diff --git a/.gitignore b/.gitignore index 7b2f0a3b..a59cb9ac 100644 --- a/.gitignore +++ b/.gitignore @@ -316,3 +316,5 @@ docs/reports/codecove_patch_report.md vuln-results.json test_output.txt coverage_results.txt +final-results.json +new-results.json diff --git a/.grype.yaml b/.grype.yaml index 042c1a79..8be966c9 100644 --- a/.grype.yaml +++ b/.grype.yaml 
@@ -203,45 +203,47 @@ ignore: # GHSA-6g7g-w4f8-9c9x: buger/jsonparser Delete panic on malformed JSON (DoS) # Severity: HIGH (CVSS 7.5) # Package: github.com/buger/jsonparser v1.1.1 (embedded in /usr/local/bin/crowdsec and /usr/local/bin/cscli) - # Status: NO upstream fix available — OSV marks "Last affected: v1.1.1" with no Fixed event + # Status: UPSTREAM FIX EXISTS (v1.1.2 released 2026-03-20) — awaiting CrowdSec to update dependency + # NOTE: As of 2026-04-20, grype v0.111.0 with fresh DB no longer flags this finding in the image. + # This suppression is retained as a safety net in case future DB updates re-surface it. # # Vulnerability Details: # - The Delete function fails to validate offsets on malformed JSON input, producing a # negative slice index and a runtime panic — denial of service (CWE-125). # - CVSSv3: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H # - # Root Cause (Third-Party Binary + No Upstream Fix): + # Root Cause (Third-Party Binary — Fix Exists Upstream, Not Yet in CrowdSec): # - Charon does not use buger/jsonparser directly. It is compiled into CrowdSec binaries. - # - The buger/jsonparser repository has no released fix as of 2026-03-19 (GitHub issue #275 - # and golang/vulndb #4514 are both open). - # - Fix path: once buger/jsonparser releases a patched version and CrowdSec updates their - # dependency, rebuild the Docker image and remove this suppression. + # - buger/jsonparser released v1.1.2 on 2026-03-20 fixing issue #275. + # - CrowdSec has not yet released a version built with buger/jsonparser v1.1.2. + # - Fix path: once CrowdSec updates their dependency and rebuilds, rebuild the Docker image + # and remove this suppression. 
# - # Risk Assessment: ACCEPTED (Limited exploitability + no upstream fix) + # Risk Assessment: ACCEPTED (Limited exploitability; fix exists upstream but not yet in CrowdSec) # - The DoS vector requires passing malformed JSON to the vulnerable Delete function within # CrowdSec's internal processing pipeline; this is not a direct attack surface in Charon. # - CrowdSec's exposed surface is its HTTP API (not raw JSON stream parsing via this path). # # Mitigation (active while suppression is in effect): - # - Monitor buger/jsonparser: https://github.com/buger/jsonparser/issues/275 - # - Monitor CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases + # - Monitor CrowdSec releases for a build using buger/jsonparser >= v1.1.2. + # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases # - Weekly CI security rebuild flags the moment a fixed image ships. # # Review: - # - Reviewed 2026-03-19 (initial suppression): no upstream fix exists. Set 30-day review. - # - Extended 2026-04-04: no upstream fix available. buger/jsonparser issue #275 still open. - # - Next review: 2026-05-19. Remove suppression once buger/jsonparser ships a fix and - # CrowdSec updates their dependency. + # - Reviewed 2026-03-19 (initial suppression): no upstream fix. Set 30-day review. + # - Extended 2026-04-04: no upstream fix. buger/jsonparser issue #275 still open. + # - Updated 2026-04-20: buger/jsonparser v1.1.2 released 2026-03-20. CrowdSec not yet updated. + # Grype v0.111.0 with fresh DB (2026-04-20) no longer flags this finding. Suppression retained + # as a safety net. Next review: 2026-05-19 — remove if CrowdSec ships with v1.1.2+. 
# # Removal Criteria: - # - buger/jsonparser releases a patched version (v1.1.2 or higher) - # - CrowdSec releases a version built with the patched jsonparser + # - CrowdSec releases a version built with buger/jsonparser >= v1.1.2 # - Rebuild Docker image, run security-scan-docker-image, confirm finding is resolved # - Remove this entry and the corresponding .trivyignore entry simultaneously # # References: # - GHSA-6g7g-w4f8-9c9x: https://github.com/advisories/GHSA-6g7g-w4f8-9c9x - # - Upstream issue: https://github.com/buger/jsonparser/issues/275 + # - Upstream fix: https://github.com/buger/jsonparser/releases/tag/v1.1.2 # - golang/vulndb: https://github.com/golang/vulndb/issues/4514 # - CrowdSec releases: https://github.com/crowdsecurity/crowdsec/releases - vulnerability: GHSA-6g7g-w4f8-9c9x 
@@ -251,21 +253,20 @@ ignore: type: go-module reason: | HIGH — DoS panic via malformed JSON in buger/jsonparser v1.1.1 embedded in CrowdSec binaries. - No upstream fix: buger/jsonparser has no released patch as of 2026-03-19 (issue #275 open). - Charon does not use this package directly; the vector requires reaching CrowdSec's internal - JSON processing pipeline. Risk accepted; no remediation path until upstream ships a fix. - Reviewed 2026-03-19: no patched release available. - expiry: "2026-05-19" # Extended 2026-04-04: no upstream fix. Next review 2026-05-19. + Upstream fix: buger/jsonparser v1.1.2 released 2026-03-20; CrowdSec has not yet updated their + dependency. Grype no longer flags this as of 2026-04-20 (fresh DB). Suppression retained as + safety net pending CrowdSec update. Charon does not use this package directly. + Updated 2026-04-20: fix v1.1.2 exists upstream; awaiting CrowdSec dependency update. + expiry: "2026-05-19" # Review 2026-05-19: remove if CrowdSec ships with buger/jsonparser >= v1.1.2. # Action items when this suppression expires: - # 1. Check buger/jsonparser releases: https://github.com/buger/jsonparser/releases - # and issue #275: https://github.com/buger/jsonparser/issues/275 - # 2. If a fix has shipped AND CrowdSec has updated their dependency: - # a. Rebuild Docker image and run local security-scan-docker-image - # b. Remove this suppression entry and the corresponding .trivyignore entry - # 3. If no fix yet: Extend expiry by 30 days and update the review comment above - # 4. If extended 3+ times with no progress: Consider opening an issue upstream or - # evaluating whether CrowdSec can replace buger/jsonparser with a safe alternative + # 1. Check if CrowdSec has released a version with buger/jsonparser >= v1.1.2: + # https://github.com/crowdsecurity/crowdsec/releases + # 2. 
If CrowdSec has updated: rebuild Docker image, run security-scan-docker-image, + # and remove this suppression entry and the corresponding .trivyignore entry + # 3. If grype still does not flag it with fresh DB: consider removing the suppression as + # it may no longer be necessary + # 4. If no CrowdSec update yet: Extend expiry by 30 days # GHSA-jqcq-xjh3-6g23: pgproto3/v2 DataRow.Decode panic on negative field length (DoS) # Severity: HIGH (CVSS 7.5)
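Review bot: in the `.gitignore` hunk, `final-results.json` and `new-results.json` are scratch names that say nothing about which scan writes them, and they now sit beside the equally generic `vuln-results.json`; either name them after the job that produces them or collapse the three into a single `*-results.json` pattern so the next scan output does not need another edit here.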
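Review bot: in the `.grype.yaml` hunk at line 203, the new `# NOTE:` records that grype v0.111.0 with a fresh DB no longer flags the finding, but the unchanged `# Package:` line still says buger/jsonparser v1.1.1 is embedded in the CrowdSec binaries and the fix is v1.1.2, so the image still ships the vulnerable version. The comment should say why the scanner stopped reporting it (for example a change in the advisory's affected range in the DB) rather than only that it stopped; as written a reader cannot distinguish a vulnerability-data regression from a real remediation. The retained mitigation line `# - Weekly CI security rebuild flags the moment a fixed image ships.` also no longer holds: if grype does not report the finding, a rebuild cannot flag anything, so the weekly check should be tied to the CrowdSec release version instead.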
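Review bot: in the hunk at line 251, action item 3 (`# 3. If grype still does not flag it with fresh DB: consider removing the suppression as it may no longer be necessary`) contradicts the comment block above, which keeps the suppression as a safety net precisely because a DB update may re-surface the finding, and it would drop the entry while the binaries still embed v1.1.1. Make removal depend on item 2 only (CrowdSec ships a build with buger/jsonparser >= v1.1.2) and reword or drop item 3. The deleted escalation step (`# 4. If extended 3+ times with no progress: ...`) has no replacement, so the entry can now be extended in 30-day steps indefinitely; keep an escalation condition. The `reason:` text also lost the sentence explaining why exploitability is limited (the vector requires reaching CrowdSec's internal JSON pipeline), which is the actual risk-acceptance argument, so it should be carried over. Finally, the removal criteria say the `.trivyignore` entry is removed simultaneously, yet this patch does not touch `.trivyignore`; if it carries the old "no upstream fix" rationale it is now stale and should be updated in the same change.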