Pin trivy

.github/workflows/ci.yml

@@ -48,7 +48,9 @@ jobs:
             DOCKER_REGISTRY_IMAGE: "temporary-build-image-linux-amd64"
 
       -   name: Run Alpine Trivy vulnerability scanner
-          uses: aquasecurity/trivy-action@master
+          uses: aquasecurity/trivy-action@0.24.0
+          env:
+            TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
           with:
             image-ref: php-${{ env.PHP_VERSION }}
             format: 'table'
@@ -59,7 +61,9 @@ jobs:
 
       -   if: contains(github.ref, 'refs/heads/release/')
           name: Run Alpine Trivy vulnerability scanner and upload to github security tab
-          uses: aquasecurity/trivy-action@master
+          uses: aquasecurity/trivy-action@0.24.0
+          env:
+            TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
           with:
             image-ref: php-${{ env.PHP_VERSION }}
             format: 'sarif'
@@ -73,7 +77,9 @@ jobs:
 #
       -   if: contains(github.ref, 'refs/heads/release/')
           name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
-          uses: aquasecurity/trivy-action@master
+          uses: aquasecurity/trivy-action@0.24.0
+          env:
+            TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
           with:
             format: 'github'
             output: 'dependency-results.sbom.json'