This PR contains the following updates:

| Package | Update | Change |
|---|---|---|
| [mirror.gcr.io/aquasec/trivy](https://www.aquasec.com/products/trivy/) ([source](https://github.com/aquasecurity/trivy)) | minor | `0.63.0` -> `0.64.1` |

---

### Release Notes

<details>
<summary>aquasecurity/trivy (mirror.gcr.io/aquasec/trivy)</summary>

### [`v0.64.1`](https://github.com/aquasecurity/trivy/releases/tag/v0.64.1)

[Compare Source](aquasecurity/trivy@v0.64.0...v0.64.1)

#### Changelog

- [`86ee3c1`](aquasecurity/trivy@86ee3c1) release: v0.64.1 \[release/v0.64] ([#&#8203;9122](aquasecurity/trivy#9122))
- [`4e12722`](aquasecurity/trivy@4e12722) fix(misconf): skip rewriting expr if attr is nil \[backport: release/v0.64] ([#&#8203;9127](aquasecurity/trivy#9127))
- [`9a7d384`](aquasecurity/trivy@9a7d384) fix(cli): Add more non-sensitive flags to telemetry \[backport: release/v0.64] ([#&#8203;9124](aquasecurity/trivy#9124))
- [`53adfba`](aquasecurity/trivy@53adfba) fix(rootio): check full version to detect `root.io` packages \[backport: release/v0.64] ([#&#8203;9120](aquasecurity/trivy#9120))
- [`8cf1bf9`](aquasecurity/trivy@8cf1bf9) fix(alma): parse epochs from rpmqa file \[backport: release/v0.64] ([#&#8203;9119](aquasecurity/trivy#9119))

### [`v0.64.0`](https://github.com/aquasecurity/trivy/blob/HEAD/CHANGELOG.md#0640-2025-06-30)

[Compare Source](aquasecurity/trivy@v0.63.0...v0.64.0)

##### Features

- **cli:** add version constraints to annoucements ([#&#8203;9023](aquasecurity/trivy#9023)) ([19efa9f](aquasecurity/trivy@19efa9f))
- **java:** dereference all maven settings.xml env placeholders ([#&#8203;9024](aquasecurity/trivy#9024)) ([5aade69](aquasecurity/trivy@5aade69))
- **misconf:** add OpenTofu file extension support ([#&#8203;8747](aquasecurity/trivy#8747)) ([57801d0](aquasecurity/trivy@57801d0))
- **misconf:** normalize CreatedBy for buildah and legacy docker builder ([#&#8203;8953](aquasecurity/trivy#8953)) ([65e155f](aquasecurity/trivy@65e155f))
- **redhat:** Add EOL date for RHEL 10. ([#&#8203;8910](aquasecurity/trivy#8910)) ([48258a7](aquasecurity/trivy@48258a7))
- reject unsupported artifact types in remote image retrieval ([#&#8203;9052](aquasecurity/trivy#9052)) ([1e1e1b5](aquasecurity/trivy@1e1e1b5))
- **sbom:** add manufacturer field to CycloneDX tools metadata ([#&#8203;9019](aquasecurity/trivy#9019)) ([41d0f94](aquasecurity/trivy@41d0f94))
- **terraform:** add partial evaluation for policy templates ([#&#8203;8967](aquasecurity/trivy#8967)) ([a9f7dcd](aquasecurity/trivy@a9f7dcd))
- **ubuntu:** add end of life date for Ubuntu 25.04 ([#&#8203;9077](aquasecurity/trivy#9077)) ([367564a](aquasecurity/trivy@367564a))
- **ubuntu:** add eol date for 20.04-ESM ([#&#8203;8981](aquasecurity/trivy#8981)) ([87118a0](aquasecurity/trivy@87118a0))
- **vuln:** add Root.io support for container image scanning ([#&#8203;9073](aquasecurity/trivy#9073)) ([3a0ec0f](aquasecurity/trivy@3a0ec0f))

##### Bug Fixes

- Add missing version check flags ([#&#8203;8951](aquasecurity/trivy#8951)) ([ef5f8de](aquasecurity/trivy@ef5f8de))
- **cli:** add some values to the telemetry call ([#&#8203;9056](aquasecurity/trivy#9056)) ([fd2bc91](aquasecurity/trivy@fd2bc91))
- Correctly check for semver versions for trivy version check ([#&#8203;8948](aquasecurity/trivy#8948)) ([b813527](aquasecurity/trivy@b813527))
- don't show corrupted trivy-db warning for first run ([#&#8203;8991](aquasecurity/trivy#8991)) ([4ed78e3](aquasecurity/trivy@4ed78e3))
- **misconf:** .Config.User always takes precedence over USER in .History ([#&#8203;9050](aquasecurity/trivy#9050)) ([371b8cc](aquasecurity/trivy@371b8cc))
- **misconf:** correct Azure value-to-time conversion in AsTimeValue ([#&#8203;9015](aquasecurity/trivy#9015)) ([40d017b](aquasecurity/trivy@40d017b))
- **misconf:** move disabled checks filtering after analyzer scan ([#&#8203;9002](aquasecurity/trivy#9002)) ([a58c36d](aquasecurity/trivy@a58c36d))
- **misconf:** reduce log noise on incompatible check ([#&#8203;9029](aquasecurity/trivy#9029)) ([99c5151](aquasecurity/trivy@99c5151))
- **nodejs:** correctly parse `packages` array of `bun.lock` file ([#&#8203;8998](aquasecurity/trivy#8998)) ([875ec3a](aquasecurity/trivy@875ec3a))
- **report:** don't panic when report contains vulns, but doesn't contain packages for `table` format ([#&#8203;8549](aquasecurity/trivy#8549)) ([87fda76](aquasecurity/trivy@87fda76))
- **sbom:** remove unnecessary OS detection check in SBOM decoding ([#&#8203;9034](aquasecurity/trivy#9034)) ([198789a](aquasecurity/trivy@198789a))

</details>

---

### Configuration

📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined).

🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied.

♻ **Rebasing**: Whenever PR is behind base branch, or you tick the rebase/retry checkbox.

🔕 **Ignore**: Close this PR and you won't be reminded about this update again.

---

 - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box

---

This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate).
<!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS4xLjMiLCJ1cGRhdGVkSW5WZXIiOiI0MS4xLjMiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbImltYWdlIl19-->

Reviewed-on: https://gitea.alexlebens.dev/alexlebens/infrastructure/pulls/812
Co-authored-by: Renovate Bot <renovate-bot@alexlebens.net>
Co-committed-by: Renovate Bot <renovate-bot@alexlebens.net>