Pinning Trivy GH Action to commit hash for v0.35.0 #1519
Merged
Author (collaborator) comment:
To check for successful credential rotation, I manually ran the CI pipeline: https://github.com/OWASP/threat-dragon/actions/runs/23407258044
No other keys were rotated, so I think we are good.
Summary:
Relates to #1518
Updates all Trivy GH Actions to v0.35.0 - but using the commit hash instead of a version tag.
Our Trivy actions are failing because the tags they reference are no longer available. All tags were removed as part of the containment effort by AquaSecurity (the makers of Trivy) related to a recent compromise.
Unlike tags, commit hashes are immutable. Even if the git history is rewritten, the commit becomes orphaned rather than overwritten.
Description for the changelog:
Pin Trivy GitHub action to specific commit
Other info:
This is the exact recommendation from AquaSecurity: https://www.aquasec.com/blog/autonomous-runtime-security-turning-runtime-intelligence-into-agentic-response-2/
I think there needs to be a larger discussion around GH Actions / dependency pinning. Aggressive pinning like this does increase maintenance overhead, and it is also less readable than a tag which is usually a semantic version. However, due to the immutable nature of commit hashes, this is significantly more secure from a dependency management / supply chain hardening perspective.
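As an added example for the pinning discussion above (not threat-dragon's code, and not the PR's diff), the script below does the two things a reviewer of this kind of change wants automated: it flags every `uses:` step in a workflow that still points at a mutable tag or branch, and it rewrites a chosen step from `action@tag` to `action@sha  # tag`, keeping the tag as a trailing comment so the readability concern raised above is addressed. The workflow text and the 40-hex SHAs in it are constructed placeholders, not real commits of trivy-action or any other action; `find_unpinned_uses`, `pin_uses`, `PLACEHOLDER_SHA` and `SAMPLE_WORKFLOW` are names introduced here.

```python
"""Flag GitHub Actions steps that reference a mutable ref (tag/branch) instead of a
commit SHA, and rewrite them to SHA pins with the original tag kept as a comment.

Added example for this PR discussion; not threat-dragon's code. It uses a regex over
the `uses:` lines rather than a YAML parser so it runs with the standard library only.
"""
import re
import sys
from pathlib import Path
from typing import Dict, List, Tuple

# Matches `- uses: owner/repo[/path]@ref  # optional comment` (quoted refs are not handled).
USES_RE = re.compile(
    r"^(?P<indent>\s*-?\s*uses:\s*)"
    r"(?P<action>[\w.-]+/[\w.-]+(?:/[\w./-]+)?)@(?P<ref>[^\s#]+)(?P<rest>.*)$"
)
# A full 40-hex commit SHA; anything else (v4, v0.35.0, main) is a mutable pointer.
SHA_RE = re.compile(r"^[0-9a-fA-F]{40}$")

Finding = Tuple[int, str, str]  # (line number, action@ref, reason)


def find_unpinned_uses(workflow_text: str) -> List[Finding]:
    """Return one finding per `uses:` step that is not pinned to a commit SHA,
    plus SHA pins that lack the `# vX.Y.Z` comment the tag normally provides."""
    findings: List[Finding] = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue  # local actions (./path) and docker:// images never match
        action, ref, rest = m.group("action"), m.group("ref"), m.group("rest")
        if SHA_RE.fullmatch(ref):
            if "#" not in rest:
                findings.append((lineno, f"{action}@{ref}", "SHA pin without version comment"))
            continue
        findings.append((lineno, f"{action}@{ref}", "mutable ref (tag or branch)"))
    return findings


def pin_uses(workflow_text: str, resolved: Dict[str, str]) -> str:
    """Rewrite `action@tag` to `action@sha  # tag` for every key in `resolved`
    (mapping "owner/repo@tag" -> 40-hex SHA). Refs not in the map are left untouched."""
    out = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if m and not SHA_RE.fullmatch(m.group("ref")):
            key = f"{m.group('action')}@{m.group('ref')}"
            sha = resolved.get(key)
            if sha is not None:
                if not SHA_RE.fullmatch(sha):
                    raise ValueError(f"{key}: {sha!r} is not a full commit SHA")
                line = f"{m.group('indent')}{m.group('action')}@{sha}  # {m.group('ref')}"
        out.append(line)
    return "\n".join(out) + ("\n" if workflow_text.endswith("\n") else "")


# Constructed sample workflow. The SHAs below are placeholders, not real commits of
# any action; resolve the real one with `git ls-remote --tags <repo-url> <tag>`.
PLACEHOLDER_SHA = "0123456789abcdef0123456789abcdef01234567"
SAMPLE_WORKFLOW = """\
name: trivy-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy
        uses: aquasecurity/trivy-action@v0.35.0
        with:
          scan-type: fs
      - uses: ./.github/actions/local-step
      - uses: example/already-pinned@89abcdef0123456789abcdef0123456789abcdef  # v1.2.3
      - uses: example/no-comment@fedcba9876543210fedcba9876543210fedcba98
"""


def demo() -> Tuple[List[Finding], str]:
    """Scan the sample, then pin the Trivy step the way this PR does (tag -> SHA)."""
    findings = find_unpinned_uses(SAMPLE_WORKFLOW)
    pinned = pin_uses(SAMPLE_WORKFLOW, {"aquasecurity/trivy-action@v0.35.0": PLACEHOLDER_SHA})
    return findings, pinned


if __name__ == "__main__":
    # With file paths given, scan real workflow files; otherwise run on the constructed sample.
    paths = [Path(p) for p in sys.argv[1:]]
    if paths:
        for path in paths:
            for lineno, step, reason in find_unpinned_uses(path.read_text()):
                print(f"{path}:{lineno}: {step}: {reason}")
    else:
        findings, pinned = demo()
        for lineno, step, reason in findings:
            print(f"line {lineno}: {step}: {reason}")
        print(pinned)
```

Run it as `python pin_check.py .github/workflows/*.yml` to list the steps that still float on a tag. To fill the `resolved` map for `pin_uses`, `git ls-remote --tags https://github.com/<owner>/<repo> <tag>` prints the object the tag currently points at; for an annotated tag it prints two lines, and the `refs/tags/<tag>^{}` entry is the peeled commit SHA you want. Do that resolution once, from a clean checkout you trust, since a tag that has already been moved by an attacker resolves to the attacker's commit just as readily. The regex deliberately ignores quoted `uses:` values and local or `docker://` actions; the local ones are under your own repository's control and the container case needs a digest pin rather than a commit SHA.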