trivy-action
Should we pin to `master` when GitHub advises pinning to a full git SHA?
https://github.com/aquasecurity/trivy-action/blob/cb606dfdb0d2b3698ace62192088ef4f5360b24f/README.md?plain=1#L70
See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions
Fair enough - you can pin to a full SHA as you mentioned. The documentation is simply a suggestion and not a requirement.