Merge pull request 'fix(scan): pin Trivy to v0.70.0 (avoid GitHub rate-limit)' (#2) from fix/pin-trivy-version into main

Reviewed-on: #2
2026-05-12 00:13:43 +00:00
+7 -1
@@ -49,7 +49,13 @@ jobs:
# trivy-action wrapper does nested checkouts and auth-juggling that
# does not play well with Self-Hosted Gitea Actions, this is more
# robust and a smaller surface.
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin
#
# Version pinned: the install script otherwise hits api.github.com to
# resolve "latest", which is unauthenticated and burns through the
# self-hosted runner's GitHub rate-limit on each push. Pinning skips
# the API call entirely. Renovate-bot keeps the version current:
# renovate: datasource=github-releases depName=aquasecurity/trivy
run: curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sudo sh -s -- -b /usr/local/bin v0.70.0
- name: Run Semgrep SAST
# --config=auto pulls language-appropriate rule packs from semgrep.dev