diff --git a/_constraints b/_constraints
index a275540..3b9592e 100644
--- a/_constraints
+++ b/_constraints
@@ -2,7 +2,7 @@
- 10
+ 14
diff --git a/_service b/_service
index ae48680..93914b9 100644
--- a/_service
+++ b/_service
@@ -2,7 +2,7 @@
https://github.com/aquasecurity/trivy
git
- v0.67.2
+ v0.68.1
@PARENT_TAG@
v(.*)
enable
diff --git a/_servicedata b/_servicedata
index c205814..ff87fae 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
https://github.com/aquasecurity/trivy
- 60c57ad5ad7f270cecb51dff2dbf4d680114f6f8
+ 96290ae3fb1d974fd2f9ec7e37cee43f6b7f1511
\ No newline at end of file
diff --git a/trivy-0.67.2.tar.zst b/trivy-0.67.2.tar.zst
deleted file mode 100644
index 7b0196b..0000000
--- a/trivy-0.67.2.tar.zst
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:c0af11c2f9d23c4864c87937c5d33a1136592fe3d65054b339ba5321ba2e8b6a
-size 52632776
diff --git a/trivy-0.68.1.tar.zst b/trivy-0.68.1.tar.zst
new file mode 100644
index 0000000..2454dfd
--- /dev/null
+++ b/trivy-0.68.1.tar.zst
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:de79a513a649ad495e0f118f91d453ffbc598ab3231eb10fcf2b0d8818c159b5
+size 52162645
diff --git a/trivy.changes b/trivy.changes
index 06437e3..fafbd87 100644
--- a/trivy.changes
+++ b/trivy.changes
@@ -1,3 +1,122 @@
+-------------------------------------------------------------------
+Wed Dec 03 10:23:46 UTC 2025 - Dirk Müller
+
+- Update to version 0.68.1:
+ * release: v0.68.1 [main] (#9867)
+ * fix: update cosing settings for GoReleaser after bumping cosing to v3 (#9863)
+ * chore(deps): bump the testcontainers group with 2 updates (#9506)
+ * release: v0.68.0 [main] (#9549)
+ * feat(aws): Add support for dualstack ECR endpoints (#9862)
+ * fix(vex): use a separate `visited` set for each DFS path (#9760)
+ * docs: catch some missed docs -> guide (#9850)
+ * refactor(misconf): parse azure_policy_enabled to addonprofile.azurepolicy.enabled (#9851)
+ * chore(cli): Remove Trivy Cloud (#9847)
+ * fix(misconf): ensure value used as ignore marker is non-null and known (#9835)
+ * fix(misconf): map healthcheck start period flag to --start-period instead of --startPeriod (#9837)
+ * chore(deps): bump the docker group with 3 updates (#9776)
+ * chore(deps): bump golang.org/x/crypto from 0.41.0 to 0.45.0 (#9827)
+ * chore(deps): bump the common group across 1 directory with 20 updates (#9840)
+ * feat(image): add Sigstore bundle SBOM support (#9516)
+ * chore(deps): bump the aws group with 7 updates (#9691)
+ * test(k8s): update k8s integrtion test (#9725)
+ * chore(deps): bump github.com/containerd/containerd from 1.7.28 to 1.7.29 (#9764)
+ * feat(sbom): add support for SPDX attestations (#9829)
+ * docs(misconf): Remove duplicate sections (#9819)
+ * feat(misconf): Update Azure network schema for new checks (#9791)
+ * feat(misconf): Update AppService schema (#9792)
+ * fix(misconf): ensure boolean metadata values are correctly interpreted (#9770)
+ * feat(misconf): support https_traffic_only_enabled in Az storage account (#9784)
+ * docs: restructure docs for new hosting (#9799)
+ * docs(server): fix info about scanning licenses on the client side. (#9805)
+ * ci: remove unused preinstalled software/images for build tests to free up disk space. (#9814)
+ * feat(report): add fingerprint generation for vulnerabilities (#9794)
+ * chore: trigger the trivy-www workflow (#9737)
+ * fix: update all documentation links (#9777)
+ * feat(suse): Add new openSUSE, Micro and SLES releases end of life dates (#9788)
+ * test(go): set `GOPATH` for tests (#9785)
+ * feat(flag): add `--cacert` flag (#9781)
+ * fix(misconf): handle unsupported experimental flags in Dockerfile (#9769)
+ * test(go): refactor mod_test.go to use txtar format (#9775)
+ * docs: Fix typos and linguistic errors in documentation / hacktoberfest (#9586)
+ * chore(deps): bump github.com/opencontainers/selinux from 1.12.0 to 1.13.0 (#9778)
+ * chore(deps): bump github.com/containerd/containerd/v2 from 2.1.4 to 2.1.5 (#9763)
+ * fix(java): use `true` as default value for Repository Release|Snapshot Enabled in pom.xml and settings.xml files (#9751)
+ * docs: add info that `SSL_CERT_FILE` works on `Unix systems other than macOS` only (#9772)
+ * docs: change SecObserve URLs in documentatio (#9771)
+ * feat(db): enable concurrent access to vulnerability database (#9750)
+ * feat(misconf): add agentpools to azure container schema (#9714)
+ * feat(report): switch ReportID from UUIDv4 to UUIDv7 (#9749)
+ * feat(misconf): Update Azure Compute schema (#9675)
+ * feat(misconf): Update azure storage schema (#9728)
+ * feat(misconf): Update SecurityCenter schema (#9674)
+ * feat(image): pass global context to docker/podman image save func (#9733)
+ * chore(deps): bump the github-actions group with 4 updates (#9739)
+ * fix(flag): remove viper.SetDefault to fix IsSet() for config-only flags (#9732)
+ * feat(license): use separate SPDX ids to ignore SPDX expressions (#9087)
+ * feat(dotnet): add dependency graph support for .deps.json files (#9726)
+ * feat(misconf): Add support for configurable Rego error limit (#9657)
+ * feat(misconf): Add RoleAssignments attribute (#9396)
+ * feat(report): add image reference to report metadata (#9729)
+ * fix(os): Add photon 5.0 in supported OS (#9724)
+ * fix(license): handle SPDX WITH exceptions as single license in category detection (#9380)
+ * refactor: add case-insensitive string set implementation (#9720)
+ * feat: include registry and repository in artifact ID calculation (#9689)
+ * feat(java): add support remote repositories from settings.xml files (#9708)
+ * fix(sbom): don’t panic on SBOM format if scanned CycloneDX file has empty metadata (#9562)
+ * docs: update vulnerability reporting guidelines in SECURITY.md (#9395)
+ * docs: add info about `java-db` subdir (#9706)
+ * fix(report): correct field order in SARIF license results (#9712)
+ * test: improve golden file management in integration tests (#9699)
+ * ci: get base_sha using base.ref (#9704)
+ * refactor(misconf): mark AVDID fields as deprecated and use ID internally (#9576)
+ * fix(nodejs): fix npmjs parser.pkgNameFromPath() panic issue (#9688)
+ * fix: close all opened resources if an error occurs (#9665)
+ * refactor(misconf): type-safe parser results in generic scanner (#9685)
+ * feat(image): add RepoTags support for Docker archives (#9690)
+ * chore(deps): bump github.com/quic-go/quic-go from 0.52.0 to 0.54.1 (#9694)
+ * feat(misconf): Update Azure Container Schema (#9673)
+ * ci: use merge commit for apidiff to avoid false positives (#9622)
+ * feat(misconf): include map key in manifest snippet for diagnostics (#9681)
+ * refactor(misconf): add ManifestFromYAML for unified manifest parsing (#9680)
+ * test: update golden files for TestRepository* integration tests (#9684)
+ * refactor(cli): Update the cloud config command (#9676)
+ * fix(sbom): add `buildInfo` info as properties (#9683)
+ * feat: add ReportID field to scan reports (#9670)
+ * docs: add vulnerability database contribution guide (#9667)
+ * feat(cli): Add trivy cloud suppport (#9637)
+ * feat: add ArtifactID field to uniquely identify scan targets (#9663)
+ * fix(nodejs): use the default ID format to match licenses in pnpm packages. (#9661)
+ * feat(sbom): use SPDX license IDs list to validate SPDX IDs (#9569)
+ * fix: use context for analyzers (#9538)
+ * chore(deps): bump the docker group with 3 updates (#9545)
+ * chore(deps): bump the aws group with 6 updates (#9547)
+ * ci(helm): bump Trivy version to 0.67.2 for Trivy Helm Chart 0.19.1 (#9641)
+ * test(helm): bump up Yamale dependency for Helm chart-testing-action (#9653)
+ * fix: Trim the end-of-range suffix (#9618)
+ * test(k8s): use a specific bundle for k8s misconfig scan (#9633)
+ * fix: Use `fetch-level: 1` to check out trivy-repo in the release workflow (#9636)
+ * refactor: move the aws config (#9617)
+ * fix(license): don't normalize `unlicensed` licenses into `unlicense` (#9611)
+ * fix: using SrcVersion instead of Version for echo detector (#9552)
+ * feat(fs): change artifact type to repository when git info is detected (#9613)
+ * fix: add `buildInfo` for `BlobInfo` in `rpc` package (#9608)
+ * fix(vex): don't use reused BOM (#9604)
+ * ci: use pull_request_target for apidiff workflow to support fork PRs (#9605)
+ * fix: restore compatibility for google.protobuf.Value (#9559)
+ * ci: add API diff workflow (#9600)
+ * chore(deps): update to module-compatible docker-credential-gcr/v2 (#9591)
+ * docs: improve documentation for scanning raw IaC configurations (#9571)
+ * feat: allow ignoring findings by type in Rego (#9578)
+ * docs: bump pygments from 2.18.0 to 2.19.2 (#9596)
+ * refactor(misconf): add ID to scan.Rule (#9573)
+ * fix(java): update order for resolving package fields from multiple demManagement (#9575)
+ * chore(deps): bump the github-actions group across 1 directory with 9 updates (#9563)
+ * chore(deps): bump the common group across 1 directory with 7 updates (#9590)
+ * chore(deps): Switch to go-viper/mapstructure (#9579)
+ * chore: add context to the cache interface (#9565)
+ * ci(helm): bump Trivy version to 0.67.0 for Trivy Helm Chart 0.19.0 (#9554)
+ * fix: validate backport branch name (#9548)
+
-------------------------------------------------------------------
Mon Nov 10 14:05:45 UTC 2025 - Dirk Müller
diff --git a/trivy.spec b/trivy.spec
index 4a5cf50..afce6f0 100644
--- a/trivy.spec
+++ b/trivy.spec
@@ -17,7 +17,7 @@
Name: trivy
-Version: 0.67.2
+Version: 0.68.1
Release: 0
Summary: A Simple and Comprehensive Vulnerability Scanner for Containers
License: Apache-2.0
diff --git a/vendor.tar.zst b/vendor.tar.zst
index 7b069e6..4384efd 100644
--- a/vendor.tar.zst
+++ b/vendor.tar.zst
@@ -1,3 +1,3 @@
version https://git-lfs.github.com/spec/v1
-oid sha256:d46d1b092e1a7b311a278504edd8842c9d000f4a2bcc1f536cd102dc3a9daff2
-size 42544562
+oid sha256:eecc750ffe8a863533cde96e35f6e85317ea60b9be56a4095e4167a78cc7f49c
+size 42000488