Update Trivy workflow to enhance permissions and upgrade action versions

devanshjainms · devanshjainms · commit 1b9fcf73c1b6 · 2025-03-27T19:41:29.000Z
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -7,19 +7,17 @@
     merge_group:
     workflow_dispatch:
 
-
-  permissions:
-    actions: read
-    contents: read
-    security-events: write
-
   jobs:
     build:
       name: 'trivy scan'
       runs-on: ubuntu-latest
+      permissions:
+        security-events: write
+        contents: read
+
       steps:
       - name: Harden Runner
-        uses: step-security/harden-runner@cb605e52c26070c328afc4562f0b4ada7618a84e # v2.10.4
+        uses: step-security/harden-runner@4d991eb9b905ef189e4c376166672c3f2f230481 # v2.11.0
         with:
           egress-policy: audit
 
@@ -37,7 +35,7 @@
           output: report-fs.sarif
 
       - name: Upload Trivy report (fs) GitHub Security
-        uses: github/codeql-action/upload-sarif@d68b2d4edb4189fd2a5366ac14e72027bd4b37dd # v3.28.2
+        uses: github/codeql-action/upload-sarif@9e8d0789d4a0fa9ceb6b1738f7e269594bdd67f0 # v3.28.9
         with:
           sarif_file: report-fs.sarif
           category: 'fs'
