
ci: pin Trivy binary version to v0.70.0#681

Merged
david-waltermire merged 1 commit into metaschema-framework:develop from david-waltermire:fix/trivy-version-pin
Apr 19, 2026

Conversation

Contributor

@david-waltermire david-waltermire commented Apr 19, 2026

Summary

Pin the Trivy binary version to `v0.70.0` to fix flaky CI failures on the "Run Trivy security scanner" step.

Root cause

`aquasecurity/trivy-action` delegates binary installation to `aquasecurity/setup-trivy`. When no `version` input is provided, setup-trivy auto-detects the latest Trivy tag. It currently resolves `v0.69.1`, but no `trivy_0.69.1_Linux-64bit.tar.gz` was ever published — the download URL returns HTTP 404. The installer fails silently with exit code 1, blocking CI on most PRs (e.g. #672, #679).

Fix

Explicitly set `version: v0.70.0`, which has published binaries. Dependabot will continue to surface action updates and can bump this pin in lockstep when appropriate.

Test Plan

  • CI's Trivy step installs successfully and produces `trivy-results.sarif`.

Summary by CodeRabbit

  • Chores
    • Updated build workflow configuration to specify a fixed version for security scanning, ensuring consistent and reproducible builds across environments.

The trivy-action pinned in build.yml delegates binary installation to
setup-trivy, which auto-detects the latest Trivy tag. That currently
resolves to v0.69.1, for which no Linux-64bit binary was published
(the release download returns HTTP 404). setup-trivy then fails the
scan step with exit code 1, blocking CI on most PRs.

Explicitly pin to v0.70.0 so the installer targets a known-good binary.
Dependabot will continue to surface Trivy action updates, which can
bump this pin in lockstep when appropriate.
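The failure described above is a version pin (auto-detected or explicit) whose release asset was never published. The shell helper below is an added example, not code from this PR or from the metaschema-framework project: it builds the download URL that setup-trivy would fetch for a given Trivy version and probes it with a HEAD request, so a pin can be checked before it is committed to the workflow. The asset naming pattern `trivy_<version>_Linux-64bit.tar.gz` is taken from the PR description; the `releases/download/<tag>/<asset>` URL layout is GitHub's standard one for release assets; the function names and the `TRIVY_PIN_CHECK` environment variable are assumptions made for this example.

```shell
#!/bin/sh
# check-trivy-pin.sh (assumed filename): verify that the Linux-64bit release
# asset for a Trivy version exists before pinning it in CI. Added example,
# not part of the metaschema-framework repository.
set -eu

# Bare version used inside the asset name: "v0.70.0" or "0.70.0" -> "0.70.0".
trivy_bare_version() {
  printf '%s\n' "${1#v}"
}

# Release tag as it appears in the URL path, always with the leading "v".
trivy_tag() {
  printf 'v%s\n' "${1#v}"
}

# Download URL that setup-trivy resolves for this version (pattern from the
# PR description: trivy_<version>_Linux-64bit.tar.gz under the release tag).
trivy_asset_url() {
  printf 'https://github.com/aquasecurity/trivy/releases/download/%s/trivy_%s_Linux-64bit.tar.gz\n' \
    "$(trivy_tag "$1")" "$(trivy_bare_version "$1")"
}

# HEAD request, following the redirect to the asset store, printing only the
# final HTTP status (200 = asset exists, 404 = the failure this PR fixes).
# Needs network access.
trivy_asset_status() {
  curl -sIL -o /dev/null -w '%{http_code}' "$(trivy_asset_url "$1")"
}

# Exit 0 only when the asset is actually downloadable.
check_pin() {
  status="$(trivy_asset_status "$1")"
  if [ "$status" = "200" ]; then
    echo "ok: $(trivy_asset_url "$1") (HTTP $status)"
    return 0
  fi
  echo "missing: $(trivy_asset_url "$1") (HTTP $status)" >&2
  return 1
}

# Network probe only runs when a version is supplied via TRIVY_PIN_CHECK
# (assumed variable name), so sourcing the file for its functions is safe.
if [ -n "${TRIVY_PIN_CHECK:-}" ]; then
  check_pin "$TRIVY_PIN_CHECK"
fi
```

Run it as `TRIVY_PIN_CHECK=v0.70.0 sh check-trivy-pin.sh` before bumping the `version:` input on the `aquasecurity/trivy-action` step. A 404 here is exactly what the unpinned workflow hit when setup-trivy resolved v0.69.1; wiring the same check into a Dependabot-triggered job would catch a bad bump before it blocks other PRs.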

coderabbitai bot commented Apr 19, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between 22bc468 and 4d14a47.

📒 Files selected for processing (1)
  • .github/workflows/build.yml

Walkthrough

The pull request pins the Trivy security scanning action to version v0.70.0 in the GitHub Actions workflow build configuration. Previously, the action relied on auto-detection of the latest version. No other scanning logic or workflow steps are modified.

Changes

Cohort / File(s) | Summary
Trivy Version Pinning: .github/workflows/build.yml | Added explicit version pin `version: 'v0.70.0'` to the aquasecurity/trivy-action step, replacing reliance on the auto-detected latest version.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Poem

🐰 A version is pinned, oh what delight!
No drifting to newest, we hold it tight.
v0.70.0 stands strong and true,
Security locked in, tried and through! 🔒✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

Check name | Status | Explanation
Description Check | ✅ Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | ✅ Passed | The pull request title clearly and concisely describes the main change: pinning the Trivy binary version to v0.70.0 in CI configuration.
Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@david-waltermire david-waltermire merged commit 4d4e6c2 into metaschema-framework:develop Apr 19, 2026
5 of 6 checks passed