chore: move to sha for trivy-action - BED-7560 #276

Open: mykeelium wants to merge 1 commit into v4 from BED-7560

@mykeelium mykeelium commented Mar 2, 2026

Description

Use sha for Trivy Action in workflow

Motivation and Context

Resolves BED-7560

How Has This Been Tested?

Screenshots (if appropriate):

Types of changes

  • Chore (a change that does not modify the application functionality)
  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist:

  • Documentation updates are needed, and have been made accordingly.
  • I have added and/or updated tests to cover my changes.
  • All new and existing tests passed.
  • My changes include a database migration.

Summary by CodeRabbit

Release Notes

  • Chores
    • Updated the GitHub Actions vulnerability scanner configuration.

@mykeelium mykeelium self-assigned this Mar 2, 2026
@mykeelium mykeelium added the enhancement New feature or request label Mar 2, 2026

coderabbitai bot commented Mar 2, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between 9ea2281 and a8be5ad.

📒 Files selected for processing (1)
  • .github/workflows/vuln-scan.yml

Walkthrough

A GitHub Actions workflow file was updated to pin the Trivy scanner action to a specific commit hash instead of a version tag, ensuring consistent vulnerability scanning across workflow runs.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions Workflow: .github/workflows/vuln-scan.yml | Updated Trivy Action reference from version 0.34.2 to commit hash 97e0b3872f55f89b95b2f65b3dbab56962816478 for deterministic scanning. |

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~3 minutes

Possibly related PRs

Suggested reviewers

  • kpowderly
  • superlinkx

Poem

🐰 A hash commits to certainty,
Where versions once would drift,
The Trivy scanner, pinned so tight,
Gives workflows their gift. ✨

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title accurately describes the main change: updating Trivy Action to use a SHA reference instead of a version tag, which directly corresponds to the workflow file modification. |
| Description check | ✅ Passed | The description includes key sections (Description, Motivation and Context, Types of changes, Checklist) but lacks detailed testing information despite the template's requirement. |
| Docstring Coverage | ✅ Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check. |
