fix: pin Trivy binary version to v0.69.3 in all CI workflows

2026-03-05 13:04:33 +00:00
parent 924b8227b5
commit 8c7a55eaa2
3 changed files with 8 additions and 0 deletions
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-build.yml
@@ -537,6 +537,7 @@ jobs:
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'
+          version: 'v0.69.3'
        continue-on-error: true

      - name: Run Trivy vulnerability scanner (SARIF)
@@ -548,6 +549,7 @@ jobs:
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'
+          version: 'v0.69.3'
        continue-on-error: true

      - name: Check Trivy SARIF exists
@@ -695,6 +697,7 @@ jobs:
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '0'
+          version: 'v0.69.3'

      - name: Run Trivy scan on PR image (SARIF - blocking)
        id: trivy-scan
@@ -705,6 +708,7 @@ jobs:
          output: 'trivy-pr-results.sarif'
          severity: 'CRITICAL,HIGH'
          exit-code: '1'  # Intended to block, but continued on error for now
+          version: 'v0.69.3'
        continue-on-error: true

      - name: Check Trivy PR SARIF exists
--- a/.github/workflows/nightly-build.yml
+++ b/.github/workflows/nightly-build.yml
@@ -401,6 +401,7 @@ jobs:
          image-ref: ${{ env.GHCR_REGISTRY }}/${{ env.IMAGE_NAME }}@${{ needs.build-and-push-nightly.outputs.digest }}
          format: 'sarif'
          output: 'trivy-nightly.sarif'
+          version: 'v0.69.3'

      - name: Upload Trivy results
        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162  # v4.32.5
--- a/.github/workflows/security-weekly-rebuild.yml
+++ b/.github/workflows/security-weekly-rebuild.yml
@@ -99,6 +99,7 @@ jobs:
          format: 'table'
          severity: 'CRITICAL,HIGH'
          exit-code: '1' # Fail workflow if vulnerabilities found
+          version: 'v0.69.3'
        continue-on-error: true

      - name: Run Trivy vulnerability scanner (SARIF)
@@ -109,6 +110,7 @@ jobs:
          format: 'sarif'
          output: 'trivy-weekly-results.sarif'
          severity: 'CRITICAL,HIGH,MEDIUM'
+          version: 'v0.69.3'

      - name: Upload Trivy results to GitHub Security
        uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
@@ -122,6 +124,7 @@ jobs:
          format: 'json'
          output: 'trivy-weekly-results.json'
          severity: 'CRITICAL,HIGH,MEDIUM,LOW'
+          version: 'v0.69.3'

      - name: Upload Trivy JSON results
        uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7