Comment by cpuguy83
5 days ago
This attack was not mitigated by hash pinning. The setup-trivy action installs the latest version of trivy unless you specify a version.
5 days ago
This attack was not mitigated by hash pinning. The setup-trivy action installs the latest version of trivy unless you specify a version.
Oh, I was referring to `aquasecurity/trivy-action` that was changed with a malicious entrypoint for affected tags. Pinned commits were not affected.