modified
action.yaml
+4
@@ -58,6 +58,9 @@ runs:
58
58
path: ${{ steps.binary-dir.outputs.dir }}
59
59
key: trivy-binary-${{ inputs.version }}-${{ runner.os }}-${{ runner.arch }}
60
60
61
+
## Security: Pin to a specific commit hash (not tag) to prevent supply chain attacks.
62
+
## The install script is stable and can install different Trivy versions.
63
+
## Update this ref as needed after reviewing changes to contrib/install.sh
61
64
- name: Checkout install script
62
65
if: steps.cache.outputs.cache-hit != 'true'
63
66
uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v6.0.1
@@ -67,6 +70,7 @@ runs:
67
70
contrib
68
71
path: trivy
69
72
fetch-depth: 1
73
+
ref: 75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a # main (with -c flag support)
70
74
github-server-url: ${{ inputs.github-server-url }}
71
75
token: ${{ inputs.token }}
72
76
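Review bot: The comment added in the first hunk says the SHA pin prevents supply chain attacks, but pinning `ref:` only fixes the contents of contrib/install.sh; whether the Trivy binary that script then downloads is checksum- or signature-verified is not visible here and is the part that actually matters, so I would narrow the comment to `## Security: pin the install script to a commit SHA so its contents cannot change under us; install.sh itself must verify the release checksum/signature.` The `repository:` the script is fetched from is outside the hunk, so I cannot confirm it points at the upstream repo; a full 40-hex SHA is content-addressed, which is also what makes the pin hold when `inputs.github-server-url` is pointed at a different server. Quote the SHA, `ref: '75c4dc0f45c5d7ffd05ae26df1e0c666787bdf2a'`, since a future SHA made only of digits (or digits plus an `e`) would be read as a number by yamllint and YAML 1.1 loaders. The trailing `# main (with -c flag support)` goes stale the moment the pin is bumped; record the PR or date it was reviewed under instead of the branch name.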