Conversation
The v0.48.0 release was removed, breaking the vulnerability-report job.
Pull request overview
Updates the GitHub Actions workflow to restore the vulnerability-report job by reintroducing a pinned Trivy CLI download and bumping it to v0.69.3.
Changes:
- Update the Trivy tarball download URL/version used in the vulnerability-report job.
- Update the corresponding tar extraction filename to match the new version.
| wget https://github.com/aquasecurity/trivy/releases/download/v0.69.3/trivy_0.69.3_Linux-64bit.tar.gz | ||
| tar zxvf trivy_0.69.3_Linux-64bit.tar.gz |
The Trivy version is duplicated in both the download URL and the tarball filename, which makes future updates error-prone (easy to bump one line and forget the other). Consider defining a single TRIVY_VERSION variable (env or shell var) and interpolating it in both commands.
| wget https://github.com/aquasecurity/trivy/releases/download/v0.69.3/trivy_0.69.3_Linux-64bit.tar.gz | |
| tar zxvf trivy_0.69.3_Linux-64bit.tar.gz | |
| TRIVY_VERSION=0.69.3 | |
| wget https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}/trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz | |
| tar zxvf trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz |
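Review bot: `TRIVY_VERSION=0.69.3` on the first line of this suggestion is a shell variable, so it is visible only inside this single `run:` step; if the vulnerability-report job needs the same version anywhere else (a checksum file name, a version print, a cache key), define it once under the job's or workflow's `env:` block instead, and keep the `v${TRIVY_VERSION}` / `${TRIVY_VERSION}` interpolation in the `wget` and `tar` lines exactly as written here.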
| wget https://github.com/aquasecurity/trivy/releases/download/v0.69.3/trivy_0.69.3_Linux-64bit.tar.gz | ||
| tar zxvf trivy_0.69.3_Linux-64bit.tar.gz |
This step downloads and executes a prebuilt Trivy binary without any integrity verification. To reduce supply-chain risk, consider verifying the release checksum/signature (e.g., SHA256SUMS + signature) before extracting/executing, or use a pinned, trusted install method (e.g., the trivy-action or package manager with version pinning).
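The two review points above (a single `TRIVY_VERSION` to pin, and checksum verification before the tarball is extracted or the binary is run) combined into one shell snippet that a `run:` step could call. This is an added example, not the project's workflow and not Copilot's suggestion; it assumes, as the Trivy GitHub releases currently do, that a `trivy_<version>_checksums.txt` file is published next to the tarballs in the `<sha256>  <filename>` layout, and that `sha256sum` and `install` from coreutils are available on the runner. The `verify_tarball` function fails closed: a missing entry in the checksum file is treated the same as a digest mismatch.

```bash
#!/usr/bin/env bash
# Added example (not the project's workflow): download a pinned Trivy release
# and verify its SHA-256 against the release checksum file before extracting.
# Assumption: the release publishes trivy_<version>_checksums.txt alongside
# the tarballs, one "<sha256>  <filename>" line per artifact.
set -eu

# One place to bump the version; reused by every file name and URL below.
TRIVY_VERSION="${TRIVY_VERSION:-0.69.3}"
TRIVY_BASE_URL="${TRIVY_BASE_URL:-https://github.com/aquasecurity/trivy/releases/download/v${TRIVY_VERSION}}"
TARBALL="trivy_${TRIVY_VERSION}_Linux-64bit.tar.gz"
CHECKSUMS="trivy_${TRIVY_VERSION}_checksums.txt"

# verify_tarball FILE CHECKSUMS_FILE
# Returns 0 only when FILE's SHA-256 equals the entry recorded for its
# basename in CHECKSUMS_FILE. A missing entry or a differing digest returns
# non-zero, so a caller under `set -e` stops before touching the archive.
verify_tarball() {
  local file="$1" sums="$2" expected
  expected="$(awk -v f="$(basename "$file")" '$2 == f { print $1 }' "$sums")"
  if [ -z "$expected" ]; then
    echo "no checksum entry for $(basename "$file") in $sums" >&2
    return 1
  fi
  # Feed a single "<sha256>  <path>" line to sha256sum -c; --status makes
  # the exit code the only output, which is what we want in CI.
  printf '%s  %s\n' "$expected" "$file" | sha256sum -c --status -
}

# install_trivy [DEST_DIR]
# Fetches the tarball and its checksum file, verifies, then extracts only the
# `trivy` binary and installs it into DEST_DIR (default /usr/local/bin).
install_trivy() {
  local dest="${1:-/usr/local/bin}"
  wget -q "${TRIVY_BASE_URL}/${TARBALL}" "${TRIVY_BASE_URL}/${CHECKSUMS}"
  verify_tarball "$TARBALL" "$CHECKSUMS"
  tar -xzf "$TARBALL" trivy
  install -m 0755 trivy "${dest}/trivy"
  "${dest}/trivy" --version
}

# Network access is only exercised when explicitly requested, so the
# verification logic can be sourced and tested offline.
if [ "${TRIVY_INSTALL:-0}" = "1" ]; then
  install_trivy "${TRIVY_DEST:-/usr/local/bin}"
fi
```

In the workflow this replaces the two-line `wget` / `tar zxvf` step with `TRIVY_INSTALL=1 bash install-trivy.sh` (or the same body inline in `run:`), with `TRIVY_VERSION` set once in the job's `env:` block. Verifying against the checksum file defends against a corrupted or substituted tarball; it does not by itself prove the checksum file is authentic, which is what the release signature check mentioned in the comment above adds on top.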
The hardcoded trivy v0.48.0 download was removed, breaking the vulnerability-report job. Updated to v0.69.3 (latest).