 405' \
+            crs/tests/regression/nginx-overrides.yaml
       - name: Run CRS tests for ${{ matrix.target }}
         # Log flushing isn't reliable enough for go-ftw (https://github.com/coreruleset/go-ftw/issues/473)
         if: ${{!contains(matrix.target, 'nginx-alpine')}}

diff --git a/README.md b/README.md
@@ -64,7 +64,7 @@ Examples:
 
 ## OS Variants
 
-* nginx – *latest stable ModSecurity v3 on Nginx 1.28.2 official stable base image, and latest stable OWASP CRS 4.25.0*
+* nginx – *latest stable ModSecurity v3 on Nginx 1.30.0 official stable base image, and latest stable OWASP CRS 4.25.0*
    * [nginx](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile)
    * [nginx-alpine](https://github.com/coreruleset/modsecurity-crs-docker/blob/master/nginx/Dockerfile-alpine)
 * Apache httpd – *last stable ModSecurity v2 on Apache 2.4.66 official stable base image, and latest stable OWASP CRS 4.25.0*

diff --git a/apache/Dockerfile b/apache/Dockerfile
@@ -27,12 +27,10 @@ RUN set -eux; \
         libyajl-dev \
         lua${LUA_VERSION}-dev \
         make \
-        pkgconf \
-        wget
+        pkgconf
 
 RUN set -eux; \
-    wget --quiet https://github.com/owasp-modsecurity/ModSecurity/archive/refs/tags/v${MODSEC2_VERSION}.tar.gz; \
-    tar -zxvf v${MODSEC2_VERSION}.tar.gz; \
+    git clone https://github.com/owasp-modsecurity/ModSecurity --branch "v${MODSEC2_VERSION}" --depth 1 --recursive ModSecurity-${MODSEC2_VERSION}; \
     cd ModSecurity-${MODSEC2_VERSION}; \
     ./autogen.sh; \
     ./configure ${MODSEC2_FLAGS}; \

diff --git a/apache/Dockerfile-alpine b/apache/Dockerfile-alpine
@@ -23,6 +23,7 @@ RUN set -eux; \
     geoip-dev \
     gcc \
     g++ \
+    git \
     gnupg \
     libc-dev \
     libfuzzy2-dev \
@@ -41,8 +42,7 @@ RUN set -eux; \
     zlib-dev
 
 RUN set -eux; \
-    wget --quiet https://github.com/owasp-modsecurity/ModSecurity/archive/refs/tags/v${MODSEC2_VERSION}.tar.gz; \
-    tar -zxvf v${MODSEC2_VERSION}.tar.gz; \
+    git clone https://github.com/owasp-modsecurity/ModSecurity --branch "v${MODSEC2_VERSION}" --depth 1 --recursive ModSecurity-${MODSEC2_VERSION}; \
     cd ModSecurity-${MODSEC2_VERSION}; \
     ./autogen.sh; \
     ./configure ${MODSEC2_FLAGS}; \

diff --git a/docker-bake.hcl b/docker-bake.hcl
@@ -1,7 +1,7 @@
 # docker-bake.hcl
 variable "modsec3-version" {
     # renovate: depName=ModSecurity3 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
-    default = "3.0.14"
+    default = "3.0.15"
 }
 
 variable "modsec3-flags" {
@@ -10,7 +10,7 @@ variable "modsec3-flags" {
 
 variable "modsec2-version" {
     # renovate: depName=ModSecurity2 packageName=owasp-modsecurity/ModSecurity datasource=github-releases
-    default = "2.9.12"
+    default = "2.9.13"
 }
 
 variable "modsec2-flags" {
@@ -40,7 +40,7 @@ variable "crs-versions" {
 
 variable "nginx-version" {
     # renovate: depName=nginxinc/nginx-unprivileged datasource=docker
-    default = "1.28.2"
+    default = "1.30.0"
 }
 
 variable "httpd-version" {

diff --git a/nginx/Dockerfile-alpine b/nginx/Dockerfile-alpine
@@ -37,7 +37,6 @@ RUN set -eux; \
         make \
         openssl \
         openssl-dev \
-        patch \
         pkgconfig \
         pcre2-dev \
         yajl-dev \
@@ -51,7 +50,6 @@ RUN set -eux; \
     ARCH=$(gcc -print-multiarch); \
     sed -ie "s/i386-linux-gnu/${ARCH}/g" build/ssdeep.m4; \
     sed -ie "s/i386-linux-gnu/${ARCH}/g" build/pcre2.m4; \
-    curl -sSL https://patch-diff.githubusercontent.com/raw/owasp-modsecurity/ModSecurity/pull/3473.patch | patch -p1; \
     ./build.sh; \
     ./configure ${MODSEC3_FLAGS}; \
     make -j$(nproc) install; \