
Bump Trivy to Uncompromised Version#311

Merged
GA-XavierGonzalez merged 1 commit into develop from security/hotfix_trivy_action_version
Mar 22, 2026

Conversation

@GA-XavierGonzalez (Contributor)

Trivy has had a security compromise. Versions older than v0.35.0 are pointing to a malicious commit.
GHSA-69fq-xp46-6x23

This PR bumps the action to a safe version

@GA-XavierGonzalez GA-XavierGonzalez merged commit 979d3b9 into develop Mar 22, 2026
3 of 5 checks passed
@omad (Contributor)

omad commented Mar 23, 2026

Heads up, this is good for now, but it's much safer to pin any third-party actions by SHA checksum instead of version tags. Version tags can (and frequently do) get changed by attackers, and there have been several instances of it happening in the last year.

See: https://wellarchitected.github.com/library/application-security/recommendations/actions-security/#pin-versions-of-actions

There's conflicting information floating around, but I believe dependabot does support updating pinned actions versions of the format:

    uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0

There are tools that can automate the conversion. There's none in particular I'd recommend, just pick one.

Cheers 😁
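A defender-side check for the pinning format discussed in the comment above, added here as an example and not part of this PR or the project's own code: it scans workflow text for `uses:` references and flags any external action whose version is a mutable tag or branch rather than a full 40-hex commit SHA. The sample workflow is constructed, and the function names are the example's own.

```python
import re
from typing import Dict, List

# Constructed sample workflow (not from the repository this PR belongs to).
# The trivy-action line uses the SHA-pinned form suggested in the comment.
SAMPLE_WORKFLOW = """
jobs:
  scan:
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      - uses: some-org/some-action@main
      - uses: ./.github/actions/local-step
      - uses: docker://alpine:3.19
"""

# Matches "- uses: <ref>" with an optional trailing "# comment" (e.g. "# v0.35.0").
USES_RE = re.compile(r"^\s*-?\s*uses:\s*(?P<ref>\S+)(?:\s*#\s*(?P<note>.*))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_uses(ref: str) -> str:
    """Classify one `uses:` target as sha, tag, branch, local or docker."""
    if ref.startswith("./"):
        return "local"      # in-repo action: nothing external to pin
    if ref.startswith("docker://"):
        return "docker"     # image reference: pin with an image digest instead
    _, _, version = ref.partition("@")
    if SHA_RE.match(version):
        return "sha"        # immutable: a commit hash cannot be re-pointed
    if re.match(r"^v?\d", version):
        return "tag"        # mutable: a tag can be moved by the owner or an attacker
    return "branch"         # mutable: tracks whatever the branch head is


def find_unpinned(workflow_text: str) -> List[Dict[str, str]]:
    """Return every external action reference not pinned to a full commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group("ref")
        kind = classify_uses(ref)
        if kind in ("tag", "branch"):
            findings.append({"line": str(lineno), "ref": ref, "kind": kind})
    return findings


if __name__ == "__main__":
    for f in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {f['line']}: {f['ref']} is pinned by {f['kind']}, not by SHA")
```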


3 participants