
[Aikido] Fix 4 security issues in gotenberg-fulll #7

Merged
jcoste-ied merged 1 commit into main from fix/aikido-security-container-fix-17593549-dv2F
Feb 27, 2026

Conversation

@aikido-autofix

Aikido updated the base image from debian:13-slim to debian:13-slim

The debian:13-slim base image is pinned to the latest digest across two stages, resolving 3 high-severity vulnerabilities in libpng and 1 medium-severity vulnerability in libgnutls30t64.

✅ 4 CVEs resolved by this upgrade

This PR will resolve the following CVEs:

Issue / Severity / Description

CVE-2026-25646 (HIGH): An out-of-bounds read vulnerability in libpng's png_set_quantize() function can cause an infinite loop when processing certain valid PNG images with specific palette configurations, leading to denial of service through memory exhaustion or crash.

CVE-2026-22801 (HIGH): Integer truncation in libpng's simplified write API functions causes heap buffer over-read when processing negative row strides or strides exceeding 65535 bytes, leading to information disclosure or potential code execution.

CVE-2026-22695 (HIGH): A heap buffer over-read vulnerability exists in libpng's simplified API when processing interlaced 16-bit PNGs with 8-bit output format and non-minimal row stride, potentially leading to information disclosure or denial of service.

CVE-2025-14831 (MEDIUM): A flaw was found in GnuTLS. This vulnerability allows a denial of service (DoS) by excessive CPU (Central Processing Unit) and memory consumption via specially crafted malicious certificates containing a large number of name constraints and subject alternative names (SANs).

@wiz-poc-connector

Wiz Scan Summary

Scanner Findings

  Vulnerability Finding          Vulnerabilities                -
  Data Finding                   Sensitive Data                 -
  Secret Finding                 Secrets                        -
  IaC Misconfiguration           IaC Misconfigurations          1 High, 2 Medium, 2 Low
  SAST Finding                   SAST Findings                  -
  Software Management Finding    Software Management Findings   -
  Total                                                         1 High, 2 Medium, 2 Low


# Base image stage
# ----------------------------------------------
FROM debian:13-slim AS base-image-stage
FROM debian:13-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS base-image-stage
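Review bot: the rendered diff replaces the tag-only `FROM debian:13-slim AS base-image-stage` with the digest-pinned line, yet the Wiz finding on this same hunk reports two FROM instructions sharing the alias `base-image-stage`; please confirm the old line was actually deleted rather than left beside the new one, because in a multi-stage build the later definition silently wins and the unpinned image would still be pulled. While here, a short comment above the pinned line recording which `debian:13-slim` revision the sha256 digest corresponds to would make future bumps reviewable, since the tag is now informational only.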


High IaC Finding

Same Alias In Different Froms
on resource FROM debian:13-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS base-image-stage

More Details
Different FROMs can't have the same alias defined

Expected

Different FROM commands don't have the same alias defined

Found

Different FROM commands with the same alias 'base-image-stage' defined

Rule ID: 1b997040-db67-4b61-8eea-6e638bd94d0e

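As an added illustration of the two checks this PR touches on, the digest pinning from the Aikido fix and the duplicate stage alias from the Wiz finding, here is a small checker for Dockerfile FROM instructions. This is example code, not part of the gotenberg-fulll project or of either scanner; the sample Dockerfile is constructed to mirror the diff above (its digest is the one shown in the PR), and the function and constant names are my own.

```python
import re

# Matches a Dockerfile FROM instruction:
#   FROM [--platform=<p>] <image>[:<tag>][@sha256:<digest>] [AS <alias>]
FROM_RE = re.compile(
    r"^\s*FROM\s+(?:--platform=\S+\s+)?(?P<ref>\S+)(?:\s+AS\s+(?P<alias>\S+))?\s*$",
    re.IGNORECASE,
)
# A digest-pinned reference ends in @sha256:<64 hex chars>; a tag alone is mutable.
DIGEST_RE = re.compile(r"@sha256:[0-9a-f]{64}$")


def is_digest_pinned(ref: str) -> bool:
    """True if the image reference is pinned to a content digest, not just a tag."""
    return DIGEST_RE.search(ref) is not None


def check_dockerfile(text: str) -> list[tuple[int, str]]:
    """Scan FROM instructions and report (line_no, finding) for images that are
    only tag-pinned and for stage aliases that are defined more than once."""
    findings = []
    stages: dict[str, int] = {}  # alias (lowercased) -> line where it was defined
    for no, line in enumerate(text.splitlines(), 1):
        m = FROM_RE.match(line)
        if not m:
            continue
        ref, alias = m.group("ref"), m.group("alias")
        # FROM <earlier-stage> reuses a stage, not a registry image: no digest expected
        if ref.lower() not in stages and not is_digest_pinned(ref):
            findings.append((no, f"image {ref!r} is not digest-pinned"))
        if alias is not None:
            key = alias.lower()
            if key in stages:
                findings.append((no, f"alias {alias!r} already defined on line {stages[key]}"))
            else:
                stages[key] = no
    return findings


# Constructed sample mirroring the PR: an unpinned and a pinned FROM sharing one alias,
# followed by a stage that builds on it. Hypothetical Dockerfile, not the project's own.
SAMPLE_DOCKERFILE = """\
# Base image stage
FROM debian:13-slim AS base-image-stage
FROM debian:13-slim@sha256:1d3c811171a08a5adaa4a163fbafd96b61b87aa871bbc7aa15431ac275d3d430 AS base-image-stage
FROM base-image-stage AS final
"""

if __name__ == "__main__":
    for no, msg in check_dockerfile(SAMPLE_DOCKERFILE):
        print(f"line {no}: {msg}")
```

Run against the sample it flags the tag-only line and the repeated alias, which is exactly the state the Wiz rule warns about if the old FROM line survived the change.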

@jcoste-ied jcoste-ied merged commit bf5eeb1 into main Feb 27, 2026
6 checks passed
