
fix: update trivy-action to safe SHA (v0.35.0)#285

Merged
apham0001 merged 1 commit into main from fix/pin-trivy-action-sha
Mar 20, 2026

Conversation

@apham0001
Contributor

Summary

  • Update aquasecurity/trivy-action from @22438a... to @57a97c7e7821a5776cebc9bb87c984fa69cba8f1 (v0.35.0)
  • Affects: docker-publish-openclaw.yml, docker-publish-x402-verifier.yml
  • Mitigates supply chain risk from trivy-action compromise (March 19, 2026)

Risk assessment

  • Previous SHA was pinned (good) but pointed to an untagged commit on master
  • 3 scheduled/push runs occurred during the March 19-20 window but used the pinned SHA (not affected by tag poisoning)
  • Updating to official v0.35.0 release SHA for clarity and safety

Update aquasecurity/trivy-action from untagged commit to v0.35.0
pinned by SHA to mitigate supply chain risk from the March 19
compromise.
Ref: aquasecurity/trivy-action#541
@apham0001 apham0001 enabled auto-merge March 20, 2026 21:24
@apham0001 apham0001 disabled auto-merge March 20, 2026 21:24
@apham0001 apham0001 merged commit 7753582 into main Mar 20, 2026
6 checks passed
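The pinning rule this PR applies (a full 40-hex commit SHA, annotated with the release it corresponds to, rather than a tag, a branch, or a SHA on master that no release points at) can be enforced mechanically. The following is an added example written for this page; it is not code from this repository or from aquasecurity/trivy-action. It assumes only the GitHub Actions `uses:` syntax, and every input it scans (the workflow fragment and the `git ls-remote --tags` output) is constructed for the example; the v0.35.0 commit SHA is the one stated in the PR, while the other hashes are placeholders.

```python
"""Audit GitHub Actions `uses:` references for immutable pinning.

Added example for this PR; not code from the repository or from
aquasecurity/trivy-action. Only the `uses:` syntax is assumed
(owner/repo[/path]@ref, ./local/path, docker://image[@digest]).
All sample input below is constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import Optional

FULL_SHA = re.compile(r"[0-9a-f]{40}")
HEX_PREFIX = re.compile(r"[0-9a-f]{7,39}")  # abbreviated SHA: a prefix, not a safe pin
USES_LINE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)['\"]?\s*(?:#\s*(\S+).*)?$")


@dataclass
class ActionRef:
    line_no: int
    action: str                  # owner/repo[/path], docker://..., or ./local
    ref: str                     # text after '@' ('' when absent)
    version_note: Optional[str]  # first token of a trailing comment, e.g. 'v0.35.0'
    status: str                  # 'immutable' | 'mutable' | 'short-sha' | 'local'


def classify(uses: str) -> tuple[str, str, str]:
    """Return (action, ref, status) for one `uses:` value."""
    if uses.startswith("./"):
        return uses, "", "local"              # travels with the calling commit
    action, _, ref = uses.partition("@")
    if uses.startswith("docker://"):
        digest = ref.removeprefix("sha256:")
        ok = ref.startswith("sha256:") and bool(re.fullmatch(r"[0-9a-f]{64}", digest))
        return action, ref, "immutable" if ok else "mutable"
    if FULL_SHA.fullmatch(ref):
        return action, ref, "immutable"       # moving a tag cannot change what runs
    if HEX_PREFIX.fullmatch(ref):
        return action, ref, "short-sha"       # prefix only; treat like unpinned
    return action, ref, "mutable"             # tag or branch: whoever controls it controls CI


def audit_workflow(text: str) -> list[ActionRef]:
    """Find every `uses:` line in a workflow and classify its pin."""
    found = []
    for n, line in enumerate(text.splitlines(), start=1):
        m = USES_LINE.match(line)
        if m:
            action, ref, status = classify(m.group(1))
            found.append(ActionRef(n, action, ref, m.group(2), status))
    return found


def violations(refs: list[ActionRef]) -> list[ActionRef]:
    """What a reviewer blocks: mutable or abbreviated refs, and full-SHA pins
    with no version note (a bare SHA cannot be mapped back to a release)."""
    return [r for r in refs
            if r.status in ("mutable", "short-sha")
            or (r.status == "immutable" and not r.version_note)]


def parse_ls_remote(output: str) -> dict[str, str]:
    """Map tag name -> commit SHA from `git ls-remote --tags <url>` output.
    An annotated tag is listed twice: 'refs/tags/vX' is the tag object and
    'refs/tags/vX^{}' the peeled commit; a `uses:` pin must equal the latter."""
    tags: dict[str, str] = {}
    for line in output.splitlines():
        sha, _, ref = line.partition("\t")
        if not ref.startswith("refs/tags/"):
            continue
        name = ref[len("refs/tags/"):]
        if name.endswith("^{}"):
            tags[name[:-3]] = sha              # peeled commit wins over the tag object
        else:
            tags.setdefault(name, sha)         # lightweight tag, or placeholder until peeled
    return tags


def pin_matches_release(ref: ActionRef, tags: dict[str, str]) -> bool:
    """True only if the pinned SHA is exactly the commit the noted release tag resolves to."""
    return (ref.status == "immutable" and ref.version_note is not None
            and tags.get(ref.version_note) == ref.ref)


# Constructed workflow fragment: only the v0.35.0 SHA is the one stated in the PR.
SAMPLE_WORKFLOW = """\
jobs:
  scan:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: aquasecurity/trivy-action@master
      - uses: aquasecurity/trivy-action@0a1b2c3
      - uses: aquasecurity/trivy-action@1111111111111111111111111111111111111111
      - uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # v0.35.0
      - uses: ./.github/actions/notify
"""

# Constructed `git ls-remote --tags` output; v0.35.0 is modelled as an annotated tag.
LS_REMOTE = "\n".join([
    "2222222222222222222222222222222222222222\trefs/tags/v0.35.0",
    "57a97c7e7821a5776cebc9bb87c984fa69cba8f1\trefs/tags/v0.35.0^{}",
    "3333333333333333333333333333333333333333\trefs/tags/v0.34.0",
])

if __name__ == "__main__":
    refs = audit_workflow(SAMPLE_WORKFLOW)
    tags = parse_ls_remote(LS_REMOTE)
    for r in violations(refs):
        print(f"line {r.line_no}: {r.action}@{r.ref} [{r.status}]")
    for r in refs:
        if r.version_note:
            verdict = "ok" if pin_matches_release(r, tags) else "MISMATCH"
            print(f"line {r.line_no}: {r.version_note} -> {verdict}")
```

Run against a real repository, replace `LS_REMOTE` with the output of `git ls-remote --tags https://github.com/aquasecurity/trivy-action` and feed the workflow files under `.github/workflows/`. The peeled `^{}` handling matters in practice: comparing a pin against the tag-object SHA of an annotated tag reports a false mismatch, and the check only detects the "pinned to an untagged commit" state this PR describes when the pin carries a version note to resolve.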

2 participants