Bump docker/scout-action from 1.20.4 to 1.21.0

[dependabot]

Bumps docker/scout-action from 1.20.4 to 1.21.0.

Release notes

Sourced from docker/scout-action's releases.

v1.21.0

What's Changed

• Fix local DHI-derived image handling, including inherited VEX and quickview base-image display
• Improve SBOM package qualifier handling, including DHI distro qualifiers
• Update dependencies and Go toolchain

Commits

• cd72f26 Merge pull request #104 from docker/release/v1.21.0
• b9ceaba [BOT] Update assets for v1.21.0 release
• See full diff in compare view

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.

---

Dependabot commands and options

You can trigger Dependabot actions by commenting on this PR:

• @dependabot rebase will rebase this PR
• @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
• @dependabot show <dependency name> ignore conditions will show all of the ignore conditions of the specified dependency
• @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
• @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)

[github-actions]

🔍 Vulnerabilities of renzof93/github-actions-secrets-mgmt:latest

📦 Image Reference renzof93/github-actions-secrets-mgmt:latest

digest	sha256:949b255856146ae89bec1bb16538f8f4aab60f9f6b290385a57a875984029ad9
vulnerabilities
platform	linux/amd64
size	104 MB
packages	64

📦 Base Image python:3-alpine3.20

also known as	3.13-alpine3.20 3.13.3-alpine3.20 alpine3.20
digest	sha256:68834522e73344a5337150a62e87a75be9046c0e39b9bab925be078d953e54e1
vulnerabilities

requests 2.32.3 (pypi) pkg:pypi/requests@2.32.3 Insufficiently Protected Credentials Affected range <2.32.4 Fixed version 2.32.4 CVSS Score 5.3 CVSS Vector CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N EPSS Score 0.227% EPSS Percentile 45th percentile Description Impact Due to a URL parsing issue, Requests releases prior to 2.32.4 may leak .netrc credentials to third parties for specific maliciously-crafted URLs. Workarounds For older versions of Requests, use of the .netrc file can be disabled with trust_env=False on your Requests Session (docs). References psf/requests#6965 https://seclists.org/fulldisclosure/2025/Jun/2 Insecure Temporary File Affected range <2.33.0 Fixed version 2.33.0 CVSS Score 4.4 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:U/C:N/I:H/A:N EPSS Score 0.004% EPSS Percentile 0th percentile Description Impact The requests.utils.extract_zipped_paths() utility function uses a predictable filename when extracting files from zip archives into the system temporary directory. If the target file already exists, it is reused without validation. A local attacker with write access to the temp directory could pre-create a malicious file that would be loaded in place of the legitimate one. Affected usages Standard usage of the Requests library is not affected by this vulnerability. Only applications that call extract_zipped_paths() directly are impacted. Remediation Upgrade to at least Requests 2.33.0, where the library now extracts files to a non-deterministic location. If developers are unable to upgrade, they can set TMPDIR in their environment to a directory with restricted write access.

pynacl 1.5.0 (pypi) pkg:pypi/pynacl@1.5.0 Incomplete List of Disallowed Inputs Affected range <1.6.2 Fixed version 1.6.2 CVSS Score 4.5 CVSS Vector CVSS:3.1/AV:L/AC:H/PR:N/UI:N/S:C/C:L/I:L/A:N EPSS Score 0.008% EPSS Percentile 1st percentile Description libsodium before ad3004e, in atypical use cases involving certain custom cryptography or untrusted data to crypto_core_ed25519_is_valid_point, mishandles checks for whether an elliptic curve point is valid because it sometimes allows points that aren't in the main cryptographic group. This advisoory lists packages in the GitHub Advisory Database's supported ecosystems that are affected by this vulnerability due to a vulnerable dependency.

[github-actions]

Recommended fixes for image renzof93/github-actions-secrets-mgmt:latest

Base image is python:3-alpine3.20

Name	3.13.3-alpine3.20
Digest	sha256:68834522e73344a5337150a62e87a75be9046c0e39b9bab925be078d953e54e1
Vulnerabilities
Pushed	1 year ago
Size	16 MB
Packages	41
Flavor	alpine
OS	3.20
Runtime	3.13.3

Refresh base image

Rebuild the image using a newer base image version. Updating this may result in breaking changes.

✅ This image version is up to date.

Change base image

Tag	Details	Pushed	Vulnerabilities
3-alpine Tag is preferred tag Also known as: alpine alpine3.23 3.14.5-alpine 3.14.5-alpine3.23 3.14-alpine 3.14-alpine3.23 3-alpine3.23	Benefits: Same OS detected Minor runtime version update Minor OS version update Tag is preferred tag Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 34 Image contains equal number of packages 3-alpine was pulled 51K times last month Image details: Size: 18 MB Flavor: alpine OS: 3.23 Runtime: 3.14.5	2 weeks ago
3.13-alpine Minor runtime version update Also known as: 3.13.13-alpine 3.13.13-alpine3.23 3.13-alpine3.23	Benefits: Same OS detected Minor runtime version update Minor OS version update Image contains 2 fewer packages Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 31 Image details: Size: 17 MB Flavor: alpine OS: 3.23 Runtime: 3.13.13	1 month ago
3.13-alpine3.22 Minor runtime version update Also known as: 3.13.13-alpine3.22	Benefits: Same OS detected Minor runtime version update Minor OS version update Image contains 2 fewer packages Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 29 Image details: Size: 17 MB Flavor: alpine OS: 3.22 Runtime: 3.13.13	1 month ago
3-alpine3.22 Minor runtime version update Also known as: alpine3.22 3.14.5-alpine3.22 3.14-alpine3.22	Benefits: Same OS detected Minor runtime version update Minor OS version update Tag was pushed more recently Image has similar size Image introduces no new vulnerability but removes 32 Image contains equal number of packages Image details: Size: 18 MB Flavor: alpine OS: 3.22 Runtime: 3.14.5	2 weeks ago