Bump aquasecurity/trivy-action from 0.33.1 to 0.35.0#401
Bump aquasecurity/trivy-action from 0.33.1 to 0.35.0#401dependabot[bot] wants to merge 1 commit into
Conversation
Bumps [aquasecurity/trivy-action](https://github.com/aquasecurity/trivy-action) from 0.33.1 to 0.35.0. - [Release notes](https://github.com/aquasecurity/trivy-action/releases) - [Commits](aquasecurity/trivy-action@0.33.1...0.35.0) --- updated-dependencies: - dependency-name: aquasecurity/trivy-action dependency-version: 0.35.0 dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com>
dependabot
Bot
added
dependencies
dependabot
Bot
added
dependencies
WalkthroughUpdated the Trivy vulnerability scanning GitHub Actions step in the image build workflow to use version 0.35.0 instead of 0.33.1. All input parameters and the SARIF upload step remain unchanged. Changes
Estimated code review effort🎯 2 (Simple) | ⏱️ ~5 minutes ✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: dependabot[bot] The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
openshift-ci
Bot
added
the
needs-ok-to-test
|
Hi @dependabot[bot]. Thanks for your PR. I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the I understand the commands that are listed here. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. |
![coderabbitai[bot]](https://avatars.githubusercontent.com/in/347564?s=60&v=4){kind=small}
There was a problem hiding this comment.
🧹 Nitpick comments (1)
.github/workflows/image-build.yml (1)
23-23: Pintrivy-actionto commit SHA for supply-chain security.Tag-based references like
@0.35.0are mutable and can be retargeted by compromised repositories. Pinning to a commit SHA ensures immutability. Per GitHub security best practices, this is the recommended approach.Suggested change
- uses: aquasecurity/trivy-action@0.35.0 + uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed. In @.github/workflows/image-build.yml at line 23, The workflow currently references the Trivy action by tag ("uses: aquasecurity/trivy-action@0.35.0"), which is mutable; replace that tag with the action's immutable commit SHA (e.g., "uses: aquasecurity/trivy-action@<commit-sha>") to pin the action to a specific commit; locate the "uses: aquasecurity/trivy-action@0.35.0" line in the workflow and update it to the corresponding commit SHA from the aquasecurity/trivy-action repository (obtain the SHA from the repo's tag or commit history) so the workflow uses an immutable reference.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.
Nitpick comments:
In @.github/workflows/image-build.yml:
- Line 23: The workflow currently references the Trivy action by tag ("uses:
aquasecurity/trivy-action@0.35.0"), which is mutable; replace that tag with the
action's immutable commit SHA (e.g., "uses:
aquasecurity/trivy-action@<commit-sha>") to pin the action to a specific commit;
locate the "uses: aquasecurity/trivy-action@0.35.0" line in the workflow and
update it to the corresponding commit SHA from the aquasecurity/trivy-action
repository (obtain the SHA from the repo's tag or commit history) so the
workflow uses an immutable reference.
ℹ️ Review info
⚙️ Run configuration
Configuration used: Organization UI
Review profile: CHILL
Plan: Pro
Run ID: 528253d3-e7f3-4fbc-b68f-6f11c8247b56
📒 Files selected for processing (1)
.github/workflows/image-build.yml
Bumps aquasecurity/trivy-action from 0.33.1 to 0.35.0.
Release notes
Sourced from aquasecurity/trivy-action's releases.
Commits
Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting
@dependabot rebase.Dependabot commands and options
You can trigger Dependabot actions by commenting on this PR:
@dependabot rebasewill rebase this PR@dependabot recreatewill recreate this PR, overwriting any edits that have been made to it@dependabot show <dependency name> ignore conditionswill show all of the ignore conditions of the specified dependency@dependabot ignore this major versionwill close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this minor versionwill close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)@dependabot ignore this dependencywill close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)