Allow pinning setup-trivy by hash

[smola]

I work with repos where all GitHub Actions are pinned by commit hash, and passlisted in the repo settings. As of https://github.com/aquasecurity/trivy-action/pull/406, it is not possible to do this anymore, since it internally fetches aquasecurity/setup-trivy by tag, and there does not seem to be any way to override that. Even if skip-setup-trivy: true is set, it seems GitHub will require passlisting the tag version.

[simar7]

Even if skip-setup-trivy: true is set, it seems GitHub will require passlisting the tag version.

Could you expand more on this, where does this passlisting happen? Is it a GitHub requirement?

[smola]

Yes. GitHub Actions settings have an optional passlist. It is possible to passlist a tag too, but some projects try to rely as much as possible on actions references by commit hash (branches and tags can be arbitrarily rewritten). This reduces the attack surface for supply chain attacks through compromised GitHub Actions.

[smola]

This could also be fixed by using a commit hash reference in action.yml for setup-trivy. Users who do not restrict their referenced Actions will not notice the difference. Those who enforce commit hash pinning will be able to do so.