fix: add Trivy ignore for CVE-2026-22184 and update expiry date for CVE-2026-22184 in Grype configuration

.github/workflows/nightly-build.yml

@@ -449,6 +449,7 @@ jobs:
           format: 'sarif'
           output: 'trivy-nightly.sarif'
           version: 'v0.69.3'
+          trivyignores: '.trivyignore'
 
       - name: Upload Trivy results
         uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98  # v4.32.6

.grype.yaml

@@ -50,7 +50,7 @@ ignore:
       as of 2026-01-16. Risk accepted: Charon does not directly use untgz or
       process untrusted tar archives. Attack surface limited to base OS utilities.
       Monitoring Alpine security feed for upstream patch.
-    expiry: "2026-01-23"  # Re-evaluate in 7 days
+    expiry: "2026-03-14"  # Re-evaluate in 7 days
 
     # Action items when this suppression expires:
     # 1. Check Alpine security feed: https://security.alpinelinux.org/

.trivyignore

@@ -7,3 +7,10 @@ playwright/.auth/
 # Charon does not use Nebula VPN PKI by default. Review by: 2026-03-05
 # See also: .grype.yaml for full justification
 CVE-2026-25793
+
+# CVE-2026-22184: zlib Global Buffer Overflow in untgz utility
+# Severity: CRITICAL (CVSS 9.8) — Package: zlib 1.3.1-r2 in Alpine base image
+# No upstream fix available: Alpine 3.23 (including edge) still ships zlib 1.3.1-r2.
+# Charon does not use untgz or process untrusted tar archives. Review by: 2026-03-14
+# See also: .grype.yaml for full justification
+CVE-2026-22184