diff --git a/.github/workflows/call-build-images.yaml b/.github/workflows/call-build-images.yaml
index 21db28d1054..d7db8699f28 100644
--- a/.github/workflows/call-build-images.yaml
+++ b/.github/workflows/call-build-images.yaml
@@ -304,7 +304,7 @@ jobs:
 password: ${{ secrets.token }}
 - name: Trivy - multi-arch
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 (pinned for CVE GHSA-69fq-xp46-6x23)
 with:
 image-ref: "${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}"
 format: "table"
diff --git a/.github/workflows/cron-trivy.yaml b/.github/workflows/cron-trivy.yaml
index 92545149176..ab1587e747c 100644
--- a/.github/workflows/cron-trivy.yaml
+++ b/.github/workflows/cron-trivy.yaml
@@ -52,7 +52,7 @@ jobs:
 # Deliberately chosen master here to keep up-to-date.
 - name: Run Trivy vulnerability scanner for any major issues
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 (pinned for CVE GHSA-69fq-xp46-6x23)
 with:
 image-ref: local/fluent-bit:${{ matrix.local_tag }}
 # Filter out any that have no current fix.
@@ -66,7 +66,7 @@ jobs:
 # Show all detected issues.
 # Note this will show a lot more, including major un-fixed ones.
 - name: Run Trivy vulnerability scanner for local output
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 (pinned for CVE GHSA-69fq-xp46-6x23)
 with:
 image-ref: local/fluent-bit:${{ matrix.local_tag }}
 format: table
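Review bot: The trailing comment on the added `uses:` line in call-build-images.yaml labels the advisory as a CVE, but `GHSA-69fq-xp46-6x23` is a GitHub Security Advisory identifier, not a CVE number; the same wording is repeated on the added lines of both cron-trivy.yaml hunks. Suggest `# v0.35.0 (pinned; see GHSA-69fq-xp46-6x23)` in all three places. That comment is also the only thing in the diff tying the SHA to v0.35.0, so a reviewer should confirm the `v0.35.0` tag resolves to `57a97c7e7821a5776cebc9bb87c984fa69cba8f1` before merging, since a mismatch would not be caught by the workflow itself. Moving from `@master` to a SHA removes the automatic updates the branch ref gave, so the pin will need to be bumped deliberately; if the repository runs Dependabot or Renovate for actions, the `# vX.Y.Z` comment form is presumably what those tools use to track the pin, so it is worth keeping in exactly that shape.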
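Review bot: The context comment `# Deliberately chosen master here to keep up-to-date.` directly above the changed `uses:` line in the `@@ -52,7 +52,7 @@` hunk of cron-trivy.yaml now contradicts the pin, since the step no longer tracks master, and a later maintainer reading it may "fix" the pin back to a branch ref. It should be rewritten in the same commit, e.g. `# Pinned to a release SHA rather than master; bump the pin deliberately and keep the version comment in sync.` The `@@ -66,7 +66,7 @@` hunk in the same file has no such comment, so no change is needed there beyond the wording point raised on the first file.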