fix: resolve CVE-2025-15558 and improve image scan workflow (#1462)

## Summary
- **CVE-2025-15558 fix**: Bump `go-containerregistry` from v0.20.7 to
v0.21.2 in the skills-init Dockerfile, updating transitive `docker/cli`
dependency from v29.0.3 to v29.2.1
- **fail-fast: false**: Image scan matrix now runs all jobs to
completion so all CVEs are visible even if one image fails
- **golang-adk**: Added to the image scan matrix

## Test plan
- [ ] Verify image scan workflow runs all matrix jobs to completion
- [ ] Verify skills-init image no longer reports CVE-2025-15558

🤖 Generated with [Claude Code](https://claude.com/claude-code)

---------

Signed-off-by: Eitan Yarmush <eitan.yarmush@solo.io>
Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>

Author: EItanya

.github/workflows/image-scan.yaml

@@ -23,12 +23,14 @@ env:
 jobs:
   build:
     strategy:
+      fail-fast: false
       matrix:
         image:
           - controller
           - ui
           - app
           - skills-init
+          - golang-adk
     runs-on: ubuntu-latest
     services:
       registry:
@@ -70,7 +72,7 @@ jobs:
         id: image-versions
         run: make build-img-versions
       - name: Image vulnerability scanner
-        uses: aquasecurity/trivy-action@0.33.1
+        uses: aquasecurity/trivy-action@0.35.0
         with:
           image-ref: localhost:5001/kagent-dev/kagent/${{ matrix.image }}:${{ steps.vars.outputs.version }}
           severity: 'CRITICAL,HIGH'

docker/skills-init/Dockerfile

@@ -1,7 +1,7 @@
 ### Stage 0: build krane
 FROM golang:1.25-alpine AS krane-builder
 
-ENV KRANE_VERSION=v0.20.7
+ENV KRANE_VERSION=v0.21.2
 WORKDIR /build
 
 RUN apk add --no-cache git && \

python/Dockerfile

@@ -1,24 +1,3 @@
-# Temporary: use apk to install krane
-# once https://github.com/wolfi-dev/os/pull/78579 is merged.
-### STAGE 0: build krane
-ARG BASE_IMAGE_REGISTRY=cgr.dev
-FROM $BASE_IMAGE_REGISTRY/chainguard/go:latest AS krane-builder
-
-ENV KRANE_VERSION=v0.20.7
-WORKDIR /build
-
-RUN git clone --depth 1 --branch $KRANE_VERSION \
-    https://github.com/google/go-containerregistry.git
-
-WORKDIR /build/go-containerregistry/cmd/krane
-
-RUN --mount=type=cache,target=/root/.cache/go-build \
-    --mount=type=cache,target=/go/pkg/mod \
-    CGO_ENABLED=0 go build \
-    -trimpath \
-    -ldflags="-s -w" \
-    -o /build/krane .
-
 ### STAGE 1: base image
 ARG BASE_IMAGE_REGISTRY=cgr.dev
 FROM $BASE_IMAGE_REGISTRY/chainguard/wolfi-base:latest AS base-os
@@ -103,11 +82,6 @@ RUN --mount=type=cache,target=/root/.npm \
 # Ensure the sandbox runtime binaries are on PATH
 ENV PATH="/opt/sandbox-runtime/node_modules/.bin:$PATH"
 
-# Install anthropic sandbox runtime and dependencies
-#RUN --mount=type=cache,target=/var/cache/apk,rw \
-#    apk add krane
-COPY --from=krane-builder --chown=1001:1001 /build/krane /usr/local/bin/krane
-
 USER python
 WORKDIR /.kagent
 

python/pyproject.toml

@@ -6,7 +6,7 @@ dev = [
   "pytest>=8.3.5",
   "pytest-asyncio>=0.25.3",
   "ruff>=0.11.5",
-  "authlib>=1.6.4"
+  "authlib>=1.6.7"
 ]
 
 [tool.uv]