From 7a3cc53acf344d4e6d7a8e7a530de1a24ae14163 Mon Sep 17 00:00:00 2001
From: David Neal
Date: Thu, 26 Feb 2026 13:27:35 -0500
Subject: [PATCH] ci: fix Trivy DB download failure by pinning action and using ghcr.io

The mirror.gcr.io registry was returning 404 for the Trivy vulnerability DB artifact, breaking the Docker image scan job. Pin trivy-action to v0.28.0 and explicitly set TRIVY_DB_REPOSITORY to the primary ghcr.io source.

Co-Authored-By: Claude Opus 4.6
---
 .github/workflows/security.yml | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index f155e31..94ed4fb 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -111,12 +111,14 @@ jobs:
       cache-to: type=gha,mode=max
 
     - name: Run Trivy vulnerability scanner
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@0.28.0
       with:
         image-ref: 'core-exchange-${{ matrix.service }}:scan'
         format: 'sarif'
         output: 'trivy-results-${{ matrix.service }}.sarif'
         severity: 'CRITICAL,HIGH'
+      env:
+        TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db:2'
 
     - name: Upload Trivy scan results
       uses: github/codeql-action/upload-sarif@v4
@@ -125,8 +127,10 @@ jobs:
         sarif_file: 'trivy-results-${{ matrix.service }}.sarif'
 
     - name: Trivy summary
-      uses: aquasecurity/trivy-action@master
+      uses: aquasecurity/trivy-action@0.28.0
       with:
         image-ref: 'core-exchange-${{ matrix.service }}:scan'
         format: 'table'
         severity: 'CRITICAL,HIGH,MEDIUM'
+      env:
+        TRIVY_DB_REPOSITORY: 'ghcr.io/aquasecurity/trivy-db:2'
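Review bot: The new `uses: aquasecurity/trivy-action@0.28.0` lines in this hunk and in the `Trivy summary` hunk pin to a tag, which the upstream repository can still move or delete; for a step that decides whether a security scan passes, the stronger supply-chain control is the full commit SHA with the version kept as a trailing comment, `uses: aquasecurity/trivy-action@<full-commit-sha-for-0.28.0> # 0.28.0`, which Dependabot can still track. The added `TRIVY_DB_REPOSITORY` env block is duplicated verbatim across the two steps; a single job-level `env:` (outside this hunk) would keep them from drifting apart when the DB source is changed again. Pointing straight at ghcr.io also means the DB pull is subject to that registry's anonymous pull limits, which is presumably why a mirror is the default, so an intermittent pull failure there will surface as the same job failure this commit is fixing; if the scanned images contain Java artifacts, the Java DB is fetched from the same default mirror and would presumably need `TRIVY_JAVA_DB_REPOSITORY` set alongside it, which is worth confirming against the Trivy docs for the version bundled with 0.28.0. The enclosing job and its `steps:` list begin outside both hunks.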