
feat: update snyk-docker-plugin from 9.3.0 to 9.5.1 #6656

Open
bgardiner wants to merge 4 commits into main from chore/update-snyk-docker-plugin

Conversation

@bgardiner
Contributor

@bgardiner bgardiner commented Mar 18, 2026

Pull Request Submission Checklist

  • Follows CONTRIBUTING guidelines
  • Commit messages are release-note ready, emphasizing what was changed, not how.
  • Includes detailed description of changes
  • Contains risk assessment (Low | Medium | High)
  • Highlights breaking API changes (if applicable)
  • Links to automated tests covering new functionality
  • Includes manual testing instructions (if necessary)
  • Updates relevant GitBook documentation (not necessary)
  • Includes product update to be announced in the next stable release notes

What does this PR do?

Pulls in the following changes to the CLI's copy of Snyk container scanner (snyk-docker-plugin):

  1. feat: override packages with inaccurate pom.properties files (feat: override packages with inaccurate pom.properties files snyk-docker-plugin#764) — Handles cases where Java pom.properties files report incorrect package metadata.
  2. feat: add Go stdlib vulnerability detection to container scans (feat: add Go stdlib vulnerability detection to container scans snyk-docker-plugin#767) — Adds detection of Go standard library vulnerabilities when scanning containers.
  3. fix: add snyk ignores for tar symlink attack vulns (fix: add snyk ignores for tar symlink attack vulns snyk-docker-plugin#769) — Ignores known tar symlink attack vulnerabilities (likely internal/dev dependency noise).

Where should the reviewer start?

Review the package.json version bump and the associated snyk-docker-plugin changes listed above.

How should this be manually tested?

Build the CLI locally with the new dependencies and run it.

What's the product update that needs to be communicated to CLI users?

  1. feat: override packages with inaccurate pom.properties files (snyk-docker-plugin#764) — Handles cases where Java pom.properties files report incorrect package metadata.
  2. feat: add Go stdlib vulnerability detection to container scans (snyk-docker-plugin#767) — Adds detection of Go standard library vulnerabilities when scanning containers.

Risk assessment (Low | Medium | High)?

Low — Relatively low risk scanner updates.
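As an added illustration of the first change listed in the description above (this is example code written for this page, not code from snyk-docker-plugin or the CLI), the routine below reconciles a jar's bundled pom.properties with the coordinates implied by its filename and overrides the former when they disagree. The function names, the "jar filename wins" tie-break policy and the sample jar and properties are assumptions made for this example; the plugin's actual heuristic is not shown on this page.

```javascript
// Added example (not snyk-docker-plugin code): reconcile a Java package's
// pom.properties metadata with the coordinates implied by its jar path.
// Function names and the "prefer the jar filename" policy are assumptions
// made for illustration; the real plugin's logic is not reproduced here.

// Parse Java .properties text into a plain object. Handles '#'/'!' comments,
// '=' or ':' separators and surrounding whitespace; no escape processing.
function parsePomProperties(text) {
  const props = {};
  for (const rawLine of text.split(/\r?\n/)) {
    const line = rawLine.trim();
    if (line === '' || line.startsWith('#') || line.startsWith('!')) continue;
    const idx = line.search(/[=:]/);
    if (idx === -1) continue;
    props[line.slice(0, idx).trim()] = line.slice(idx + 1).trim();
  }
  return props;
}

// Derive artifactId/version from a jar filename such as "example-lib-1.4.2.jar".
// The version is taken to start at the first "-<digit>" boundary, which is the
// common Maven naming convention. Returns null when no version is present.
function coordsFromJarName(jarPath) {
  const base = jarPath.split('/').pop().replace(/\.jar$/i, '');
  const m = base.match(/^(.+?)-(\d.*)$/);
  if (!m) return null;
  return { artifactId: m[1], version: m[2] };
}

// Compare the two sources and return the coordinates a scanner should use.
// When pom.properties disagrees with the filename, the filename wins and the
// result records why, so the decision is auditable in scan output.
function resolvePackage(jarPath, pomPropertiesText) {
  const props = parsePomProperties(pomPropertiesText);
  const fromName = coordsFromJarName(jarPath);
  const fromPom = {
    groupId: props.groupId,
    artifactId: props.artifactId,
    version: props.version,
  };
  if (!fromName) return { ...fromPom, source: 'pom.properties', overridden: false };
  const mismatch =
    (fromPom.artifactId && fromPom.artifactId !== fromName.artifactId) ||
    (fromPom.version && fromPom.version !== fromName.version);
  if (!mismatch) return { ...fromPom, source: 'pom.properties', overridden: false };
  return {
    groupId: fromPom.groupId,
    artifactId: fromName.artifactId,
    version: fromName.version,
    source: 'jar-filename',
    overridden: true,
    reason:
      `pom.properties says ${fromPom.artifactId}@${fromPom.version}, ` +
      `jar name says ${fromName.artifactId}@${fromName.version}`,
  };
}

// Constructed sample: a repackaged jar whose bundled pom.properties still
// carries the version it was originally built from (hypothetical package).
const SAMPLE_POM = [
  '#Generated by Maven',
  'groupId=com.example',
  'artifactId=example-lib',
  'version=1.4.0',
].join('\n');

console.log(resolvePackage('/app/lib/example-lib-1.4.2.jar', SAMPLE_POM));
```

Run it with node; the mismatch case prints an object with `overridden: true` and a `reason` string, while a jar whose filename agrees with its pom.properties passes through unchanged.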

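As an added illustration of the second change listed above, Go standard library detection in container scans (again example code for this page, not the plugin's own implementation), the block below matches the Go toolchain version a binary was built with against advisory-style version ranges. The point it shows is that a statically linked Go binary carries its stdlib with it, so a minimal or distroless image still has exposure that package-manager scanning alone would not see. The advisory format, the placeholder advisory ids, the binary list and all function names are constructed assumptions; a real scanner would read the toolchain version from the build information embedded in each Go binary (Go's own `debug/buildinfo` package exposes it as `GoVersion`).

```javascript
// Added example (not snyk-docker-plugin code): decide whether the Go toolchain
// a container binary was built with falls inside an affected stdlib version
// range. The advisory format and the names below are assumptions for
// illustration; the plugin's real data source and matching rules differ.

// Parse "go1.21.3", "go1.22", "go1.23rc1" into a comparable structure.
// A missing patch number means .0; any trailing suffix (rc1, beta2) marks a
// pre-release, which sorts before the final release of the same number.
function parseGoVersion(s) {
  const m = /^go(\d+)\.(\d+)(?:\.(\d+))?([a-z]+\d*)?$/.exec(s.trim());
  if (!m) return null;
  return {
    major: Number(m[1]),
    minor: Number(m[2]),
    patch: m[3] === undefined ? 0 : Number(m[3]),
    pre: m[4] || '',
  };
}

// Negative if a < b, zero if equal, positive if a > b.
function compareGoVersions(a, b) {
  for (const k of ['major', 'minor', 'patch']) {
    if (a[k] !== b[k]) return a[k] - b[k];
  }
  if (a.pre === b.pre) return 0;
  if (a.pre === '') return 1; // a final release is newer than any pre-release
  if (b.pre === '') return -1;
  return a.pre < b.pre ? -1 : 1;
}

// An advisory lists half-open ranges [introduced, fixed). A version is
// affected if it falls inside any range; "fixed" may be absent (no fix yet).
function isAffected(goVersionString, advisory) {
  const v = parseGoVersion(goVersionString);
  if (!v) return false;
  return advisory.ranges.some(({ introduced, fixed }) => {
    if (compareGoVersions(v, parseGoVersion(introduced)) < 0) return false;
    if (fixed === undefined) return true;
    return compareGoVersions(v, parseGoVersion(fixed)) < 0;
  });
}

// Given binaries (path + toolchain version, as a scanner would read from each
// binary's embedded build info) and advisories, return one finding per match.
function scanBinaries(binaries, advisories) {
  const findings = [];
  for (const bin of binaries) {
    for (const adv of advisories) {
      if (isAffected(bin.goVersion, adv)) {
        findings.push({ path: bin.path, goVersion: bin.goVersion, advisory: adv.id, package: adv.package });
      }
    }
  }
  return findings;
}

// Constructed sample data: placeholder advisory ids and invented ranges, not real ones.
const SAMPLE_ADVISORIES = [
  {
    id: 'GO-0000-PLACEHOLDER-1',
    package: 'net/http',
    ranges: [
      { introduced: 'go1.21.0', fixed: 'go1.21.4' },
      { introduced: 'go1.22.0', fixed: 'go1.22.2' },
    ],
  },
  {
    id: 'GO-0000-PLACEHOLDER-2',
    package: 'crypto/tls',
    ranges: [{ introduced: 'go1.0.0', fixed: 'go1.20.0' }],
  },
];
const SAMPLE_BINARIES = [
  { path: '/usr/local/bin/api', goVersion: 'go1.21.3' },
  { path: '/usr/local/bin/worker', goVersion: 'go1.22.2' },
  { path: '/usr/local/bin/legacy', goVersion: 'go1.19' },
];

console.log(scanBinaries(SAMPLE_BINARIES, SAMPLE_ADVISORIES));
```

With the constructed data, `api` (go1.21.3) and `legacy` (go1.19) produce findings while `worker` (go1.22.2) sits exactly at a fixed version and is reported clean; the half-open range and the pre-release ordering are the two edge cases that most often go wrong in version matching, which is why the comparison is written out explicitly rather than done as a string compare.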
@bgardiner bgardiner requested review from a team as code owners March 18, 2026 13:32
@snyk-io

snyk-io bot commented Mar 18, 2026

Snyk checks have passed. No issues have been found so far.

Status Scan Engine Critical High Medium Low Total (0)
Open Source Security 0 0 0 0 0 issues
Licenses 0 0 0 0 0 issues
Code Security 0 0 0 0 0 issues

💻 Catch issues earlier using the plugins for VS Code, JetBrains IDEs, Visual Studio, and Eclipse.


@j-luong
Contributor

j-luong commented Mar 18, 2026

Hi @bgardiner, could you update the PR description with the original template headings? The main headings to include are:

  • What does this PR do?
  • How should this be manually tested?
  • What's the product update that needs to be communicated to CLI users?
  • Risk assessment (high/medium/low)

@bgardiner
Contributor Author

@j-luong Fixed. Sorry about that.

@bgardiner bgardiner enabled auto-merge March 18, 2026 15:46
@bdemeo12 bdemeo12 mentioned this pull request Mar 18, 2026
Contributor

@PeterSchafer PeterSchafer left a comment


Approving to get this merged. But @bgardiner do you see a chance to add a User Journey test (happy path acceptance test) for this in a later PR? This will help to detect regression.

…ker-plugin

# Conflicts:
#	package-lock.json
#	package.json
@github-actions
Contributor

github-actions bot commented Mar 19, 2026

Warnings
⚠️ There are multiple commits on your branch, please squash them locally before merging!
⚠️ "Merge remote-tracking branch 'origin/main' into chore/update-snyk-docker-plugin" is too long. Keep the first line of your commit message under 72 characters.

Generated by 🚫 dangerJS against 01d40a0


@bgardiner
Contributor Author

> But @bgardiner do you see a chance to add a User Journey test (happy path acceptance test) for this in a later PR? This will help to detect regression.

@PeterSchafer Will do, yes.


@snyk-pr-review-bot

PR Reviewer Guide 🔍

🧪 No relevant tests
🔒 No security concerns identified
⚡ No major issues detected
📚 Repository Context Analyzed

This review considered 12 relevant code sections from 2 files (average relevance: 0.55)

3 participants