fix: pin Trivy binary version to v0.69.3 in all CI workflows

GitHub Actions
2026-03-05 13:04:33 +00:00
parent 924b8227b5
commit 8c7a55eaa2
3 changed files with 8 additions and 0 deletions


@@ -99,6 +99,7 @@ jobs:
format: 'table'
severity: 'CRITICAL,HIGH'
exit-code: '1' # Fail workflow if vulnerabilities found
version: 'v0.69.3'
continue-on-error: true
- name: Run Trivy vulnerability scanner (SARIF)
@@ -109,6 +110,7 @@ jobs:
format: 'sarif'
output: 'trivy-weekly-results.sarif'
severity: 'CRITICAL,HIGH,MEDIUM'
version: 'v0.69.3'
- name: Upload Trivy results to GitHub Security
uses: github/codeql-action/upload-sarif@c793b717bc78562f491db7b0e93a3a178b099162 # v4.32.5
@@ -122,6 +124,7 @@ jobs:
format: 'json'
output: 'trivy-weekly-results.json'
severity: 'CRITICAL,HIGH,MEDIUM,LOW'
version: 'v0.69.3'
- name: Upload Trivy JSON results
uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7
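Review bot: The `version: 'v0.69.3'` input is added as a repeated literal in all three Trivy steps of this file (table, SARIF and JSON), and the diffstat suggests the same string is presumably copied into the other two workflows as well, so a later bump that misses one step would leave scans running different scanner versions. Defining it once per workflow, for example `env: { TRIVY_VERSION: 'v0.69.3' }` at the top and `version: ${{ env.TRIVY_VERSION }}` in each step, keeps them in lockstep. The pin is a release tag rather than a digest, unlike the commit-SHA pins on `upload-sarif` and `upload-artifact` in the same hunks; the Trivy action's own `uses:` line is outside the visible hunks, so confirm it is SHA-pinned too, since that action is what fetches the binary. A fixed scanner version also stops moving on its own, so a short comment saying why v0.69.3 was chosen, plus coverage by whatever automation bumps the SHA pins, would keep it from going stale. Separately, in the first hunk the comment on `exit-code: '1'` says the workflow fails on findings, but `continue-on-error: true` appears to sit on the same step, so that scan does not gate anything; the comment or the flag should be corrected.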