
chore: use sha for trivy action - BED-7560#198

Open
mykeelium wants to merge 1 commit into 2.X from BED-7560

Conversation

@mykeelium (Contributor) commented Mar 2, 2026

Description

Using sha for trivy action

Motivation and Context

Resolves: BED-7560

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

  • Chores
    • Updated vulnerability scanning workflow configuration to pin dependencies to specific versions, enhancing supply chain security practices and ensuring consistent security analysis across builds.

@mykeelium mykeelium self-assigned this Mar 2, 2026
@mykeelium mykeelium added the enhancement New feature or request label Mar 2, 2026
coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 2bd0237 and 4784050.

📒 Files selected for processing (1)
  • .github/workflows/vuln-scan.yml

Walkthrough

The vulnerability scan workflow was updated to pin the Trivy action to a specific commit hash (97e0b3872f55f89b95b2f65b3dbab56962816478) instead of using a version tag (0.34.2). All other workflow configuration parameters remain unchanged.

Changes

  • Vulnerability Scan Workflow (.github/workflows/vuln-scan.yml): Pinned aquasecurity/trivy-action to a specific commit hash for reproducibility instead of relying on a version tag.
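The point of this PR is that a version tag such as `0.34.2` is a mutable pointer (the action's maintainers, or anyone who gains write access to the repository, can move it to different code), whereas a full 40-character commit SHA names exactly one revision. As an added example, not the project's own code or its real `.github/workflows/vuln-scan.yml`, the script below scans a constructed workflow snippet for `uses:` references that are not pinned to a full commit SHA and shows the kind of rewrite this PR makes on the Trivy step. The sample workflow text and the trailing `# 0.34.2` comment convention are assumptions; the tag and SHA values are the ones reported on this page.

```python
import re

# Constructed sample workflow (not the project's real vuln-scan.yml). The tag
# 0.34.2 and the commit SHA are the values this PR page reports for trivy-action.
SAMPLE_WORKFLOW = """\
name: vuln-scan
on: [push]
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run Trivy (before this PR)
        uses: aquasecurity/trivy-action@0.34.2
      - name: Run Trivy (after this PR)
        uses: aquasecurity/trivy-action@97e0b3872f55f89b95b2f65b3dbab56962816478 # 0.34.2
      - name: Local composite action
        uses: ./.github/actions/local
      - uses: docker://alpine:3.20
"""

# Matches a `uses:` step line and captures the reference up to whitespace or a comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*([^\s#]+)')
# Only a full 40-hex commit id counts as pinned; abbreviated SHAs are rejected.
FULL_SHA_RE = re.compile(r'^[0-9a-f]{40}$')


def classify_uses(ref):
    """Return 'sha', 'tag', 'local' or 'unversioned' for one `uses:` reference."""
    if ref.startswith('./'):
        return 'local'  # lives in this repository, reviewed with the rest of the code
    if ref.startswith('docker://'):
        return 'sha' if '@sha256:' in ref else 'tag'  # image digest vs. mutable image tag
    if '@' not in ref:
        return 'unversioned'
    _, version = ref.rsplit('@', 1)
    return 'sha' if FULL_SHA_RE.match(version) else 'tag'


def find_unpinned(workflow_text):
    """Return (line_no, ref, kind) for every `uses:` that is not pinned to a full SHA."""
    findings = []
    for line_no, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        kind = classify_uses(ref)
        if kind in ('tag', 'unversioned'):
            findings.append((line_no, ref, kind))
    return findings


def pin_line(line, sha):
    """Rewrite a tag-pinned `uses:` line to the given commit SHA, keeping the old
    tag as a trailing comment (assumed convention) so the version stays readable."""
    if not FULL_SHA_RE.match(sha):
        raise ValueError('expected a full 40-hex commit SHA')
    m = USES_RE.match(line)
    if not m:
        return line
    ref = m.group(1)
    if ref.startswith('docker://') or classify_uses(ref) not in ('tag', 'unversioned'):
        return line  # image digests are resolved against a registry; not handled here
    if '@' in ref:
        owner_repo, old = ref.rsplit('@', 1)
        replacement = f'{owner_repo}@{sha} # {old}'
    else:
        replacement = f'{ref}@{sha}'
    start, end = m.span(1)
    return f'{line[:start]}{replacement}{line[end:]}'


if __name__ == '__main__':
    for line_no, ref, kind in find_unpinned(SAMPLE_WORKFLOW):
        print(f'line {line_no}: {ref} is pinned to a {kind} reference, not a commit SHA')
```

Run as a script, it reports the `actions/checkout@v4` step, the pre-PR `trivy-action@0.34.2` step and the `docker://alpine:3.20` image as unpinned, and leaves the SHA-pinned Trivy step and the local action alone. The cost of SHA pinning is that the reference no longer self-describes its version, which is why the tag is kept as a comment; Dependabot reads that comment format and can keep SHA-pinned actions updated.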

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~2 minutes

Possibly related PRs

Suggested reviewers

  • zinic

Poem

🐰 A hash so long, a promise so clear,
No floating tags to cause us fear!
From 0.34.2 we now depart,
Pinned to a commit, that's the smart way to start.
Security's burrow grows ever deep! ✨

🚥 Pre-merge checks: 3 passed

  • Title check (Passed): The title clearly describes the main change: updating the Trivy action to use a SHA hash instead of a tag version.
  • Description check (Passed): The description covers required sections (Description, Motivation/Context, Types of changes) but lacks testing details and leaves testing-related checklist items unchecked.
  • Docstring Coverage (Passed): No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

