Should we pin to `master` when Github advises pinning to full git SHA?

[bixu]

https://github.com/aquasecurity/trivy-action/blob/cb606dfdb0d2b3698ace62192088ef4f5360b24f/README.md?plain=1#L70

See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-third-party-actions

[simar7]

Fair enough - you can pin to a full SHA as you mentioned. The documentation is simply a suggestion and not a requirement.