use hashes for actions for trivvy workflow

HumairAK · HumairAK · commit 6da9d161e8ad · 2026-03-24T15:30:02.000-04:00
Signed-off-by: Humair Khan &lt;HumairAK@users.noreply.github.com&gt;
diff --git a/.github/workflows/trivy.yml b/.github/workflows/trivy.yml
@@ -18,12 +18,12 @@ jobs:
     runs-on: ubuntu-24.04
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
       - name: Run Trivy vulnerability scanner in repo mode
         id: trivy-skip-db
         continue-on-error: true
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -40,7 +40,7 @@ jobs:
 
       - name: Run Trivy vulnerability scanner (with DB download)
         if: steps.trivy-skip-db.outcome == 'failure'
-        uses: aquasecurity/trivy-action@0.35.0
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1 # 0.35.0
         with:
           scan-type: 'fs'
           ignore-unfixed: true
@@ -53,6 +53,6 @@ jobs:
           TRIVY_JAVA_DB_REPOSITORY: public.ecr.aws/aquasecurity/trivy-java-db:1
 
       - name: Upload Trivy scan results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@256d634097be96e792d6764f9edaefc4320557b1 # v4
         with:
           sarif_file: 'trivy-results.sarif'
