From 6389e1259324011553b41178fd763d8ef8513de0 Mon Sep 17 00:00:00 2001
From: artemry-nv
Date: Mon, 23 Mar 2026 13:08:55 -0700
Subject: [PATCH] ci: pin trivy-action to safe SHA to mitigate supply chain attack

Pin all aquasecurity/trivy-action references from @master to @57a97c7e7821a5776cebc9bb87c984fa69cba8f1 (v0.35.0) in response to active cybersecurity campaign targeting Trivy (GHSA-69fq-xp46-6x23).
---
 .github/workflows/call-build-images.yaml | 2 +-
 .github/workflows/cron-trivy.yaml | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/call-build-images.yaml b/.github/workflows/call-build-images.yaml
index 21db28d1054..d7db8699f28 100644
--- a/.github/workflows/call-build-images.yaml
+++ b/.github/workflows/call-build-images.yaml
@@ -304,7 +304,7 @@ jobs:
 password: ${{ secrets.token }}
 - name: Trivy - multi-arch
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 (pinned for CVE GHSA-69fq-xp46-6x23)
 with:
 image-ref: "${{ inputs.registry }}/${{ inputs.image }}:${{ inputs.version }}"
 format: "table"
diff --git a/.github/workflows/cron-trivy.yaml b/.github/workflows/cron-trivy.yaml
index 92545149176..ab1587e747c 100644
--- a/.github/workflows/cron-trivy.yaml
+++ b/.github/workflows/cron-trivy.yaml
@@ -52,7 +52,7 @@ jobs:
 # Deliberately chosen master here to keep up-to-date.
 - name: Run Trivy vulnerability scanner for any major issues
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 (pinned for CVE GHSA-69fq-xp46-6x23)
 with:
 image-ref: local/fluent-bit:${{ matrix.local_tag }}
 # Filter out any that have no current fix.
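Review bot: The trailing comment on the new `uses:` line calls GHSA-69fq-xp46-6x23 a CVE, but a GHSA identifier is a GitHub Security Advisory id, not a CVE id, so anyone cross-referencing the pin against a CVE feed or grepping the repo for "CVE" will be misled; the same comment is repeated on the new `uses:` line in both cron-trivy.yaml hunks. Suggest `# v0.35.0 (pinned; see GHSA-69fq-xp46-6x23)` in all three places. Also worth stating in that comment what the pin does and does not cover: the commit pins the action wrapper code, and if I recall the action's inputs correctly the Trivy binary it installs is selected separately by its `version` input, so holding the scanner itself at a known-good release would need that input set as well (hedged — confirm against the action's action.yml at the pinned commit). The enclosing job and step list start outside the hunk.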
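Review bot: The context comment `# Deliberately chosen master here to keep up-to-date.` directly above the step in cron-trivy.yaml now contradicts the pinned commit SHA on the next line, and the commit leaves it in place, so the next reader is told the opposite of what the step does. Replace it with something like `# Pinned to a release commit rather than master; bump deliberately (see GHSA-69fq-xp46-6x23).` so the intent survives the next edit. Since the pin is meant to replace the "always latest" behaviour, it would also help to note in that comment how the pin is expected to be refreshed (manually, or by whatever automated action-update tooling the repository uses), otherwise it will quietly rot. The enclosing job starts outside the hunk.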
@@ -66,7 +66,7 @@ jobs:
 # Show all detected issues.
 # Note this will show a lot more, including major un-fixed ones.
 - name: Run Trivy vulnerability scanner for local output
- uses: aquasecurity/trivy-action@master
+ uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 (pinned for CVE GHSA-69fq-xp46-6x23)
 with:
 image-ref: local/fluent-bit:${{ matrix.local_tag }}
 format: table