Skip to content

ci: pin trivy-action to safe SHA to mitigate supply chain attack#11612

Open
artemry-nv wants to merge 1 commit intofluent:masterfrom
Mellanox:fix/pin-trivy-action-safe-sha
Open

ci: pin trivy-action to safe SHA to mitigate supply chain attack#11612
artemry-nv wants to merge 1 commit intofluent:masterfrom
Mellanox:fix/pin-trivy-action-safe-sha

Conversation

@artemry-nv
Copy link

@artemry-nv artemry-nv commented Mar 23, 2026
edited by coderabbitai bot
Loading

Pin all aquasecurity/trivy-action references from @master to @57a97c7e7821a5776cebc9bb87c984fa69cba8f1 (v0.35.0) in response to active cybersecurity campaign targeting Trivy (GHSA-69fq-xp46-6x23).

Enter [N/A] in the box, if an item is not applicable to your change.

Testing
Before we can approve your change; please submit the following in a comment:

  • [N/A] Example configuration file for the change
  • [N/A] Debug log output from testing the change
  • [N/A] Attached Valgrind output that shows no leaks or memory corruption was found

If this is a change to packaging of containers or native binaries then please confirm it works for all targets.

  • Run local packaging test showing all targets (including any new ones) build.
  • Set ok-package-test label to test for all targets (requires maintainer to do).

Documentation

  • [N/A] Documentation required for this feature

Backporting

  • Backport to latest stable release.

Fluent Bit is licensed under Apache 2.0, by submitting this pull request I understand that this code will be released under the terms of that license.

Summary by CodeRabbit

  • Chores
    • Pinned Trivy scanning GitHub Action to v0.35.0 across multiple build workflows for improved CI/CD stability and consistency.

@artemry-nv
ci: pin trivy-action to safe SHA to mitigate supply chain attack
6389e12 
Pin all aquasecurity/trivy-action references from @master to
@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 (v0.35.0) in response to
active cybersecurity campaign targeting Trivy (GHSA-69fq-xp46-6x23).
@coderabbitai
Copy link

coderabbitai bot commented Mar 23, 2026
edited
Loading

📝 Walkthrough

Walkthrough

Two GitHub Actions workflow files update Trivy security scanning steps by pinning the aquasecurity/trivy-action reference from master to a specific commit SHA (57a97c7e7821a5776cebc9bb87c984fa69cba8f1, annotated as v0.35.0), addressing a documented CVE.

Changes

Cohort / File(s) Summary
Trivy Action Pinning
.github/workflows/call-build-images.yaml, .github/workflows/cron-trivy.yaml		 Pinned aquasecurity/trivy-action from moving master branch reference to fixed commit SHA 57a97c7e7821a5776cebc9bb87c984fa69cba8f1 (v0.35.0) across three scan steps to mitigate security risk. All scan parameters and workflow logic remain unchanged.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related issues

Possibly related PRs

Suggested labels

ci, security

Suggested reviewers

  • niedbalski
  • celalettin1286

Poem

🐰 A version floats wild, untethered and free,
But we pin it down tight for security,
Master no more—commit SHA's our key,
Safe scanning with Trivy, as secure as can be! 🔒

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately and concisely summarizes the main change: pinning trivy-action to a specific SHA to address a supply chain attack vulnerability.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

Important

Merge conflicts detected (Beta)

  • Resolve merge conflict in branch fix/pin-trivy-action-safe-sha
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands and usage tips.

coderabbitai[bot]
coderabbitai bot reviewed Mar 23, 2026
View reviewed changes
Copy link

@coderabbitai coderabbitai bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🧹 Nitpick comments (1)
.github/workflows/cron-trivy.yaml (1)

53-55: Stale comment should be updated.

The comment on line 53 stating "Deliberately chosen master here to keep up-to-date" is now outdated since the action is pinned to a specific SHA. Consider updating or removing this comment to reflect the new pinning strategy and avoid confusion for future maintainers.

📝 Suggested comment update 
-      # Deliberately chosen master here to keep up-to-date.
+      # Pinned to specific SHA for supply chain security (CVE GHSA-69fq-xp46-6x23).
+      # Review and update periodically to newer safe versions.
       - name: Run Trivy vulnerability scanner for any major issues
         uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0 (pinned for CVE GHSA-69fq-xp46-6x23)
🤖 Prompt for AI Agents 
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/cron-trivy.yaml around lines 53 - 55, Update the outdated
inline comment "Deliberately chosen master here to keep up-to-date" (above the
uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1) to
reflect that the action is pinned to a specific SHA, or remove it entirely; find
the comment near the uses: line in cron-trivy.yaml and either replace the text
with a concise note about the intentional SHA pin (e.g., "Pinned to specific SHA
for reproducible scans and CVE workaround") or delete the comment to avoid
confusion for future maintainers.
🤖 Prompt for all review comments with AI agents 
Verify each finding against the current code and only fix it if needed.

Nitpick comments:
In @.github/workflows/cron-trivy.yaml:
- Around line 53-55: Update the outdated inline comment "Deliberately chosen
master here to keep up-to-date" (above the uses:
aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1) to reflect
that the action is pinned to a specific SHA, or remove it entirely; find the
comment near the uses: line in cron-trivy.yaml and either replace the text with
a concise note about the intentional SHA pin (e.g., "Pinned to specific SHA for
reproducible scans and CVE workaround") or delete the comment to avoid confusion
for future maintainers.
ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d381b605-94bf-42d5-a2b5-d4179770e858

📥 Commits

Reviewing files that changed from the base of the PR and between e14698d and 6389e12.

📒 Files selected for processing (2)
  • .github/workflows/call-build-images.yaml
  • .github/workflows/cron-trivy.yaml

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@coderabbitai coderabbitai[bot] coderabbitai[bot] left review comments

@niedbalski niedbalski Awaiting requested review from niedbalski niedbalski is a code owner

@patrick-stephens patrick-stephens Awaiting requested review from patrick-stephens patrick-stephens is a code owner

@celalettin1286 celalettin1286 Awaiting requested review from celalettin1286 celalettin1286 is a code owner

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

docs-required

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@artemry-nv