From a2c296a239cda0141f4e5f672f52b0400b2b0aab Mon Sep 17 00:00:00 2001
From: Vladimir Antropov
Date: Fri, 20 Mar 2026 20:21:58 +0100
Subject: [PATCH] security: pin trivy binary to v0.69.3

Pin trivy install script to download v0.69.3 (latest safe release) instead of unpinned latest. v0.69.4 was compromised and removed. See: https://socket.dev/blog/trivy-under-attack-again-github-actions-compromise
---
 actions/docker/scan-docker-repo/action.yaml | 3 +--
 actions/docker/scan-pnpm-repo/action.yaml | 3 +--
 2 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/actions/docker/scan-docker-repo/action.yaml b/actions/docker/scan-docker-repo/action.yaml
index 8322ab0d..b30f968f 100644
--- a/actions/docker/scan-docker-repo/action.yaml
+++ b/actions/docker/scan-docker-repo/action.yaml
@@ -152,8 +152,7 @@ runs:
 trivy_dir="${WORKSPACE_PATH}/trivy"
 mkdir -p "${trivy_dir}"
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh |
- sh -s -- -b "${trivy_dir}"
- # to fix the version used, put it as a value after trivy_dir, i.e. '-b "${trivy_dir}" v0.67.0'
+ sh -s -- -b "${trivy_dir}" v0.69.3
 trivy_bin="${trivy_dir}/trivy"
 report_file="./${REPORT_NAME}"
diff --git a/actions/docker/scan-pnpm-repo/action.yaml b/actions/docker/scan-pnpm-repo/action.yaml
index 11db6198..3728d7f6 100644
--- a/actions/docker/scan-pnpm-repo/action.yaml
+++ b/actions/docker/scan-pnpm-repo/action.yaml
@@ -68,8 +68,7 @@ runs:
 trivy_dir="${WORKSPACE_PATH}/trivy"
 mkdir -p "${trivy_dir}"
 curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh |
- sh -s -- -b "${trivy_dir}"
- # to fix the version used, put it as a value after trivy_dir, i.e. '-b "${trivy_dir}" v0.67.0'
+ sh -s -- -b "${trivy_dir}" v0.69.3
 trivy_bin="${trivy_dir}/trivy"
 report_file="${trivy_dir}/report-file"
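Review bot: The `v0.69.3` argument only pins which release install.sh fetches; the installer itself is still pulled from the unpinned `main` ref of the same repository on the unchanged `curl` context line and piped straight into `sh`, so a tampered installer would run with the pin in place. The same applies to the scan-pnpm-repo hunk. Consider fetching the installer at a fixed ref (a tag such as `v0.69.3`, better a commit SHA) and checking it against a known-good digest before executing it, as sketched below. A one-line comment on the pinned line recording why it is pinned, e.g. `# pinned: v0.69.4 release was compromised; do not bump to latest without review`, would keep a later cleanup from reverting it, since the old explanatory comment is removed. The enclosing `run:` step starts and ends outside the hunk.
```yaml
installer="${trivy_dir}/install.sh"
# <PINNED_COMMIT_SHA> / <KNOWN_GOOD_SHA256>: fixed ref of contrib/install.sh and its digest at that ref (placeholders)
curl -sfL "https://raw.githubusercontent.com/aquasecurity/trivy/<PINNED_COMMIT_SHA>/contrib/install.sh" -o "${installer}"
echo "<KNOWN_GOOD_SHA256>  ${installer}" | sha256sum -c - || exit 1
# pinned: v0.69.4 release was compromised; do not bump to latest without review
sh "${installer}" -b "${trivy_dir}" v0.69.3
# … unchanged: trivy_bin / report_file …
```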