
Exclude docker/docker plugin and AuthZ vulns from govulncheck #4522

Closed
JAORMX wants to merge 1 commit into main from jaosorior/skip-docker-vulns

Conversation


@JAORMX JAORMX commented Apr 3, 2026

Summary

Two new Docker Engine vulnerabilities (published 2026-04-02) are failing the govulncheck CI check across all PRs. Neither is exploitable in ToolHive because we are a pure Docker API client, but no patched release exists for the github.com/docker/docker v28.x module path we consume.

  • GO-2026-4883 (CVE-2026-33997, CVSS 6.8): Off-by-one error in Docker Engine's plugin privilege validation during docker plugin install. ToolHive never installs, enables, or manages Docker plugins -- zero plugin-related API calls exist in the codebase.
  • GO-2026-4887 (CVE-2026-34040, CVSS 8.8): AuthZ plugin bypass via oversized request bodies (incomplete fix for CVE-2024-41110). Exploitable only when the Docker daemon is configured with AuthZ plugins and an attacker has local API access. ToolHive does not run a Docker daemon, does not expose Docker API endpoints, and does not implement AuthZ plugin middleware.

Both are fixed in Docker Engine 29.3.1 / moby/moby/v2 v2.0.0-beta.8, but the github.com/docker/docker module (all v28.x) has no patched release. Added to the govulncheck exclusion list with detailed justification comments.

Type of change

  • Other (describe): CI govulncheck exclusion for non-applicable vulnerabilities

Test plan

  • Manual testing (describe below)

Verified the exclusion list format matches the existing pattern and that the govulncheck step's jq/grep pipeline will correctly filter these IDs.

Does this introduce a user-facing change?

No.

Generated with Claude Code

GO-2026-4883 (CVE-2026-33997, CVSS 6.8) and GO-2026-4887
(CVE-2026-34040, CVSS 8.8) affect Docker Engine's plugin privilege
validation and AuthZ plugin middleware respectively. Neither is
exploitable in ToolHive because we are a pure Docker API client: we
never install or manage plugins, never run a Docker daemon, and never
expose Docker API endpoints. Both are fixed in Docker Engine 29.3.1
but no patched release exists for the github.com/docker/docker v28.x
module path we consume.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
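As an added illustration (not ToolHive's CI step, and not the PR's own jq/grep pipeline), the same exclusion check written in Python: it parses a constructed govulncheck -json stream, drops the two excluded IDs whether matched by Go vuln DB id or by CVE alias, and reports every other finding together with how precisely govulncheck could attribute it (symbol-level versus module-level), so a reviewer can see why the unexcluded one still blocks.

```python
"""Added illustration (not ToolHive's CI step): a Python stand-in for the
jq/grep pipeline that filters govulncheck -json findings by a justified list."""
import json

# Exclusions keyed by Go vuln DB id, each with its written justification.
EXCLUSIONS = {
    "GO-2026-4883": "plugin install privilege check; no plugin API calls made",
    "GO-2026-4887": "AuthZ plugin middleware bypass; no daemon, no AuthZ middleware",
}

# Constructed govulncheck -json stream, one object per line. The two Docker
# findings carry only a module in their trace; the third (also constructed)
# is symbol-level with a fix available, so it must keep blocking CI.
SAMPLE_STREAM = "\n".join([
    '{"osv": {"id": "GO-2026-4883", "aliases": ["CVE-2026-33997"]}}',
    '{"osv": {"id": "GO-2026-4887", "aliases": ["CVE-2026-34040"]}}',
    '{"osv": {"id": "GO-0000-0001", "aliases": ["CVE-0000-0001"]}}',
    '{"finding": {"osv": "GO-2026-4883", "trace": [{"module": "github.com/docker/docker"}]}}',
    '{"finding": {"osv": "GO-2026-4887", "trace": [{"module": "github.com/docker/docker"}]}}',
    '{"finding": {"osv": "GO-0000-0001", "fixed_version": "v1.2.3", "trace": '
    '[{"module": "example.com/lib", "package": "example.com/lib/p", "function": "Parse"}]}}',
])

def parse_stream(text):
    """Return (aliases, findings): OSV id -> CVE aliases, plus every finding."""
    aliases, findings = {}, []
    for line in filter(str.strip, text.splitlines()):
        msg = json.loads(line)
        if "osv" in msg:
            aliases[msg["osv"]["id"]] = msg["osv"].get("aliases", [])
        elif "finding" in msg:
            findings.append(msg["finding"])
    return aliases, findings

def granularity(finding):
    """trace[0] is the vulnerable end of the chain: a function there means
    govulncheck proved a reachable symbol, a bare module means it could not."""
    first = finding["trace"][0] if finding.get("trace") else {}
    return next((k for k in ("function", "package", "module") if first.get(k)), "module")

def gate(text, exclusions):
    """Return findings that still block CI as (osv id, granularity, fix) tuples."""
    aliases, findings = parse_stream(text)
    blocking = []
    for f in findings:
        ids = {f["osv"], *aliases.get(f["osv"], [])}  # match on GO id or CVE alias
        if not ids & set(exclusions):
            blocking.append((f["osv"], granularity(f), f.get("fixed_version") or "unfixed"))
    return blocking
```

A non-empty result from `gate` is what should fail the CI step; an exclusion entry without a justification string is the thing to reject in review.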
@github-actions github-actions bot added the size/XS Extra small PR: < 100 lines changed label Apr 3, 2026
@ChrisJBurns
Collaborator

Has been fixed #4521 ... beat ya to it!!!

@JAORMX JAORMX closed this Apr 3, 2026