fix(security): remove MCP credentials from managed-settings.json; bump Trivy to 0.70.0

settings.json is COPY-ed into the image at build time. Putting MCP server config with credential env references there risks baking tokens into the image if placeholders are ever replaced with real values. Move MCP server config to ~/.claude/settings.json (runtime volume mount) instead. Managed settings now contains policy only: models, permissions, telemetry. Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-20 16:00:37 +02:00 · 2026-04-20 16:00:37 +02:00 · a79aad9fc8
commit a79aad9fc8
parent 9b931bcfd7
2 changed files with 1 additions and 32 deletions
--- a/.forgejo/workflows/docker-build.yml
+++ b/.forgejo/workflows/docker-build.yml
@ -10,7 +10,7 @@ env:
  # whichever you use to reach it from your desktop/laptop
  FORGEJO_HOST: code.zeidler.dev
  HELM_EXPERIMENTAL_OCI: 1
-  TRIVY_IMAGE: registry.zeidler.dev/docker-hub/aquasec/trivy:0.69.3
+  TRIVY_IMAGE: registry.zeidler.dev/docker-hub/aquasec/trivy:0.70.0

 jobs:
  check-docker: