From 626f933ffbfbf17ae6db1d6291ac94e691912112 Mon Sep 17 00:00:00 2001
From: en-jschuetze <126695184+en-jschuetze@users.noreply.github.com>
Date: Mon, 4 Nov 2024 12:53:08 +0100
Subject: [PATCH] Pin trivy

---
 .github/workflows/ci.yml | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index bd795a0..7858fe2 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -48,7 +48,9 @@ jobs:
           DOCKER_REGISTRY_IMAGE: "temporary-build-image-linux-amd64"
 
       - name: Run Alpine Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
         with:
           image-ref: php-${{ env.PHP_VERSION }}
           format: 'table'
@@ -59,7 +61,9 @@ jobs:
 
       - if: contains(github.ref, 'refs/heads/release/')
         name: Run Alpine Trivy vulnerability scanner and upload to github security tab
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
         with:
           image-ref: php-${{ env.PHP_VERSION }}
           format: 'sarif'
@@ -73,7 +77,9 @@ jobs:
 
       # - if: contains(github.ref, 'refs/heads/release/')
         name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@0.24.0
+        env:
+          TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2
         with:
           format: 'github'
           output: 'dependency-results.sbom.json'
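Review bot: `uses: aquasecurity/trivy-action@0.24.0` on the new side of this hunk pins to a release tag, which is still a mutable git ref — whoever controls the action repository (or compromises it) can re-point `0.24.0` and every run of this workflow would execute the replaced code with no change on our side, the same exposure that `@master` had. Pin to the full 40-character commit SHA that the 0.24.0 tag currently resolves to and keep the version as a trailing comment, in the form `uses: aquasecurity/trivy-action@<full-commit-sha> # 0.24.0`, so Dependabot can still propose bumps. This is the form GitHub's action-hardening guidance recommends for third-party actions and is the only pin that is actually immutable; the same change applies to the two later hunks. The step's `with:` block continues past the end of this hunk.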
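Review bot: The `env:` / `TRIVY_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-db:2` pair added here is repeated verbatim in all three Trivy steps; a single job-level `env:` entry (the job's header lies outside these hunks) would set it once and keep the three scanners from drifting apart when the mirror or DB tag changes. Note that `:2` is a database schema tag, not a snapshot, so the vulnerability DB is still whatever the registry serves at run time — presumably the intent is only to pull from Aqua's ECR mirror instead of ghcr.io, not to freeze results; a one-line comment such as `# Vulnerability DB is pulled at run time; ECR mirror used instead of ghcr.io` above the env block would stop the next reader from mistaking this for a pin. The SARIF step's `with:` block continues past the end of this hunk.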
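Review bot: In this hunk's context the `# - if: contains(github.ref, 'refs/heads/release/')` line is commented out, but the following `name:` line carries no `- ` list marker, so as printed the `name:`/`uses:`/`env:`/`with:` keys would attach to the previous step's mapping and `name` would be a duplicate key rather than the start of a separate SBOM step. The original indentation was lost in this copy of the patch, so this may be a rendering artefact; confirm the step parses as its own list item (a run of actionlint, or a workflow run on a branch, will tell). If it is real, the fix is to restore the marker, `- name: Run Trivy in GitHub SBOM mode and submit results to Dependency Snapshots`, and either drop the stale `if:` comment or move it below the marker. The step's `with:` block continues past the end of the hunk.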