Description
What happened:
The Trivy vulnerability scan in CI fails for all service images that use registry.access.redhat.com/ubi9/ubi-minimal:9.6 as their Docker base image. Three HIGH-severity CVEs with available fixes are detected, causing the build workflow to exit with code 1.
Affected Dockerfiles:
- chaoscenter/graphql/server/Dockerfile
- chaoscenter/authentication/Dockerfile
- chaoscenter/subscriber/Dockerfile
- chaoscenter/event-tracker/Dockerfile
CVEs detected:
| Package | CVE | Severity | Installed | Fixed |
|---|---|---|---|---|
| gnupg2 | CVE-2025-68973 | HIGH | 2.3.3-4.el9 | 2.3.3-5.el9_7 |
| openssl-libs | CVE-2025-15467 | HIGH | 1:3.2.2-6.el9_5.1 | 1:3.5.1-7.el9_7 |
| sqlite-libs | CVE-2025-6965 | HIGH | 3.34.1-8.el9_6 | 3.34.1-9.el9_7 |
What you expected to happen:
The Trivy scan should pass with 0 HIGH/CRITICAL findings so that CI builds succeed on all branches.
Where can this issue be corrected? (optional)
Bump the base image tag in all four Dockerfiles listed above:
FROM registry.access.redhat.com/ubi9/ubi-minimal:9.6 → FROM registry.access.redhat.com/ubi9/ubi-minimal:9.7
How to reproduce it (as minimally and precisely as possible):
You can look at the docker-build-graphql-server check in the current CI run on any open PR.
Anything else we need to know?:
All three CVE fixes ship in el9_7 packages, which are included in ubi9/ubi-minimal:9.7.
Bumping the tag to 9.7 was verified locally — Trivy reports 0 CRITICAL, 0 HIGH on the rebuilt image (exit code 0).
The Go binary layer is unaffected (0 findings).
I can open a PR for this; please assign this issue to me. Here is the local run:

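The bump-and-verify procedure from the issue as a script, added here as an example; it is not the issue author's local run (which is not reproduced on this page) and not LitmusChaos project code. It assumes the four Dockerfile paths named above, that a trivy binary is on PATH for the scan step, and that the CI gate is equivalent to `--severity HIGH,CRITICAL --exit-code 1` (the project's exact flags are an assumption). It rewrites only FROM lines whose image is exactly the old tag, including FROM lines that carry flags such as `--platform=...`, and leaves other mentions of the string (comments, RUN lines) alone.

```shell
#!/bin/sh
# Added example for this issue; not LitmusChaos project code. Assumes the four
# Dockerfile paths from the issue and a trivy binary on PATH for the scan step.
set -eu

OLD_IMAGE='registry.access.redhat.com/ubi9/ubi-minimal:9.6'
NEW_IMAGE='registry.access.redhat.com/ubi9/ubi-minimal:9.7'
DOCKERFILES='chaoscenter/graphql/server/Dockerfile
chaoscenter/authentication/Dockerfile
chaoscenter/subscriber/Dockerfile
chaoscenter/event-tracker/Dockerfile'

# Escape the dots so sed -E / grep -E match the image references literally.
OLD_RE=$(printf '%s' "$OLD_IMAGE" | sed 's/[.]/\\./g')
NEW_RE=$(printf '%s' "$NEW_IMAGE" | sed 's/[.]/\\./g')

# Matches "FROM", optional flags such as --platform=..., then a single image.
FROM_PREFIX='^(FROM([[:space:]]+--[^[:space:]]+)*[[:space:]]+)'

# Rewrite only FROM lines whose image is exactly OLD_IMAGE; "ubi-minimal:9.6"
# in a comment or a RUN line is left untouched. Group 3 keeps whatever
# follows the image (e.g. " AS builder" or end of line).
bump_base_image() {
  sed -i.bak -E \
    "s#${FROM_PREFIX}${OLD_RE}([[:space:]]|\$)#\1${NEW_IMAGE}\3#" "$1"
  rm -f "$1.bak"
}

# Sanity check after the bump: no FROM line still names the old image and at
# least one FROM line names the new one. Returns non-zero otherwise.
base_image_bumped() {
  if grep -Eq "${FROM_PREFIX}${OLD_RE}([[:space:]]|\$)" "$1"; then
    return 1
  fi
  grep -Eq "${FROM_PREFIX}${NEW_RE}([[:space:]]|\$)" "$1"
}

# Gate the rebuilt image the way the issue describes the CI gate: exit 1 on
# any HIGH or CRITICAL finding. (Assumed flags; the project's may differ.)
scan_image() {
  trivy image --severity HIGH,CRITICAL --exit-code 1 "$1"
}

# Apply the bump to all four Dockerfiles, and rescan an already rebuilt image
# when a tag is given: `sh bump-ubi.sh apply [image:tag]`. Sourcing the file
# for the functions alone has no side effects.
if [ "${1:-}" = "apply" ]; then
  for f in $DOCKERFILES; do
    bump_base_image "$f"
    base_image_bumped "$f" || { echo "no FROM line updated in $f" >&2; exit 1; }
  done
  if [ -n "${2:-}" ]; then
    scan_image "$2"
  fi
fi
```

After `apply`, rebuild each image and run `scan_image` against it; the script exits non-zero if Trivy still reports any HIGH/CRITICAL finding, which is the same condition the CI check is failing on.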