Open smola opened 2 weeks ago
simar7
commented
2 weeks ago Even if skip-setup-trivy: true is set, it seems GitHub will require passlisting the tag version.
Could you expand more on this, where does this passlisting happen? Is it a GitHub requirement?
smola
commented
2 weeks ago Yes. GitHub Actions settings have an optional passlist. It is possible to passlist a tag too, but some projects try to rely as much as possible on actions references by commit hash (branches and tags can be arbitrarily rewritten). This reduces the attack surface for supply chain attacks through compromised GitHub Actions.
smola
commented
2 weeks ago This could also be fixed by using a commit hash reference in action.yml for setup-trivy. Users who do not restrict their referenced Actions will not notice the difference. Those who enforce commit hash pinning will be able to do so.
I work with repos where all GitHub Actions are pinned by commit hash, and passlisted in the repo settings. As of https://github.com/aquasecurity/trivy-action/pull/406, it is not possible to do this anymore, since it internally fetches
aquasecurity/setup-trivyby tag, and there does not seem to be any way to override that. Even ifskip-setup-trivy: trueis set, it seems GitHub will require passlisting the tag version.