3030 runs-on : ubuntu-22.04
3131 steps :
3232 - name : Checkout
33- uses : actions/checkout@v4
34-
33+ uses : actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
3534 - name : Run Trivy in config mode for deployments
36- uses : aquasecurity/trivy-action@master
35+ uses : aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
3736 with :
3837 scan-type : config
3938 scan-ref : deployments/
4948 runs-on : ubuntu-22.04
5049 steps :
5150 - name : Checkout
52- uses : actions/checkout@v4
53-
51+ uses : actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
5452 - name : Run Trivy in config mode for dockerfiles
55- uses : aquasecurity/trivy-action@master
53+ uses : aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
5654 with :
5755 scan-type : config
5856 scan-ref : build/docker/
6462 name : Scan licenses
6563 steps :
6664 - name : Checkout
67- uses : actions/checkout@v4
68-
65+ uses : actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
6966 - name : Run Trivy in fs mode
70- uses : aquasecurity/trivy-action@master
67+ uses : aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
7168 with :
7269 scan-type : fs
7370 scan-ref : .
@@ -78,53 +75,47 @@ jobs:
7875 trivy-scan-vulns :
7976 permissions :
8077 security-events : write
81-
8278 runs-on : ubuntu-22.04
8379 name : Scan vulnerabilities
8480 steps :
8581 - name : Checkout
86- uses : actions/checkout@v4
87-
82+ uses : actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4
8883 - name : Run Trivy in fs mode
8984 continue-on-error : true
90- uses : aquasecurity/trivy-action@master
85+ uses : aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
9186 with :
9287 scan-type : fs
9388 scan-ref : .
9489 exit-code : 1
9590 list-all-pkgs : true
9691 format : json
9792 output : trivy-report.json
98-
9993 - name : Show report in human-readable format
100- uses : aquasecurity/trivy-action@master
94+ uses : aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
10195 with :
10296 scan-type : convert
10397 vuln-type : ' '
10498 severity : ' '
10599 image-ref : trivy-report.json
106100 format : table
107-
108101 - name : Convert report to sarif
109102 if : ${{ inputs.upload-to-github-security-tab }}
110- uses : aquasecurity/trivy-action@master
103+ uses : aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
111104 with :
112105 scan-type : convert
113106 vuln-type : ' '
114107 severity : ' '
115108 image-ref : trivy-report.json
116109 format : sarif
117110 output : trivy-report.sarif
118-
119111 - name : Upload sarif report to GitHub Security tab
120112 if : ${{ inputs.upload-to-github-security-tab }}
121- uses : github/codeql-action/upload-sarif@v3
113+ uses : github/codeql-action/upload-sarif@71ace48453080e924b22589f0c397bedde464d78 # v3
122114 with :
123- sarif_file : trivy-report.sarif
124-
115+ sarif_file : trivy-report.sarif
125116 - name : Convert report to csv
126117 if : ${{ inputs.export-csv }}
127- uses : aquasecurity/trivy-action@master
118+ uses : aquasecurity/trivy-action@fd25fed6972e341ff0007ddb61f77e88103953c2 # 0.21.0
128119 with :
129120 scan-type : convert
130121 vuln-type : ' '
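Review bot: The trailing comments on the newly pinned `uses:` lines in this hunk name a moving major tag (`# v4` on actions/checkout, `# v3` on github/codeql-action/upload-sarif) rather than the exact release the commit SHA belongs to. A reader therefore cannot check the pin against a published release, and an update bot has no precise version to rewrite. Record the full release tag beside each SHA, as the `# 0.21.0` comment on trivy-action already does, e.g. `uses: actions/checkout@a5ac7e51b41094c92402da3b24376905380afc29 # v4.x.y` with the real patch version filled in. The same applies to the checkout pins in the earlier jobs and to the actions/upload-artifact pin in the last hunk. Nothing visible on this page shows how the pins get refreshed; if the repository has no Dependabot or Renovate rule for GitHub Actions, the workflow will stay on these SHAs, including the 0.21.0 scanner, until someone bumps them by hand.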
@@ -133,10 +124,9 @@ jobs:
133124 format : template
134125 template : " @.github/workflows/template/trivy-csv.tpl"
135126 output : trivy-report.csv
136-
137127 - name : Upload CSV report as an artifact
138128 if : ${{ inputs.export-csv }}
139- uses : actions/upload-artifact@v4
129+ uses : actions/upload-artifact@65462800fd760344b1a7b4382951275a0abb4808 # v4
140130 with :
141131 name : trivy-report
142- path : trivy-report.csv
132+ path : trivy-report.csv