Container scanning suddenly breaks with "invalid byte sequence in US-ASCII"

Yesterday, our container scanning jobs suddenly started failing in one of your projects with:

[ERROR] [2025-12-04 10:15:23 +0100] [container-scanning] > invalid byte sequence in US-ASCII

There was a similar issue #436970 (closed). This seems to be caused by UTF-8 symbols in the output of trivy, but it looks like #436970 (closed) was only fixed in the -fips images.

The reason this started failing yesterday seems to be that trivy made a new release yesterday and so trivy started making this output:

📣 Notices:
  - Version 0.68.1 of Trivy is now available, current version is 0.67.2

Notice the UTF-8 symbol before "Notices:".

The reason only one of your projects was affected was that we were setting LANG: en_US.UTF-8 globally in the pipeline and I guess this locale doesn't exist in the container scanning image.

We worked around it by setting LANG: C.UTF-8 on the container scanning job.

Imho there are two separate issues here:

  • it doesn't make sense to have this output from trivy in CI. Imho GitLab should start trivy with --skip-version-check to avoid this in the first place.
  • the container scanning job should either fall back to C.UTF-8 if the locale specified in LANG is not available or ignore any custom LANG variable.
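Added example, not part of the original report and not GitLab's analyzer code: a Ruby sketch of the failure mode and of locale-independent decoding. It assumes the job processes trivy's output in Ruby and that an unavailable LANG locale leaves piped input tagged US-ASCII; `read_as`, `extract_versions`, `try_extract` and `decode_tool_output` are hypothetical names, and the sample bytes are constructed from the output quoted above.

```ruby
# Constructed sample: the bytes of the trivy notice quoted in the report.
# "\xF0\x9F\x93\xA3" is the UTF-8 encoding of the megaphone symbol (U+1F4E3).
TRIVY_OUTPUT = ("\xF0\x9F\x93\xA3 Notices:\n" \
  "  - Version 0.68.1 of Trivy is now available, current version is 0.67.2\n").b

# Simulates how a Ruby process tags piped input. With LANG pointing at a
# locale that is not installed, the C locale applies and
# Encoding.default_external is US-ASCII (assumption stated in the lead-in).
def read_as(bytes, encoding)
  bytes.dup.force_encoding(encoding)
end

# Hypothetical processing step: any regexp scan over the tool output.
def extract_versions(text)
  text.scan(/Version (\S+) of Trivy/).flatten
end

# Returns the extracted versions, or the error message if the scan fails.
def try_extract(text)
  extract_versions(text)
rescue ArgumentError => e
  e.message
end

# Locale-independent decoding: treat tool output as UTF-8 whatever LANG
# says, and replace bytes that are not valid UTF-8 instead of raising later.
def decode_tool_output(bytes)
  bytes.dup.force_encoding(Encoding::UTF_8).scrub("?")
end

if __FILE__ == $PROGRAM_NAME
  # Non-ASCII bytes in a US-ASCII string make the regexp scan raise.
  puts "US-ASCII tagged: #{try_extract(read_as(TRIVY_OUTPUT, 'US-ASCII')).inspect}"
  # The same bytes decoded defensively parse cleanly.
  puts "UTF-8 decoded:   #{try_extract(decode_tool_output(TRIVY_OUTPUT)).inspect}"
end
```

Decoding explicitly removes the dependency on LANG entirely, so a globally set locale that the image lacks can no longer change how the output is parsed.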