
Pin all GitHub Actions to SHA hashes & modernize Trivy SARIF output#39

Draft
Copilot wants to merge 2 commits into latest from copilot/update-docker-workflow-security

Conversation


Copilot AI commented Mar 25, 2026

Mutable tag references in workflow uses: directives are a supply chain attack vector — demonstrated by the Trivy Action March 2026 compromise where tags were force-pushed to malicious commits. All actions are now pinned to immutable commit SHAs.

Changes

  • SHA-pin all actions — every uses: line now references a full 40-char commit SHA with a # vX.Y.Z comment for readability:

    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
    uses: aquasecurity/trivy-action@57a97c7e41536f44adcf59faf14cd94554d91eb0 # v0.35.0
  • Replace deprecated Trivy SARIF template — migrates from the legacy format: "template" + template: "@/contrib/sarif.tpl" pattern to format: 'sarif' (direct native support)

  • Add severity filter — scopes Trivy scan to CRITICAL,HIGH to reduce noise

Warning

Firewall rules blocked me from connecting to one or more addresses (expand for details)

I tried to connect to the following addresses, but was blocked by firewall rules:

  • https://api.github.com/repos/actions/cache/git/ref/tags/v5
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)
  • https://api.github.com/repos/github/codeql-action/git/ref/tags/v4
    • Triggering command: /usr/bin/curl curl -s REDACTED (http block)

If you need me to access, download, or install something from one of these locations, you can either:

Original prompt

Problem

The .github/workflows/docker.yml workflow uses mutable tag references for GitHub Actions, which is a supply chain attack vector. This is especially critical given the Trivy Action supply chain compromise in March 2026 where nearly all tags were force-pushed to malicious commits.

Additionally, the Trivy action uses the deprecated format: "template" + template: "@/contrib/sarif.tpl" pattern instead of the modern format: 'sarif'.

Required Changes

Update .github/workflows/docker.yml to:

  1. Pin ALL actions to full SHA hashes with a comment indicating the version tag for readability.
  2. Replace the deprecated Trivy SARIF template with the modern format: 'sarif' approach.
  3. Add severity filtering to the Trivy scan to reduce noise (severity: 'CRITICAL,HIGH').

Current action references to update:

  • actions/checkout@v6 → pin to SHA hash (# v6.0.2)
  • crazy-max/ghaction-docker-meta@v6 → pin to SHA hash (# v6.0.0)
  • docker/setup-qemu-action@v4 → pin to SHA hash (# v4.0.0)
  • docker/setup-buildx-action@v4 → pin to SHA hash (# v4.0.0)
  • docker/login-action@v4 → pin to SHA hash (# v4.0.0)
  • actions/cache@v5 → pin to SHA hash (# v5)
  • docker/build-push-action@v7 → pin to SHA hash (# v7.0.0)
  • aquasecurity/trivy-action@0.35.0 → pin to SHA 57a97c7e41536f44adcf59faf14cd94554d91eb0 (# v0.35.0)
  • github/codeql-action/upload-sarif@v4 → pin to SHA hash (# v4)

Trivy step changes:

Replace:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.35.0
        with:
          image-ref: ${{ env.imageName }}:${{ steps.docker_meta.outputs.version }}
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"

With:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e41536f44adcf59faf14cd94554d91eb0 # v0.35.0
        with:
          image-ref: ${{ env.imageName }}:${{ steps.docker_meta.outputs.version }}
          format: 'sarif'
          output: 'trivy-results.sarif'
          severity: 'CRITICAL,HIGH'

For every uses: line, look up the full 40-character commit SHA for the tag version and use that. Add a comment with the human-readable tag after the SHA, e.g. uses: actions/checkout@<full-sha> # v6.0.2.

The following is the prior conversation context from the user's chat exploration (may be truncated):

User: where do i use trivy actions in my github pipelines. give me a full overview

Assistant: Here's a full overview of all the places you use aquasecurity/trivy-action across your GitHub pipelines. I found 9 repositories using it, organized into 3 distinct usage patterns:


Summary Table

| Repository | Workflow File | Trivy Version | Scan Type | Output Format | Severity Filter |
|---|---|---|---|---|---|
| beevelop/docker-java | docker.yml | @0.35.0 | image | SARIF (template) | (all) |
| beevelop/docker-cuberite | docker.yml | @master | image | SARIF (template) | (all) |
| beevelop/docker-nodejs-python | docker.yml | @master | image | SARIF (template) | (all) |
| beevelop/docker-uniqush | docker.yml | @master | image | SARIF (template) | (all) |
| beevelop/docker-varnish | docker.yml | @master | image | SARIF (template) | (all) |
| beevelop/docker-nodejs | docker.yml | @master | image | SARIF (template) | (all) |
| beevelop/docker-hedgewars | docker.yml | @master | image | SARIF (template) | (all) |
| beevelop/semiatrix | build-studio-image.yml | @master | image | SARIF + table | CRITICAL,HIGH (SARIF) / CRITICAL,HIGH,MEDIUM (table) |
| beevelop/BeeCompose | ci-cd.yml | @master | image | JSON | CRITICAL,HIGH,MEDIUM,LOW |

Pattern 1: Docker Image Repos (Legacy Template) — 7 repos

Used in: docker-java, docker-cuberite, docker-nodejs-python, docker-uniqush, docker-varnish, docker-nodejs, docker-hedgewars

These all follow the same pattern — Trivy runs after docker/build-push-action, scans the built image, outputs SARIF using the legacy template approach, and uploads to the GitHub Security tab:

      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@0.35.0  # or @master in other repos
        with:
          image-ref: ${{ env.imageName }}:${{ steps.docker_meta.outputs.version }}
          format: "template"
          template: "@/contrib/sarif.tpl"
          output: "trivy-results.sarif"
      - name: Upload Trivy scan results to GitHub Security tab
        uses: github/codeql-action/upload-sarif@v4  # or @v1 in older repos
        with:
          sarif_file: "trivy-results.sarif"

⚠️ Note: 6 of these repos still pi...

This pull request was created from Copilot chat.
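The two properties this PR enforces (every `uses:` reference pinned to a full 40-character commit SHA with a `# vX.Y.Z` comment, and no remaining `format: "template"` + `template: "@/contrib/sarif.tpl"` Trivy step) can be checked mechanically before a workflow is merged. The script below is an added example and is not part of this PR or the repository; it runs over a constructed workflow fragment (not the project's `docker.yml`) embedded inline, uses only the standard library, and reports mutable refs, SHA pins that lack a version comment, unpinned `docker://` actions, and the legacy Trivy template key. The function and constant names are the example's own.

```python
import re

# Constructed sample workflow fragment for demonstration; not the project's docker.yml.
# The two SHAs are the ones quoted in the PR text and are reused here only as pin examples.
SAMPLE_WORKFLOW = """\
name: docker
jobs:
  build:
    steps:
      - uses: actions/checkout@v6
      - uses: ./.github/actions/local-helper
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - uses: aquasecurity/trivy-action@master
      - name: Run Trivy vulnerability scanner
        uses: aquasecurity/trivy-action@57a97c7e41536f44adcf59faf14cd94554d91eb0
        with:
          format: "template"
          template: "@/contrib/sarif.tpl"
"""

# A `uses:` line, optionally as a list item, with an optional trailing "# comment".
USES_RE = re.compile(r'^[ \t]*-?[ \t]*uses:[ \t]*([^\s#]+)(?:[ \t]*#[ \t]*(\S+))?', re.M)
# A full git commit SHA (40 lowercase hex chars); abbreviated SHAs are not accepted.
SHA_RE = re.compile(r'^[0-9a-f]{40}$')
# The legacy Trivy SARIF template key this PR removes.
LEGACY_TPL_RE = re.compile(r'^[ \t]*template:[ \t]*["\']?@/contrib/sarif\.tpl["\']?', re.M)


def _line_of(text, pos):
    """1-based line number of byte offset `pos` in `text`."""
    return text.count("\n", 0, pos) + 1


def audit_uses(text):
    """Return (line, ref, reason) for every `uses:` reference that is not an immutable pin."""
    findings = []
    for m in USES_RE.finditer(text):
        ref, comment = m.group(1), m.group(2)
        line = _line_of(text, m.start())
        if ref.startswith("./"):
            continue  # local action: versioned with the repository itself, nothing to pin
        if ref.startswith("docker://"):
            if "@sha256:" not in ref:
                findings.append((line, ref, "container action not pinned by image digest"))
            continue
        if "@" not in ref:
            findings.append((line, ref, "no ref given; resolves to the action's default branch"))
            continue
        version = ref.rpartition("@")[2]
        if not SHA_RE.match(version):
            findings.append((line, ref, "mutable ref (tag or branch), not a full commit SHA"))
        elif comment is None:
            findings.append((line, ref, "SHA pinned but missing the '# vX.Y.Z' readability comment"))
    return findings


def find_legacy_trivy_template(text):
    """Return line numbers that still use the deprecated @/contrib/sarif.tpl template."""
    return [_line_of(text, m.start()) for m in LEGACY_TPL_RE.finditer(text)]


def audit_workflow(text):
    """Combine both checks; an empty list means the workflow passes."""
    problems = [f"line {ln}: {ref}: {why}" for ln, ref, why in audit_uses(text)]
    problems += [f"line {ln}: legacy Trivy SARIF template; use format: 'sarif' instead"
                 for ln in find_legacy_trivy_template(text)]
    return problems


if __name__ == "__main__":
    for problem in audit_workflow(SAMPLE_WORKFLOW):
        print(problem)
```

The check is purely syntactic: it confirms the reference has the shape of an immutable pin, not that the SHA actually belongs to the tag named in the comment. Verifying that mapping still requires resolving the tag on the upstream repository (for example with `git ls-remote`) and comparing, which is the step the PR text describes performing when it looked up each SHA.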



Copilot AI changed the title [WIP] Update Docker workflow for security and modern standards Pin all GitHub Actions to SHA hashes & modernize Trivy SARIF output Mar 25, 2026
Copilot AI requested a review from beevelop March 25, 2026 10:11